(Almost) Zero Kelvin crypto storage

People are getting wiser about keeping their crypto funds safe, but if you’re not clear about setting up cold storage, here’s a brief guide for WAVES, Waves assets and other cryptos.

It happens all the time. There’s a frantic message on Slack or a forum from someone who has found an unexpected transaction in their crypto wallet. It’s empty. And the overwhelming odds are they’re never getting it back.

I’ve seen this happen many times, both to n00bs and crypto veterans who really ought to know better. Sometimes the losses have totalled hundreds of thousands of dollars. It happens for a variety of reasons, all avoidable. Cryptocurrency is incredibly secure when it’s used properly: the odds of brute-forcing a private key are infinitesimally small. Where thefts have occurred, it is always down to bad practice:

  • Choosing weak passphrases — or, in fact, any phrase that has appeared on the internet
  • Leaving private keys unencrypted on a computer, or in the cloud
  • Allowing a keylogger or other malware to be installed on the computer

Cold storage is the practice of placing cryptocurrency funds in an account where the private key has never been exposed to the web and these attacks. The key is then kept somewhere safe, offline and often in physical form. This isn’t just for protection against hackers; it’s well worth keeping your crypto safe for your loved ones to access in the event of an unexpected bus.

In this tutorial I’ll be looking at how to set up super-cold storage for bitcoin/gamecredits, WAVES and Waves tokens, such as Incent, EncryptoTel, MobileGo, ZrCoin, Ripto Bux, Waves Community Token and so on — though the same principles work for any crypto since all cryptocurrencies use public key cryptography.

1. Airgapped computer

You’ll need to generate new private keys for your cold storage accounts, and to do that, you’ll need a clean computer that is not connected to the internet (and won’t ever be connected again).

I’m using a Raspberry Pi 3, which I had anyway and which my kids use to watch old episodes of Trap Door on YouTube, plus a brand-new SD card pre-loaded with the NOOBS (linux-based) operating system — both available for bitcoin from The Pi Hut, if you don’t mind a significant percentage of your spend being the tx fee. The new SD card means there shouldn’t be anything nasty on the computer that has crawled out of the Trap Door from the dungeon of writhing nasty that is the internet.

2. Install your key-generating software

The next step is to download the software you’ll need to create your private keys (or ‘SEED’ in the case of Waves; the SEED is actually the precursor to the private key, but to all intents and purposes they can be considered the same for this process).

If you’re setting up a Waves cold storage account, you’ll need Python for this part — another reason to use the Pi, since it comes pre-installed on all the standard OSes. You’ll need to install the pywaves library, which you can do with [sudo] pip install pywaves from a command prompt. (For those of you who don’t know much about Linux, you can think of ‘sudo’ as the Voice of the Thing That Lives Upstairs in Trap Door. Say it and the servant is duty bound to comply, regardless of whether it’s sensible or reasonable.)

Then open up a Python window and import pywaves.

Pywaves, courtesy of Peter Black, is a Python library for Waves that enables you to create addresses and much else besides very easily. All you need is a SEED to create a Waves address. The SEED can be anything, and you can also use pywaves to generate a random twelve-word passphrase if you want. (Just leave the ‘seed’ field empty: seed=“”, see example below.)

An alternative, which I’ll be doing in this instance, is to generate a private key for another cryptocurrency using a separate piece of software, thereby enabling cold storage of WAVES, Waves assets and a further non-Waves crypto using a single key. (It’s equally possible to generate addresses for bitcoin and other cryptos from a twelve-word phrase; the number of cosmetic alterations it is possible to apply to the graphical user interface of a custom application token is greater or equal to two.*)

I’m using a version of the well-known bitcoin vanitygen software, which generates a random private key and (optionally) allows you to search for specific strings in the associated address so you can create a vanity address. This one has been adapted to create keys/addresses for gamecredits and other cryptos, as well as bitcoin. It’s open source, and you can find instructions for how to install and use it at https://github.com/mikeyb/vanitygen-gamecredits/blob/master/README.md. Thanks to Miko for making this and pointing it out to me.

Because both pywaves and vanitygen are open source (as is the Linux distro used for the Pi), and their code can be audited by anyone, there’s very little chance that they are compromised. Add to that the fact that you’ll never be connecting the computer to the internet again, and the chance of having your keys snaffled is vanishingly small (but non-zero, hence the ‘(Almost)’ in the title; if you really want to make sure, write your own random number and key generation software from scratch on an airgapped machine, or better still use dice and do the maths by hand).

3. Disconnect

Disconnect the computer from the web and make sure it stays disconnected throughout the following process, until you remove the SD card. This ensures that no one can log what’s going on or watch you do it. At this point, you should probably also check over your shoulder, just in case.

4. Generate your key and addresses

Run the vanity generator. Keeping things simple and fast for now, enter:

./vanitygen -G ‘G’

And you’ll get something like:

Difficulty: 1

Pattern: G

Address: Gb9MnyKjCp97Zb6Nj5esDkvhLLob2hVgdV

Privkey: 6Zz5ffPRLjn8jDjbpxWFEfEdXceFFhHzAFtJ2fQuKX5k5bjQuYK

This gives you a GAME key and address. The same key can be used as a Waves SEED. All you need to do is open up your Python window and type:

>> pw.Address(seed=“6Zz5ffPRLjn8jDjbpxWFEfEdXceFFhHzAFtJ2fQuKX5k5bjQuYK”)

(NB: seed=“” will generate your random 12-word phrase.) You’ll get a response like:

address = 3P3oF76XxShQ8yDCnBPshhfdXhf3R2taX85

publicKey = 97UAV4LzfM2h185rvh5zWu9nHLsTkXnbuzUtXT6MTKaH

privateKey = 7Uk6SeCNteUvGWNPLTrfj4qfvJiGkbXmVF1q1vGwtnmh

seed = 6Zz5ffPRLjn8jDjbpxWFEfEdXceFFhHzAFtJ2fQuKX5k5bjQuYK

balances:

Waves = 0

Make sure you copy and paste the privkey exactly — no extra spaces or characters missed off the end. Check it, double check it, then do it again to make sure you get the same result.

Did I mention checking it?

You can save these details to a text file on the SD card, which will become part of your cold storage record. If you want to keep using the Pi with the same card, then at the very least format it first. (And ideally, dry roast it on the hob, grind it to powder, add it to your coffee and buy a new SD card for the job.)

5. Record and store your key securely

Now to write your key down and place it somewhere secure. Don’t rely on the SD card alone, since there’s a chance it may become corrupted over time. And don’t rely on a copy stored in just one location, or you run the risk of losing your money in the time you can say ‘Single Point of Failure’.

I’m using a Cryptosteel, but a paper wallet will do the job depending on where you plan to keep it. You might simply write the key and addresses down using pen and paper. Whatever you use, make sure you double and triple check to make sure it’s right. Once you’ve done it, write the privkey back from the paper/Cryptosteel into pywaves on your offline computer to make sure you’ve got the right key. You don’t actually need the addresses as cold storage, since they will be created when you import your private key to a live wallet; it just makes things easier when you move funds into them. You will need them to send funds to from an online computer. You can use a clean USB drive for this.

It’s critical to make sure there are no traces of this key left anywhere else. If you print the key out, then use an offline printer and keep it offline, in case someone pokes around in the memory afterwards. It’s potentially also important that you don’t know the key or have immediate access to it either, in case someone pokes around in your memory (a technique known as Rubber Hose Cryptanalysis).

Where you keep them is up to you. If you’re storing a significant amount of crypto in these addresses, then a safety deposit box with a bank or solicitor may be the right way to go. A safe in your own home is another option, but be aware of factors such as:

  • Fire
  • Flood
  • Burglars with blow torches
  • Kidnap and Ransom

6. Move the funds

Finally, once the keys are secured wherever you’re going to keep them, only then do you send the funds from your wallet to their cold storage addresses. Repeat: your keys should be worthless whilst in transit.

When you or your grandchildren need to thaw the cold storage accounts, it’s just a case of retrieving the keys and importing them to the requisite cryptocurrency wallet.

That’s all! If you’ve got any tips for super-safe cold storage, feel free to tweet them to me.

* DM me the reference on Incent Slack along your Waves address if you get it — first one gets some Incent.