State of the art 2023: multisig for cold storage
411 sats \ 8 comments \ @C_Otto 17 Dec 2023 bitcoin
I'd like to use multisig (2-of-3 or 3-of-5 or so) to store some BTC in cold storage. I've been quite happy with Armory, but it seems that project is rather dead. What are good ways to use multisig in 2023? I'm looking for software that...
  • is well-known, reviewed, trusted, widely-used, open-source
  • will be around (and installable) in a couple of years
  • makes it easy enough for non-techies to recover funds
  • provides seed phrases, QR codes, ... with all necessary information
write
preview
related posts
1000 sats \ 6 replies \ @antic 17 Dec 2023
my preferred setup is (in a nutshell):
  1. raspberry pi that has never been online with latest raspbian OS
  2. load up a USB with GPG key, copy of bip39-standalone.html, and Electrum
  3. generate seeds using bip39-standalone with passphrase/extension
  4. save seeds/extensions to text and GPG encrypt and save GPG encrypted outputs to USB (note, I encrypt these with myself and some other trusted GPG recipients who will be able to decrypt all seeds upon my death)
  5. load seeds into electrum and create multisig (checking bip-39 and extend) -- the reason for using bip39-standalone instead of using electrum to generate the seeds is that I don't want to be beholden to electrum's proprietary seed versioning system but they are a convenient way to load up and recreate the multisig wallet (though not a total software dependency)
  6. copy down Master Pub for each seed and root fingerprints and save in a plaintext to create a watch-only (onto USB)
  7. copy down first 5 generated addresses to plaintext file to extract via USB
  8. bring up a watch-only on another device and ensure the addresses match
  9. for extra sanity, repeat creating the multisig on the raspberry pi to ensure no weird cosmic rays affected the bits and ensure it all still matches
  10. distribute each GPG encrypted seed to trusted parties/places
I save copies of the Electrum, bip39-standalone.html, and Raspbian OS image in cloud storage so family can access the exact tooling I used if I die and they need to recover along with instructions on how it was done. Cosigners know to assemble upon my death and not to give me the seeds back out of normal cycles or when asked to be rushed--and if rushed, it's a sign to alert authorities that I'm being held hostage.
There are a few other secret details, but this is good enough for most folks :)
reply
0 sats \ 1 reply \ @C_Otto OP 12 Feb
Sorry for the very late response, I'm slow with stuff like this. Thank you for your setup! There's no multisig in it, though?
reply
0 sats \ 0 replies \ @antic 19 Feb
this method works for generating any combination of multisig or single sig. I've used this method to create 6/10, 2/3, 3/5, etc. After generating the initial seeds, they can be combined using Electrum for the multisig. I do this part using Electrum because I want to have verified and documented repro steps for non-technical family/friends to recreate after I die.
Ultimately though, waiting to build a good MuSig2 setup as I'd like to move the 6/10 multi-state/user distributed shards to a MuSig2 design during a low fee time.
reply
0 sats \ 3 replies \ @xz 18 Dec 2023
Serious question. That I've heard mentioned before but never fully resolved..
Why would you trust the author of bip39-standalone.html over electrum wallet? Both have sha-hash of the code, can be built from source and developrs gpg signatures?
Appreciate your thorough methodology above.
reply
21 sats \ 2 replies \ @antic 18 Dec 2023
I don’t trust either of them, but I can read code. The reason for Ian’s bip39 code is that it’s using the bip39 wordlist and spec, without custom logic. That means I can use any standard software (or write my own) to derive the keys from the seed without needing electrum. The randomness isn’t in question so much as reliable reproduction and recovery.
reply
111 sats \ 0 replies \ @xz 18 Dec 2023
I can use any standard software (or write my own) to derive the keys
I see. Makes sense. So comes down to simplicity I guess. Removing potential layers of complexity in the code that derives the keys.
Thanks for explaining!
reply
0 sats \ 0 replies \ @antic 18 Dec 2023
bcoinjs is also easy to use and read and can generate seeds.
I use their library and CLI for some things too, which I like because all of their dependencies are internal to their GitHub, so it’s all there to review. No crazy event-stream dependency shenanigans: https://github.com/bcoin-org/bcoin/blob/0c18028cd333bef8b0939ada8b56ae3911fd0c26/package.json#L25
reply
0 sats \ 0 replies \ @anon 18 Dec 2023
https://www.sparrowwallet.com/
reply