I often get asked “How/where should I store my Bitcoin?”
This is a complex question that I’ve explored extensively over the last 8 years of HODLing, but there are some simple ways to break down the solutions and their pros/cons.
There are two ways to store your Bitcoin:
- Self-Custody: You take custody of (aka you hold) the Bitcoin yourself and have complete control over it. This means you manage your own private key.
- Custodial: You trust a company like Kraken, Coinbase, Anchorage, etc. to store your Bitcoin for you where they have control over the private key.
“Not your keys, not your coins” is a popular mantra in the space advocating for self-custody: if you don’t control the private key, the Bitcoin isn’t 100% yours. The converse, “Your keys, your coins,” means you are solely responsible for the proper storage of those coins.
The debate between custodial vs self-custody comes down to two main points:
- Trust: Who do you trust? Do you trust a company to hold your coins, or do you trust yourself?
- Attacks: What are you trying to protect against? Exchanges are a honeypot for hackers, and governments can force companies to freeze funds. But self-custody methods are prone to mistakes, break-ins, and natural disasters (ex: earthquake, tornado, hurricane, house fire).
In the following sections, I’ll break down the pros/cons of self-custody vs custodial.
Self-custody is the preferred method to store Bitcoin. With self-custody you take complete control of your Bitcoin, which is one of its main value propositions.
The upside is that you are in complete control of your Bitcoin no matter what local regulations dictate (just like holding physical gold). No one can take your Bitcoin from you if it is stored securely, and you are free to do what you’d like with it. Self-custody protects Bitcoiners against government seizure, honeypot hacks (ex: exchanges or other large pools of Bitcoin), and other attacks.
However, the downside of self-custody is that you could lose all your Bitcoin if not stored properly.
A common mistake is to overcomplicate the backup. A backup is created in case of hardware device failure and consists of 12–24 words that need to be stored somewhere safe. If anyone finds the backup, they can take your coins. Because of this, Bitcoiners think they need to come up with more elaborate setups in case the backup is found. However, that can instead end with the coins being lost through human error. For example, folks may add an additional password on the backup. But then they are adding layers of complexity, which may not be the best solution for those who have trouble remembering passwords.
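To show what that “additional password” actually does, here is an added example (not from the original newsletter) that derives the wallet seed from a 12–24 word backup the way BIP39 specifies, using only the Python standard library. The mnemonic is the published all-“abandon” BIP39 test vector, not a real wallet; the point is that the passphrase is extra key material, so any passphrase, including a mistyped one, silently yields a different, empty wallet rather than an error.

```python
import hashlib
import unicodedata

# Constructed sample: the all-"abandon" mnemonic from the BIP39 reference test
# vectors (all-zero entropy). It is a published example, not a real wallet.
SAMPLE_MNEMONIC = ("abandon " * 11 + "about").strip()


def bip39_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """Derive the 64-byte BIP39 seed from a mnemonic and optional passphrase.

    BIP39 specifies PBKDF2-HMAC-SHA512 with 2048 rounds, the NFKD-normalised
    mnemonic as the password and "mnemonic" + passphrase as the salt.
    """
    password = unicodedata.normalize("NFKD", mnemonic).encode("utf-8")
    salt = ("mnemonic" + unicodedata.normalize("NFKD", passphrase)).encode("utf-8")
    return hashlib.pbkdf2_hmac("sha512", password, salt, 2048, dklen=64)


def passphrase_changes_wallet(mnemonic: str, passphrase: str, typo: str) -> bool:
    """True if the intended passphrase and a typo of it produce different seeds.

    There is no "wrong passphrase" error in BIP39: every passphrase yields a
    valid but different wallet, which is why a forgotten or mistyped
    passphrase looks like an empty wallet rather than a failed login.
    """
    return bip39_seed(mnemonic, passphrase) != bip39_seed(mnemonic, typo)


if __name__ == "__main__":
    # Matches the seed listed in the BIP39 test vectors for passphrase "TREZOR".
    print(bip39_seed(SAMPLE_MNEMONIC, "TREZOR").hex())
    # A single trailing space in the passphrase is enough to land in another wallet.
    print(passphrase_changes_wallet(SAMPLE_MNEMONIC, "correct horse", "correct horse "))
```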
Another backup mistake is to write it down on paper, which can easily be lost or damaged. The best way to protect against this is storing the backup on titanium using CryptoTag.
Note: You can have a self-custody wallet that is connected to the internet, called a “hot wallet,” or one that isn’t connected to the internet, called a “cold wallet” or “cold storage.” Having a wallet connected to the internet opens it up to more hacker attacks, so it’s recommended that most coins remain in cold storage and only the ones you need on a daily basis are in your hot wallet.
How to self-custody:
- Buy Bitcoin
- Buy a hardware wallet:
  - (Simple) Trezor
  - (Better, but more complicated) Coldcard: http://rb.gy/u0rlck
- Record your backup on titanium: https://rb.gy/nvkoul
- Transfer over the x% of your Bitcoin that you trust yourself to handle
Custodial storage means trusting someone else to store and manage your Bitcoin, such as when you leave it on an exchange. Businesses that custody Bitcoin range from incompetent (Mt. Gox) to highly competent and trusted to hold billions in crypto, for example:
Kraken: Kraken is extremely security focused. While I can’t go into the exact protocols they use, their security page covers their private key management practices. Kraken has never been hacked in the 10 years of its existence.
Coinbase: they are one of the most trusted exchanges in the space and operate as a “qualified custodian,” which means they have a separate company called “Coinbase Custody” that operates as a standalone, independently capitalized business separate from Coinbase, Inc. Coinbase Custody is a fiduciary under NY State Banking Law. All digital assets are segregated and held in trust. Coinbase has never suffered a hack that led to loss of funds. Here’s a great blog post by them going into their private key management practices.
Anchorage: they are also a qualified custodian, and the first national bank approved by the OCC in the US. You can read more on their security methods here.
These custodial entities are all extremely competent and have built their cold storage systems to withstand natural disasters, hacking attempts, etc. Will one be hacked in the future? Possibly, but I think large scale fund losses are likely to be rare.
The primary risk with custodial solutions would be government seizure of your Bitcoin, to which most of these services would probably acquiesce.
How to use custodial services:
- Find a reputable company that you trust. The above 3 are popular and reputable.
- Move your coins there
- Make sure to use a password manager for password generation AND set up non-SMS 2FA, such as Google Authenticator
When it comes to custody of my coins, my thinking is about mitigating catastrophic risk, whether that is an exchange hack or state seizure of assets (custodial) or a forgotten password or house fire (self-custody). To reduce that risk, I split my coins between those solutions, with the majority in self-custody cold storage.
Long term, I think multisig is the best solution, as it blends the benefits of self-custody with minimized self-custody risk. With multisig, you have x pieces of a private key that you distribute amongst y parties. 2-of-3 and 3-of-5 key setups are popular. However, the user experience around additional key holders is still being worked out. For example, who controls the 3rd/4th/5th key? If a company has one key, I have one key, and a family member has one, I still have to trust the family member’s competency. Great multisig solutions are Casa and Unchained Capital.
As mentioned at the beginning of this newsletter, what custodial vs non-custodial ultimately comes down to is who you trust and what attacks you are trying to prevent.
There’s no perfect answer to private key management.