Ethereum on ice — cold storage for your coins

I have not been so excited about a new technology since I was a teenager. Back then, being able to go on the so-called “Internet” and have instant access to information just absolutely blew my mind. As you get older, feeling the same kind of excitement gets harder and harder I guess, but Ethereum and Smart Contracts definitely do it for me again. The technological, economic and social impacts will be profound … I do have to admit that I have become a bit of an Ethereum fan boy. Anyway … I do come from an application security background and my friends keep on asking me for advice on how to secure their Ether, so I am summarizing some of my own considerations in this article. There are several things to consider when you set out to secure your coins, and concepts from different domains like the Ethereum network, crypto exchanges and local wallets often get mixed up.
So let’s start with crypto exchanges: It is generally not advisable to keep big stashes of Ether there. Because crypto currencies are fairly new, crypto exchanges are lightly regulated or not regulated at all, depending on the country where they are set up. They are usually private companies that are not backed by government entities, so if they go bankrupt, you’ll likely lose your coins. Technically speaking, the coins are with the exchange until you withdraw them, and if the exchange shuts down, you have no way of accessing them anymore. Exchanges also get hacked and you can lose part or all of your coins. Compared to hacking banks, it’s easier for hackers to target crypto exchanges. Not because those systems are less secure, but because it’s easier to get the money out. If you hack a banking system, you have to deal with transaction limits, expert systems that track unusual transactions, and long transaction times (an overseas transaction might take days). You might also be forced to show up physically at an ATM to withdraw the funds. If you hack a crypto exchange and get your hands on the private keys, you can transfer all the coins to your address within minutes. The funds can be tracked on the Ethereum blockchain, since every transaction is public, but linking the receiving addresses to real world identities is hard unless the attackers really screw up.
Therefore, it’s generally advisable to withdraw all your Ether into your own wallet. The only reason to deviate from that rule is very limited computer skills: if you are not confident that you can follow the steps below, I would advise against the personal wallet option. Make no mistake, if you lose the private key (or the password that protects it), your precious coins are gone and they are never coming back.
If you do end up keeping your coins in an exchange, it is worth verifying that they take their security seriously. Don’t buy into fancy marketing pages where they say they use 256-bit SSL encryption and therefore everything is secure; that only protects the connection to the exchange, not the exchange itself. Look for indicators of a mature software security program, such as a public bug bounty program. Those programs are excellent as they create economic incentives for hackers to find vulnerabilities in computer systems and share them with the exchange, as opposed to doing something naughty with them. Another nice-to-have for online wallets is what Coinbase calls Vaults. They even allow multi-signature transactions and some other neat features that add extra security. Unfortunately, however, Ether is not yet supported.
So how to get started? There is a guide available on the MyEtherWallet page itself. It’s great to play around with and learn the concepts, and there is tons of useful information for getting started. My only concern, probably largely due to my abundant experience with broken and insecure web applications, is that you can generate your wallet, private key included, on a live website. I am sure the guys have done a good job and nothing gets logged anywhere, but the key is then produced by JavaScript that you fetched over the network and that runs next to every browser extension you have installed, so I seriously don’t recommend doing this online.
The following steps explain how to set up cold storage for your Ether locally:
1.) Download MyEtherWallet or Mist from here.
2.) Sync with the Ethereum network; this can take some time.
3.) Create a wallet and set a secure password that you can remember (if you are about to choose your dog’s name, read this; it might help). What happens in the background is that the wallet application creates a JSON keystore file that looks like the one below.

There are too many wallet settings to discuss them all in detail in this blog post, so I’ll stick with the essentials. The address field is your public identifier: share it with other people so they can send you coins. The closest analogy is the account number in your online banking system. The private key that everyone keeps talking about is stored encrypted (AES in CTR mode) under a key that is derived from the password you set when creating the wallet. The derivation uses a deliberately slow function (scrypt or PBKDF2, with its parameters and salt recorded in the file), and a MAC over the ciphertext lets the wallet tell a wrong password from a successful unlock. The password is therefore the only secret standing between a copy of that file and your coins: anyone who gets hold of the JSON can try passwords offline as fast as their hardware allows, so a weak password buys you very little.
4.) Start testing to gain confidence: take a small amount, say 0.001 Ether or whatever the minimum withdrawal amount from your exchange is, and send it to your address. Once you receive the coins you can send them back again. Remember that in order to send coins, you need to sign transactions with your private key. The wallet application will use the password you entered to decrypt the private key and do the transaction signing for you. Run some transactions to get familiar with the local wallet and make sure you know how to use it.
5.) Keep your key and password safe. You need both to access your coins and make transactions; if you lose either one, your Ether is gone forever! You can save the JSON file with the encrypted key on your backup disks and USB drives, and I also recommend printing it out. Keep them in a safe place. As for the password, keeping it only in your head is a single point of failure. If you fall on your head and lose parts of your memory (or, more likely, you simply forget the password) then that means bye-bye coins. A way to mitigate that risk is to put both the printout of the JSON file and the password into a safe deposit box. This also gives your family and loved ones the possibility to access your coins in case something happens to you. Bear in mind that whoever holds both the file and the password holds the coins, so the box itself is now what you are protecting.
The last thing left to do, after you have all your backups in place and you have practiced restoring your wallet enough that you can do it in your sleep, is to delete the JSON file from your computer. Then you truly have your coins in cold storage.
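To make steps 3 and 5 concrete, here is an added example (my own illustration, not code from this post, from MyEtherWallet or from Mist) that implements the keystore format the wallet writes in step 3, the Web3 Secret Storage v3 JSON, using only the Python standard library: a pure-Python Keccak-256 (Ethereum uses the pre-NIST Keccak padding, so hashlib.sha3_256 would not give the right MAC), a forward-only AES-128 for CTR mode, and hashlib.scrypt for the password derivation. encrypt_keystore produces the file, and decrypt_keystore is the restore drill from step 5: it checks the MAC first and refuses a wrong password or a tampered file before it ever decrypts anything. Assumptions, labelled in the comments: the scrypt work factor n is lowered to 2**14 so the script runs in a second (geth’s default is 262144), the address field (derived from the public key) is left out because the script does not implement secp256k1, and the 32-byte private key is random stand-in material rather than a real account.

```python
# Keystore v3 (Web3 Secret Storage) encrypt/unlock with the Python stdlib only. Added illustration,
# not MyEtherWallet's or Mist's code; omits the address field (needs secp256k1) and uses a small n.
import hashlib, json, os
# Keccak-256: Ethereum uses pre-NIST Keccak (pad byte 0x01), so hashlib.sha3_256 would not match.
_RC = [0x1, 0x8082, 0x800000000000808A, 0x8000000080008000, 0x808B, 0x80000001,
       0x8000000080008081, 0x8000000000008009, 0x8A, 0x88, 0x80008009, 0x8000000A,
       0x8000808B, 0x800000000000008B, 0x8000000000008089, 0x8000000000008003,
       0x8000000000008002, 0x8000000000000080, 0x800A, 0x800000008000000A,
       0x8000000080008081, 0x8000000000008080, 0x80000001, 0x8000000080008008]
_ROT = [[0, 36, 3, 41, 18], [1, 44, 10, 45, 2], [62, 6, 43, 15, 61], [28, 55, 25, 21, 56], [27, 20, 39, 8, 14]]

def _keccak_f(a):                                   # a = 25 lanes, lane (x, y) at a[x + 5*y]
    rol = lambda v, n: ((v << n) | (v >> (64 - n))) & ((1 << 64) - 1)
    for rc in _RC:
        c = [a[x] ^ a[x + 5] ^ a[x + 10] ^ a[x + 15] ^ a[x + 20] for x in range(5)]
        d = [c[(x - 1) % 5] ^ rol(c[(x + 1) % 5], 1) for x in range(5)]
        a = [a[i] ^ d[i % 5] for i in range(25)]                            # theta
        b = [0] * 25
        for i in range(25):                                                 # rho + pi
            x, y = i % 5, i // 5
            b[y + 5 * ((2 * x + 3 * y) % 5)] = rol(a[i], _ROT[x][y])
        a = [b[i] ^ (~b[i - i % 5 + (i + 1) % 5] & b[i - i % 5 + (i + 2) % 5]) for i in range(25)]  # chi
        a[0] ^= rc                                                          # iota
    return a

def keccak256(data: bytes) -> bytes:
    rate, a = 136, [0] * 25
    buf = bytearray(data) + b"\x01" + b"\x00" * (rate - len(data) % rate - 1)
    buf[-1] ^= 0x80                                 # pad10*1
    for off in range(0, len(buf), rate):            # absorb; a 32-byte digest needs one squeeze
        for i in range(rate // 8):
            a[i] ^= int.from_bytes(buf[off + 8 * i:off + 8 * i + 8], "little")
        a = _keccak_f(a)
    return b"".join(a[i].to_bytes(8, "little") for i in range(4))

# AES-128, forward direction only: CTR mode never needs the inverse cipher.
def _make_sbox():                                   # p walks GF(2^8)* by x3 while q walks by /3
    sbox, p, q = [0] * 256, 1, 1
    rotl = lambda v, n: ((v << n) | (v >> (8 - n))) & 0xFF
    while True:
        p = (p ^ (p << 1) ^ (0x1B if p & 0x80 else 0)) & 0xFF
        q ^= q << 1; q ^= q << 2; q ^= q << 4; q &= 0xFF
        if q & 0x80: q ^= 0x09
        sbox[p] = q ^ rotl(q, 1) ^ rotl(q, 2) ^ rotl(q, 3) ^ rotl(q, 4) ^ 0x63  # affine map
        if p == 1: break
    sbox[0] = 0x63
    return sbox
_SBOX = _make_sbox()
_xtime = lambda b: ((b << 1) ^ 0x1B) & 0xFF if b & 0x80 else b << 1  # multiply by x in GF(2^8)

def _expand_key(key):                               # 16-byte key -> 11 round keys, 176 bytes
    w, rcon = list(key), 1
    for i in range(16, 176, 4):
        t = w[i - 4:i]
        if i % 16 == 0:                             # RotWord, SubWord, Rcon
            t, rcon = [_SBOX[t[1]] ^ rcon, _SBOX[t[2]], _SBOX[t[3]], _SBOX[t[0]]], _xtime(rcon)
        w += [w[i - 16 + j] ^ t[j] for j in range(4)]
    return w

def _aes_block(rk, block):                          # state is column-major: s[4*col + row]
    s = [block[i] ^ rk[i] for i in range(16)]
    for rnd in range(1, 11):
        s = [_SBOX[s[(i + 4 * (i % 4)) % 16]] for i in range(16)]      # SubBytes + ShiftRows
        if rnd < 10:                                                  # MixColumns
            out = []
            for c in range(0, 16, 4):
                a0, a1, a2, a3 = s[c:c + 4]; t = a0 ^ a1 ^ a2 ^ a3
                out += [a0 ^ t ^ _xtime(a0 ^ a1), a1 ^ t ^ _xtime(a1 ^ a2),
                        a2 ^ t ^ _xtime(a2 ^ a3), a3 ^ t ^ _xtime(a3 ^ a0)]
            s = out
        s = [s[i] ^ rk[16 * rnd + i] for i in range(16)]              # AddRoundKey
    return bytes(s)

def aes128_ctr(key, iv, data):                      # 16-byte key and IV, big-endian block counter
    rk, ctr, out = _expand_key(key), int.from_bytes(iv, "big"), bytearray()
    for off in range(0, len(data), 16):
        ks = _aes_block(rk, ((ctr + off // 16) & ((1 << 128) - 1)).to_bytes(16, "big"))
        out += bytes(x ^ y for x, y in zip(data[off:off + 16], ks))
    return bytes(out)

# keystore v3: dk = scrypt(password, salt); dk[:16] is the AES key, dk[16:32] keys the MAC.
def encrypt_keystore(privkey: bytes, password: str, n=2 ** 14, r=8, p=1) -> dict:
    salt, iv = os.urandom(32), os.urandom(16)       # fresh per file; a CTR IV must never repeat
    dk = hashlib.scrypt(password.encode(), salt=salt, n=n, r=r, p=p, dklen=32, maxmem=2 ** 30)
    ct = aes128_ctr(dk[:16], iv, privkey)
    return {"version": 3, "crypto": {"cipher": "aes-128-ctr", "cipherparams": {"iv": iv.hex()},
            "ciphertext": ct.hex(), "kdf": "scrypt", "mac": keccak256(dk[16:32] + ct).hex(),
            "kdfparams": {"dklen": 32, "n": n, "r": r, "p": p, "salt": salt.hex()}}}

def decrypt_keystore(keystore: dict, password: str) -> bytes:  # ValueError on wrong password
    c = keystore["crypto"]; kp = c["kdfparams"]
    if c["kdf"] != "scrypt" or c["cipher"] != "aes-128-ctr":
        raise ValueError("only scrypt/aes-128-ctr handled here (pbkdf2 keystores also exist)")
    dk = hashlib.scrypt(password.encode(), salt=bytes.fromhex(kp["salt"]), n=kp["n"],
                        r=kp["r"], p=kp["p"], dklen=kp["dklen"], maxmem=2 ** 30)
    ct = bytes.fromhex(c["ciphertext"])
    if keccak256(dk[16:32] + ct) != bytes.fromhex(c["mac"]):     # verify before decrypting
        raise ValueError("MAC mismatch: wrong password or corrupted keystore")
    return aes128_ctr(dk[:16], bytes.fromhex(c["cipherparams"]["iv"]), ct)

if __name__ == "__main__":                          # prints what the wallet's UTC--... file holds
    print(json.dumps(encrypt_keystore(os.urandom(32), "demo-only password"), indent=2))
```

Running the script prints a keystore JSON of the shape a wallet writes (minus the address and id fields). The maxmem argument matters if you point decrypt_keystore at a real file: geth’s default n of 262144 needs 256 MiB for scrypt, more than hashlib’s default limit allows. Notice what the format does and does not give you: the MAC is computed over the ciphertext with half of the derived key, so the file detects a wrong password and bit flips, but nothing in it slows an attacker down except scrypt itself. Whoever has a copy of the JSON can run the same scrypt loop offline, which is why the password chosen in step 3 and the safe deposit box from step 5 carry the whole security of the setup.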
Another interesting option for cold storage is a hardware wallet like the Ledger Nano S or the Trezor, if you feel more comfortable with a dedicated device that keeps the private key off your computer entirely. There are many ways to do this depending on your own preferences and risk appetite. The most important thing is that you are comfortable with the approach and that you can get your hands on your coins even if you don’t use them for years.
