The Bitcoin community has established that every January 3rd is Proof of Keys day – a special day during which bitcoiners withdraw their coins from exchanges. But there’s more to it: Proof of Keys also reminds the community about the numerous exchange hacks that we have witnessed over the years, and seeks to accomplish the proof of reserves that exchanges refuse to do.
Event creator Trace Mayer described the annual event as “flexing your muscles” so it doesn’t get weak. It’s good to remind yourself (and the exchange) every year you are the owner of the coins, and every attempt to encourage self-custody will only create more individual sovereignty and empowerment. Ultimately, these are two of the goals that the Bitcoin project is trying to accomplish.
Yet in spite of this noble pursuit to boost Bitcoin self-custodianship, very little emphasis is put on how it’s accomplished. Sure, it’s simple to install a software wallet or purchase a hardware wallet. It’s even simpler to set up a BIP 39 wallet, a PSBT configuration, a Shamir backup, or a multisig. But it’s a lot more difficult to manage the coins and ensure that you own them and can spend them whenever you please.
With this article I want to propose March 31st (the World Backup Day) for the day when we also remember to verify our Bitcoin wallet backups. Furthermore, I will also explain how to perform the procedure securely, to avoid unfortunate situations in which funds get lost.
And for the purpose of avoiding hackers who may pay extra attention on a specific date, baiting on privacy leaks that help them steal bitcoins, I strongly recommend that you perform your check on a random day of the year – and not necessarily on March 31st. The event I’m proposing acts as a reminder of the importance of verifying your backup. So you should definitely follow the best security practices.
Backup & Verification Matter
In this whole process of attaining sovereignty, we tend to forget about backup and verification. We need to minimize single points of failure while mitigating the risk of excessive multiplication, and we must also be sure that the backup we have made is still working.
This is no easy task and it definitely opens up the flood gate for lots of dilemmas. How many copies of your backup should you have? How should you store them? Where should you store them? How are you going to check your backup without exposing yourself to risks? How often should you verify your backup?
All of these questions concern your personal threat model and have no universal answer. Everyone must assess how they are most likely to lose their coins and who are the prime suspects. Do you live alone? Is there anyone who knows that you’re a bitcoiner and knows where you live? Do you keep all of your coins in one wallet? Do you suspect that your computer may be infected or get infected in the future? Are you the only custodian of the bitcoins? Do you travel with your coins?
Once you have an answer for every one of these questions, your plan should become clearer. This is how you figure out what kind of wallet you should be using, the amount of security you require and which vulnerabilities you might have.
And after you figure out the kind of storage that you really need, it’s time to think about your backups. They range from a “wallet.dat” file that you generate in Bitcoin Core and save on your computer to external drives, encrypted USB flash memory, hardware wallets, BIP 39 seed phrases, multisigs, PSBTs, and Shamir backups. You can even take the resulting data and write it down on a metal plate such as Billfodl, to eliminate some of the risks associated with paper or storage of files on a potentially-infected computer.
After you undergo this whole process and finally back up your coins, you must also do periodic verifications. A lock that’s left out in the rain for too long might go rusty.
If your security is too strong and you forget how to use it, you effectively lock yourself out and lose access to your BTC forever. If your security is too basic and obvious, you might make mistakes that leak data and get you hacked. So it’s always good to find a middle ground.
But backup verification is essential. What if you wrote down a wrong word for your seed phrase? What if you completely forget how to use your backup and you can no longer spend your coins because you relied too much on memory? What if the service which provides that nice user interface runs out of business and you can no longer use it?
The latter scenario is not ridiculous at all: there are lots of wallet developers and manufacturers that run out of business and stop supporting their work. Some of them don’t open source their code – and even if they do, it’s hard to find, verify and compile anyway. You should avoid locking your coins with a company whose services are so exclusive that nobody else provides them, and try to use as many open source standards as you can. After all, this is about money for which you should have long-term plans and even consider inheritance.
Securely Verifying Your BIP39 Seed
Every type of Bitcoin backup can and should get verified at least once per year. In this next section, I shall present my preferred way of verification. The device of choice is a Trezor Model T because it has the most convenient input (T9 typing on a touchscreen) and it undergoes a thorough process.
Now let's say that my BIP39 12-word seed includes the words: animal farm great novel number one book like very much thank mom
These are actual words from the BIP39 English dictionary, which consists of 2048 words that can be arranged in any order to form 12, 15, 18, 21, 24, 27, 30, 33 (and any multiple of 3) seed phrases. But I’ve picked the smallest number just to prove my point.
Now let me say this from the start: typing the seed on your computer keyboard is the worst idea ever. You can never know when you computer is infected and someone implanted some kind of keylogger. And while you verify the seed phrase, someone else receives it and steals your coins.
Likewise, you never know when you are infected with spyware which “sends home” every bit of text that you copy – it’s usually looking for passwords and credit card information, but hackers will quickly recognize a BIP39 seed phrase. On mobile devices, you already have Tik Tok, Google News, and New York Times which spy on your copied text. What makes you think that your computer is safer?
So if you’re going to do a recovery (preferably in a wallet like Electrum or Wasabi), type it only on your hardware wallet. Even when you enter the passphrase on a hardware wallet like Trezor, never use the computer keyboard regardless of the convenience factor.
The reason why I recommend Trezor Model T for recovery mostly concerns the convenience factor. In the Trezor web wallet, you can even verify your seed (though it comes at the cost of exposing your xpub/public key, so Trezor will know how many coins you’re holding). If you use this web wallet, then open it in the Tor browser as explained in this article.
The Model T uses T9 typing just like a mobile phone from the early 2000s – except that it has a touch screen. I only recommend it because I prefer its input system (and hardware wallet hacker Lazy Ninja seems to share my preference).
Similarly, the BitBox02 also has touchscreen input for quick verification. In comparison, Ledger hardware wallets only have 2 buttons which make recovery check a lot clunkier and susceptible to mistakes that make you re-enter words. In the end, it’s a matter of taste. And if you already own one of these devices, there is no reason to buy a new one just to perform the verification faster.
To get a better idea of what it entails, watch this video (and keep in mind that it’s better to use Electrum than Trezor’s web wallet):
If you undergo all the steps correctly and the words you type via hardware wallet are confirmed to be correct, then congratulations! Not only that you’ve discovered that you can successfully use your bitcoins whenever you need them, you’ve also remembered how. It’s like a muscle that you should exercise about once a year, before returning to the practice of secure custodianship.
If you held gold bars in a safe, this would be like practicing the process involved in unlocking the door via cipher code. You gotta remind yourself how it’s done and also make sure that everything still works.
On World Backup Day (March 31st), we should also remind each other to verify our backups sometime throughout the year.
Donate to Bitcoin Takeover
Enjoyed this article? Found it helpful? Well, you can definitely support my work with a donation. Here’s how you can do it:
Donate BTC: 36iGomuWKYvKdpUybRD4xtREHgxN3nQCNF
Donate bits via Lightning: https://tippin.me/@TheVladCostea
Support the channel on Patreon with dirty fiat: https://www.patreon.com/bitcointakeover