To secure your crypto, you must:
1. Prevent others from obtaining (a copy of) your private keys → Protect yourself from hackers, secure your devices from viruses, the Internet, etc.
2. Prevent yourself from losing your private keys → Have backups to prevent loss or damage to devices, and secure these backups.
3. Have a way to pass on your private keys to your loved ones in the event of your death. This isn't a pleasant situation to consider, but as responsible adults, we must manage this risk.
Protection against hackers
You've heard of hackers. They use viruses, Trojans, and other malware. You don't want any of these near your devices.
For decent security, your crypto-dedicated device should never connect to the internet, and you should never use it to download files. So how should you use such a device?
Let's talk about the different devices you might use.
Dedicated computer
A computer is an obvious choice, often the most versatile in terms of supported cryptocurrencies. Never connect it to the internet or a network. If you do, a hacker could exploit a bug in the system or software to gain access.
How to install software?
- Use a USB key (scanned with 3 different antivirus programs).
- Download the software (OS + wallet) from the official website.
- Wait 72 hours and check that no recent hack of the software has been reported.
- Use only open-source software (less risk of backdoors).
- Choose Linux (more secure than Windows/Mac).
Once installed, use a clean USB drive to move transactions to and from the device for offline signing (the method varies by wallet).
Physical security:
- Encrypt your hard drive to prevent reading if stolen.
If all this sounds too technical, there are other options.
Dedicated cell phone
An unrooted phone is generally more secure than a PC thanks to mobile OS sandboxing. For most people, I recommend an iPhone. For the more technically inclined, an Android running GrapheneOS.
Best practices:
- Use a phone dedicated solely to the wallet.
- Keep it in airplane mode except for transactions.
- No Wi-Fi, only 5G.
- Some mobile wallets allow offline signing (via QR codes), which avoids exposing keys to the Internet.
Disadvantages:
- No app/OS updates without compromising security.
- Limited support for staking, yield farms, etc.
Hardware Wallets
These devices are designed so that private keys never leave them. (Update 2025: Newer Ledgers can send your keys to a server, so this is no longer true.)
Weak points:
- Possible bugs in firmware/software.
- Interaction with a computer/phone required (check that the device is virus-free).
- The most fragile part remains the backup of the keys (see below).
---
Protecting yourself from yourself
You could lose or damage your device, so backups are essential.
Backup methods
1. Paper:
- Easy for seed phrases (12-24 words).
- Risks: loss, fire, flood, reading by others.
2. Metal plates:
- Fire/water resistant.
- Do not solve the problem of theft or reading by others.
3. Encrypted USB drives (recommended):
- Use at least 3 resistant USB keys (water/fire/shock).
- Encrypt them with VeraCrypt or a similar tool.
- Store them in geographically separate locations (with relatives).
---
Plan for your loved ones
We don't live forever. A succession plan is necessary.
Options:
1. Share keys directly:
- Risky if your loved ones are not tech-savvy or are unreliable.
2. "Dead man's switch" services:
- Online services send a pre-configured email if you don't respond within a given period.
- Use **PGP** to encrypt the message with the recipient's public key.
3. Avoid bank vaults/lawyers:
- Unencrypted keys can be copied and used without trace.
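The dead man's switch from option 2, sketched as an added example (not code from this article or from any real service): it refuses any payload that is not ASCII-armored PGP and releases it only after a missed check-in. The class and function names, the 30-day interval and the 7-day reminder window are assumptions for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

ARMOR_BEGIN = "-----BEGIN PGP MESSAGE-----"
ARMOR_END = "-----END PGP MESSAGE-----"

# Constructed placeholder standing in for the output of
# `gpg --encrypt --armor --recipient <heir's key>`; not real ciphertext.
SAMPLE_CIPHERTEXT = f"{ARMOR_BEGIN}\n\n(constructed placeholder body)\n{ARMOR_END}\n"


def is_armored_pgp(text: str) -> bool:
    """Format check only: the payload is one ASCII-armored PGP message.

    It catches a pasted plaintext seed phrase; it does not prove the message
    was encrypted to the intended recipient's key.
    """
    lines = [ln.strip() for ln in text.strip().splitlines()]
    return len(lines) >= 3 and lines[0] == ARMOR_BEGIN and lines[-1] == ARMOR_END


@dataclass
class DeadMansSwitch:
    payload: str            # what the service stores and would email
    interval: timedelta     # how often the owner must respond
    grace: timedelta        # assumed reminder window before release
    last_checkin: datetime

    def __post_init__(self):
        # The service operator must never hold readable keys.
        if not is_armored_pgp(self.payload):
            raise ValueError("encrypt the message with PGP before uploading")

    def check_in(self, now: datetime) -> None:
        self.last_checkin = now

    def state(self, now: datetime) -> str:
        silent_for = now - self.last_checkin
        if silent_for <= self.interval:
            return "armed"
        if silent_for <= self.interval + self.grace:
            return "reminder"   # nag the owner, release nothing yet
        return "release"        # send the ciphertext to the recipient


def timeline(days_silent):
    """State of a 30-day switch with a 7-day grace after N silent days."""
    start = datetime(2025, 1, 1)
    dms = DeadMansSwitch(SAMPLE_CIPHERTEXT, timedelta(days=30), timedelta(days=7), start)
    return [dms.state(start + timedelta(days=d)) for d in days_silent]
```

Because the stored payload is ciphertext for the recipient's key, neither the service nor anyone who intercepts the email can use it without the recipient's private key.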
---
Using Centralized Exchanges
If all this seems too complicated, you could store your funds on an exchange. But this isn't without risks.
Choose a Reputable Exchange
Large platforms (like Binance) invest billions in security:
- Robust infrastructure, external audits, big data/AI against fraud.
- Risk of *exit scam* almost zero (unlike small exchanges).
Secure Your Account
1. Dedicated computer:
- Antivirus, firewall, no unnecessary downloads.
2. Secure email:
- Gmail or ProtonMail with 2FA (Yubikey recommended).
- No linked phone number (risk of SIM swap).
3. Password manager:
- 1Password, KeePass (open-source).
4. 2FA and U2F:
- Avoid text messages (risk of SIM swap).
- Prefer Yubikey (phishing protection).
5. Whitelist of withdrawal addresses:
- Activate the 24-hour delay for any new address added.
6. KYC Level 2:
- Facilitates account recovery in the event of an incident.
---
Conclusion
I generally recommend using both:
- A centralized exchange (for ease and advanced security).
- A personal wallet (for quick transactions and autonomy).
If you follow these tips, you should be able to store your funds safely, whether on your own or through an exchange.