Most of us reading this post know the importance of using a hardware wallet to protect our bitcoin. We know to secure and protect our seed phrase. “Not Your Keys, Not Your Coins” is our mantra. But are they your keys if you have to trust the TRNG (True Random Number Generator) built into your hardware wallet?
It is true that quality hardware wallets like the Cold Card products are completely open source. That is great, but a guy like me does not have the technical ability to verify source code. So I have to trust (a dirty word for bitcoiners) other hodlers much smarter than me to check the code. Also, the secure element chip is not manufactured by the wallet company, so you have to trust the chip maker as well.
The alternative is to roll your own seed. It is a bit of a process, and you really should roll the dice at least 100 times to ensure sufficiently high entropy (randomness).
I admit I have not done this, but now I’m thinking about giving it a try. I wonder if most people on Stacker News do this, or do you trust the hardware wallet? Also, do people who use multisig think of rolling dice for each phrase to be overkill?
Yes. And is not really necessary to use a hardware wallet, if you really know how to manage that seed with multiple apps.
What is really a hardware wallet? Is just a seed keeper and signer. Nothing else. HW are for people that are not comfortable with software. Yes, I would strongly recommend to non-tech people to use a HW.
I personally do not use a HW and never lost any sats or get "hacked". Why? Because I know what am I doing.
reply
famous last words and then lost all his bitcoin :)
reply
Do you think that what Luke Dashjr was doing is sort of what you describe? Also, did you see that he is now working on creating a wallet?
reply
Luke didn't read his father guides... 😂😂😂😂
Also is possible that was cover up of a "ups I lost my keys and my BTC are gone"... Luke is well known for these "scenarios".
reply
Very interesting that his name is Luke!
reply
Dices are nice little entropy generation devices. I used dices and recommend using dices.
BUT: you really must know what are you doing and how you are doing it.
Just to do a coumple of examples, there is a risk of exposition/vulnerability if you use a software tool like iancoleman's to derive words and addresses on a connected or infected device. Also you can be exposed if you write on paper the dice rolls or if you take a pic of the software tool screen showing the words as reference to engrave on metal.
So roll the dices, but be careful and think carefully at what are you doing.
reply
Just buy a small pack of dice and do a few rolls. Really doesn't take that long, and will give you peace of mind.
Having said that, i believe the Mk4 uses two sources of entropy which reduces risk from one of the TRNG being compromised.
Also, passphrase is a simple additional step which further improves security if you dont have the option of dice on your HW.
reply
I do not do that and I would doubt many do that. (also interesting to see the comments).
I cannot speak to all the HW wallets out there, however, if there is a business whose entire premise is HW wallets and not your keys/not your coins slogan, they better be sure to control the manufacturing process of their chips if they want to thrive (that is probably even more important than the software since that can be easier to control). It is in their interest to do so. Trezor for example now started to manufacture their own chip if I understand it correctly.
Of course, you never know, but if for example one of the major HW wallet sellers would have a security issue as in scamming users, then this would be the largest scam in history :).
reply
I basically agree, but when reading your response I started thinking that few people probably saw Mt Gox or FTX coming either.
reply
That is for sure. Better be safe then sorry in this industry hehe :).
reply
If you're able to run code, why not run a local script?
reply