In this article on BitCoin security, we discuss more in-depth how to use a second phone for secure cold storage.
Marquee Mark – September 3, 2019
This three-part series shows how to store BitCoins long-term securely. In Part 1 we discussed what cold storage is, why use it and the different options available. In this article, we discuss more in-depth how to use a second phone for secure cold storage.
The process with one phone
Consider this simplified process to send a BitCoin transaction from a smartphone without cold storage.
- Prepare the transaction by collecting the best unspent outputs in the wallet to be used as inputs in the transaction. Prepare the outputs, which are usually two in number: one for the recipient, and one for “change”. Sometimes there can be one output, and sometimes more than two, but usually there’s two. At this stage the mining fee is calculated, usually one satoshi per byte on BitCoin SV.
- The transaction is then signed with the private key for each of the inputs to the transaction so that the coins can be sent to the new addresses.
- At this stage the transaction is fully constructed and signed, and the transaction is broadcast to the BitCoin network.
Using a second smartphone
The Simply Cash app is a great way to manage online and offline wallets for cold storage. The app is available from the Play/App Store or from the Simply Cash website.
In order to set up a cold storage system, two smartphones are needed. One is an everyday phone that can be carried around, and the other will be disconnected from the internet and stored securely. I use Samsung phones, but any recent Android or iPhone will work equally well. The process to sign a transaction offline is shown below.
There is a video on Streamanity showing the entire process on how to set this up with a demonstration with real phones.
- Prepare the inputs and outputs the same as for a hot wallet on a hot phone.
- The unsigned transaction data is displayed as a QR code for the cold storage phone to scan.
- The cold storage phone scans the unsigned transaction from the QR code on the hot phone.
- The transaction is signed with your private keys. This will make the transaction valid and ready for broadcast on the BitCoin network.
- The cold phone cannot send the transaction to the network because it’s not connected to the internet, so it needs to be sent back to the hot phone via QR code.
- The hot phone receives the signed transaction by scanning the QR code with the phone camera.
- As soon as the QR code is scanned, the transaction gets broadcast onto the network and the transaction is received by miners, ready to be mined into a block.
Cold Storage step-by-step guide
The steps required to set up a working cold storage solution will now be described in the following section.
Factory reset your second phone
A second phone can be:
- An old phone you already own
- A second-hand phone bought from a dealer or online site.
- A new phone from a third-party dealer
- A new phone from the manufacturer
Whatever the source, you should perform a factory reset in case any malicious software has been installed. If there is a SIM card in the phone, remove it now. It is not needed.
Apply security updates
Connect to a private wi-fi and manually apply the latest security updates by going into your phone’s settings. Your phone may need to restart at this point.
Download two apps
Download Swiftkey and Simply Cash. Swiftkey comes pre-installed on some phones. Change the default keyboard on your phone to Swiftkey and switch it into incognito mode. This will prevent the keyboard from learning words that you type (i.e. passphrases, seed words).
Once Swiftkey is installed, download and install Simply Cash. DO NOT OPEN IT YET! When the app is first opened, it creates a new wallet called Wallet 1 with new private keys. You don’t want to do this yet because the phone is still connected to the internet.
Optional: Connect to Ian Coleman in the web browser
Navigate to the Ian Coleman website in your web browser with this link. Once this link has loaded, proceed to disconnect.
Disconnect from the Internet
- Disconnect your phone from wi-fi.
- Go into wi-fi settings and forget the network you were connected to so that the phone doesn’t auto-connect if the wi-fi is switched on accidentally.
- Put the phone into aeroplane mode.
The phone will not ever connect to the internet again from this point onwards.
Generate keys using Ian Coleman or Simply Cash?
At this point, we are going to create the private keys for the cold storage wallet. There are two options here, first one is to generate the keys outside the Simply Cash app, and the second one is to generate the keys in the Ian Coleman site. I think either approach is fine. The more paranoid among you will generate your keys in the Ian Coleman site.
Make sure you are in a private place where no-one can see your phone or the piece of paper you are going to write the seed words on. Make sure the piece of paper you have does not leave an impression on the material underneath. I use a 2B pencil with several sheets of paper underneath, and then I shred the four sheets of paper so that my writing the seed words cannot be recovered. This helps prevent a side-channel attack.
Some of you might think this is a bit weird, but we want to be as secure as possible with our cold storage wallet.
Make sure there are no cameras around and do this away from windows. Close your curtains/blinds/shutters.
Option 1: Generate keys using Ian Coleman’s site
In your browser make sure that the coin is set to BCH – Bitcoin Cash and ensure the derivation path is BIP44 m/44’/145’/0’/0
This is the derivation path the Simply Cash wallet uses to create private and public keys.
In the Mnemonic section, select 24 words, and then tap GENERATE to generate your keys. A list of 24 words will be created. These words need to be written down. For now, write them down using the method described above.
Option 2: Generate keys using Simply Cash
If you are using Simply Cash to generate your keys, then all you must do is open Simply Cash and a new wallet will be created with 12 seed words. Click Settings in the top right (three vertical dots) -> More -> Backup Wallet, and your seed words will be shown. Here is a test wallet.
Write down your words described in the method above.
Once the wallet has been created on the cold phone, the read-only wallet data of the cold wallet can be transferred to the hot phone using something called the XPUB. This can be displayed on the cold phone and scanned by the hot phone. This allows monitoring of the cold wallet balance, receiving of transactions and the ability to create unsigned transactions. If you reveal the XPUB to anyone, they will be able to see all your addresses and monitor your wallet, but won’t be able to spend from it, so keep it secret.
Bear in mind that when you scan the XPUB on your hot phone, it can be displayed again on your hot phone without needing access to the cold phone.
Coming up next: I describe how to store your seed words and PIN on a specially configured phone.