What is the best bitcoin wallet?

You've bought some bitcoins on an exchange, and then you followed the common advice to withdraw your coins to a hardware wallet. That's definitely better than creating a webwallet on something.com or leaving them on the exchange! But there are some big problems with hardware wallets you should be aware of.

  1. Every transaction you send or receive is seen by the hardware wallet provider. Unless you buy your bitcoin with cash locally, your identity is linked to your bitcoins, and who knows what they are doing with all of your personal data? Personal data can be worth a lot of money...wouldn't it be interesting to know how many bitcoins so-and-so has?
  2. You rely 100% on the hardware wallet provider's servers to send and receive transactions. In theory the software they use is free and open source, but you would need special knowledge and powerful hardware in order to run this same software. During a period of crypto-excitement in 2017, a colleague became very worried and dismayed when he couldn't broadcast an Ethereum transaction because the hardware manufacturer's (Ledger) servers were not online! He missed out on buying the thing he wanted.
  3. You assume the hardware manufacturer is running the software you think (and they say) they are. It's easy to be tricked into believing you are using bitcoin, when really you might be using a cheap imitation! Unscrupulous hardware wallet manufacturers might be bribed into using a version of the software that benefits them, rather than you!

I have my 24 word seed written down on paper, and I've never taken a photo or otherwise put this data into a computer. Are my coins safe?

No! You must keep these words available and in the correct sequence, perhaps on a piece of metal, but they must also be kept totally private! Anyone who sees those 24 words, even for a split second, can sweep all of your coins at any time. A telephoto lens from a neighboring building, a drone hovering outside your window, a plumber, a maid, a realtor, a bank employee, the police with/without a warrant...anyone who sees those 24 words is the next owner of your bitcoins. The only way to protect against this threat is by enabling "25th word" passphrase protection.

So what's the most private, secure, and reliable method for storing and using bitcoin? There are always trade-offs to be made, but for most people who are ready for the "next level" the best way is to run an always-on computer that is dedicated to bitcoin core. There are three important considerations to keep in mind with this approach:

  1. You could accidentally install malware on the machine. This threat is a function of your behavior: by making sure the machine is dedicated to bitcoin core, and following a strict usage procedure, you'll be fine. But remember that the computer can't be used for anything else! No email, no web browsing, no messaging, etc. And definitely don't go sticking random USB sticks into it!
  2. It's much more expensive than other solutions, perhaps 4-5x more expensive than a hardware wallet.
  3. You are learning a technical competency. But it's worth it! You'll have a lot more control and confidence.

It's going to cost some money and effort if you want to have ultimate control over your money and financial privacy. But everything worthwhile in life does! Let's look at setting up a computer dedicated to bitcoin. A bitcoin terminal.

How do I set up a bitcoin terminal?

There are a number of tutorials out there, including the one I wrote on being your own bank. By the way, I do not recommend using the Intel NUC which was used as an example in that paper. The eMMC storage became corrupted after only a few weeks.

A proper bitcoin terminal is modern minimalist art; you take a computer that can do all kinds of things, and make it do only one thing (run bitcoin core) and do that one thing really well. In general, you should:

  1. Buy a desktop machine; a tower. Not a laptop! Something with at least a 1TB HDD (not SSD!) and 4GB RAM. Lenovo, Dell, HP, and others make such machines. Customize it; make sure the machine has a nice wired network adapter, don't buy anything that has wifi or bluetooth. Make sure your keyboard and mouse are also wired! It should also have a Blu-Ray DVD burner.
  2. Completely wipe the pre-installed operating system (some flavor of Windows) and install Ubuntu Linux. It should be protected with a very strong passphrase. Follow a tutorial to install the Ubuntu image on a USB stick, e.g. this example from Ubuntu.
  3. Install bitcoin core software. Installation using the package manager is fine. Just follow one of the guides that already exist online.
  4. Install tor using the package manager. Follow the guide; it's very simple to set up and configure. The "SOCKS" proxy in Bitcoin is conveniently already set up for tor.
  5. Set up UFW; only allow port 8333 to be open. All other ports should be blocked. Get familiar with UFW; you'll need to disable it when you update the OS, bitcoin core, and tor. And then re-enable it.
  6. Encrypt your wallet.dat file with a strong passphrase, then back up your wallet using the built-in menu command. Burn the backup wallet.dat file to a Blu-Ray DVD or M-Disk.
  7. Check that everything works. After your bitcoin terminal has synced with the network, send a small amount of bitcoin to it. After it shows up, shut down your bitcoin-qt software and delete your wallet.dat file. Copy the wallet.dat file from your optical disk and paste it back into your terminal. When you re-start your bitcoin-qt software everything should work just fine.
  8. Burn at least two optical disks, and store them in different geographical locations.
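
A check for step 5, as an added example that is not part of the original article: it reads the text printed by "ufw status" and reports when the firewall was left disabled after an update or when any rule other than port 8333 is open. The function name and the sample output are constructed for this example.

```python
import re

ALLOWED_PORT = "8333"  # the only port step 5 leaves open

# Constructed sample of `ufw status` output (not captured from a real machine).
SAMPLE = """Status: active

To                         Action      From
--                         ------      ----
8333/tcp                   ALLOW       Anywhere
8333/tcp (v6)              ALLOW       Anywhere (v6)
"""

def audit_ufw(status_text):
    """Return a list of findings; an empty list means the rules match step 5."""
    lines = status_text.strip().splitlines()
    if not lines or lines[0].strip() != "Status: active":
        return ["firewall is not active (re-enable it after updating)"]
    findings, seen_allowed = [], False
    for line in lines[1:]:
        # Rule rows look like "8333/tcp   ALLOW   Anywhere".
        m = re.match(r"(.+?)\s+(ALLOW|DENY|REJECT|LIMIT)\b", line.strip())
        if not m:
            continue  # column header, separator or blank line
        target, action = m.group(1), m.group(2)
        port = target.split()[0].split("/")[0]
        if action == "ALLOW" and port == ALLOWED_PORT:
            seen_allowed = True
        elif action in ("ALLOW", "LIMIT"):
            findings.append(f"unexpected open rule: {line.strip()}")
    if not seen_allowed:
        findings.append(f"no ALLOW rule for port {ALLOWED_PORT}")
    return findings

if __name__ == "__main__":
    print(audit_ufw(SAMPLE) or "ok: only port 8333 is open")
```

Run it after every update cycle, feeding it the real output of "sudo ufw status".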

Imagine that you store one of your optical disks in a safety deposit box at a bank. If someone who works at the bank decides to have a look at your disk, they will be able to see your wallet history. This is not so great for privacy, but at least they won't be able to steal your funds - that's because you encrypted the wallet with a passphrase. If you want to protect your privacy too (probably a good idea if you are mailing the optical disk across borders) you can go one step further and place the wallet.dat file in an encrypted container, using VeraCrypt, and then burn that encrypted container to optical disk. Even if you take these measures, you should assume anyone who has access to the disk is working on cracking your passphrase. Make sure to use a strong passphrase, and change it (and then burn new disks) each year!

How do I deposit bitcoins to the terminal?

Create a new receiving address. Scan the QR code which is displayed with your smartphone camera, then send the address via a messaging app like Telegram or iMessage, or something like airdrop to your laptop. From there you can send the address to the exchange or create an invoice and send it to whoever is supposed to be sending you bitcoins.

How do I send bitcoins from the terminal?

You need to get the address to which you'll be sending funds into the terminal. The best way to do this is to dedicate a USB stick to the mission of "address courier". Don't use the USB stick for anything but this purpose. Save the receiving address to a text file on the USB stick using your laptop, then stick the USB stick into your bitcoin terminal. Copy the address from the text file and paste it into your "Send" dialog box. Take a picture of the original invoice and double check the first four and last four characters to make sure the receiving address hasn't changed after you pasted it.

Are there any other advantages to this approach?

Yes. You will have more control over address types, so you can take advantage of new features (such as lower cost transactions) while remaining perfectly backwards-compatible. You will also be perfectly set up to work with multi-signature transactions, which provide better protection against malware as well as against physical threats and coercion. You also won't be subject to a vendor's constant marketing emails or a user interface cluttered with useless and risky features, like built-in token exchanges...

Conclusion

Creating a bitcoin terminal is definitely not the only way to use bitcoin, and isn't necessarily something everyone will want to do. In practice, advanced users pursue a combination of approaches, keeping their bitcoin spread across multiple hardware wallets, in multi-signature schemes, a little bit on exchanges, and maybe a little bit on a mobile wallet. It's important to understand the costs and benefits of each approach so that you can competently manage risk.

So what is the "best" bitcoin wallet? I think it's the terminal you maintain yourself. But the best wallet is the one that you're comfortable with and one in which you fully understand the risks and are comfortable taking measures to control those risks.


