Extreme Ownership: the Glacier Protocol

Matt ฿
Published in ChainRift Research
Feb 28, 2019

When it comes to Bitcoin, there’s ownership, and then there’s ownership. Some are happy with delegating custody of their coins to exchanges, while others feel relatively confident with their private keys stored on their phones. Generally, the more experienced crowd will tell you that a combination of hardware wallets, assault rifles and steak diets is the only way to ensure the safety of your funds.

However, there’s another level of protection that makes all of the above sound almost laughable in comparison. That’s the Glacier Protocol.

The project’s website details an extensive guide aimed at Bitcoin holders that want to go above and beyond with their security — those that hold large amounts of coins and/or those that want a self-sovereign and future-proof solution (it’s optimised for long-term storage, and not frequent withdrawals).

The Glacier Protocol places heavy emphasis on mitigating attacks ranging from malware installed on hardware at its source to side-channel attacks during setup. As such, the initial setup doesn’t come cheap – an optimal one requires two factory-sealed PCs, four factory-sealed USB drives, casino-grade dice and a Faraday bag for good measure. The hardware list even includes a ‘table fan’ to generate white noise, in case of opponents eavesdropping during the process. Unlike with hardware wallets, not even the manufacturer is trusted.

Eternally Quarantined Computers

The two new PCs used in the setup will never be brought online (whether intentionally or unwittingly) – the user removes the wireless cards before even powering them on. The operating system used is booted off of two of the four USB devices, and the operations themselves run off of the remaining ones.

If you’re committed to securing your funds in this manner, you’ll likely want to go all the way – which is why the guide provides a detailed section on setting up a quarantined workplace for deposits or withdrawals. It recommends you run the PCs on an external battery, pull the shades, run audio interference and put other electronics in a Faraday bag.

Operations are done in parallel on both PCs, to ensure that one hasn’t been compromised at the factory level. Once inside this airgapped system, the individual uses Bitcoin Core and the Glacier Python scripts to create private keys to a multisig address — generated with 160 bits of entropy stemming from 62 dice rolls. The number of keys in the m-of-n multisig scheme is left up to the individual.
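The arithmetic behind the 62-roll figure, together with the input checks a careful transcriber would want, as an added example (it is not Glacier's own script). The function names, the 50% dominance threshold and the use of SHA-256 to condense the rolls are assumptions made for illustration.

```python
import hashlib
import math

MIN_ENTROPY_BITS = 160         # figure quoted in the article
BITS_PER_ROLL = math.log2(6)   # one fair six-sided roll carries about 2.585 bits
# Constructed sample input: a patterned string for demonstration, not real dice output.
SAMPLE_ROLLS = "123456" * 10 + "12"


def min_rolls(bits=MIN_ENTROPY_BITS):
    """Smallest number of fair d6 rolls carrying at least `bits` of entropy."""
    return math.ceil(bits / BITS_PER_ROLL)


def parse_rolls(text):
    """Validate a transcribed roll string: whitespace ignored, faces must be 1-6."""
    rolls = "".join(text.split())
    bad = sorted(set(rolls) - set("123456"))
    if bad:
        raise ValueError(f"invalid die faces: {bad}")
    if len(rolls) < min_rolls():
        raise ValueError(f"need at least {min_rolls()} rolls, got {len(rolls)}")
    return rolls


def looks_stuck(rolls, max_share=0.5):
    """Crude sanity check: one face dominating suggests a typo or a loaded die."""
    return max(rolls.count(face) for face in "123456") / len(rolls) > max_share


def seed_from_rolls(text):
    """Condense validated rolls into a 256-bit hex seed.

    Hashing only fixes the size; the seed holds no more entropy than the dice gave.
    Being deterministic, it lets two offline machines compare their results.
    """
    rolls = parse_rolls(text)
    if looks_stuck(rolls):
        raise ValueError("roll distribution is implausible for fair dice")
    return hashlib.sha256(rolls.encode("ascii")).hexdigest()


if __name__ == "__main__":
    print("rolls needed for 160 bits:", min_rolls())
    print("bits in 62 rolls: %.2f" % (62 * BITS_PER_ROLL))
    print("seed:", seed_from_rolls(SAMPLE_ROLLS))
```

Because the derivation is deterministic, feeding the same transcribed rolls to both quarantined PCs must yield the same seed; a mismatch means a transcription slip or a misbehaving machine.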

Once the keys are manually transcribed onto paper (along with the pubkey for deposits and the scripts to move the coins), they go into separate opaque envelopes and are dispersed (presumably one into a bank vault, one to your lawyer and one into your basement safe guarded by automated turrets and lasers).

Is it for you?

It really depends on your threat model, but for the vast majority, probably not. The Glacier Protocol prioritises security over convenience – as you may notice in perusing the guide, withdrawals aren’t as simple as plugging in a Trezor and heading to the product’s webpage. It’s designed chiefly for protecting large amounts of coins that will sit idly for long periods.

Though the process is documented step-by-step so as to cater even to those with little technical proficiency, experts like Andreas Antonopoulos warn that unfamiliar users may end up losing their funds or failing to properly airgap their machines.

Cover art by author.
