Bitcoin Security Best Practices

Bitcoin has the potential to revolutionize the way your company does business. Payments made or received using the virtual currency are almost instantaneous, and no card processor or other intermediary takes a percentage of transactions.

But if there’s one major weakness with Bitcoin, it’s security.

Your Bitcoins live in your Bitcoin wallets, so you are, in effect, your own bank. If you encrypt your wallet and forget the key, your Bitcoins are gone forever. And if a hacker or malware gets access to it, your wallet can be cleaned out in seconds. Your Bitcoin funds will be lost, and you can’t turn to FDIC  or any other financial authority for reimbursement.

That means security is of the utmost importance. Here are 10 vital security tips businesses should employ to keep Bitcoins secure:

Don’t Use Web Wallets

These are magnets for hackers and should be avoided whenever possible. If it is necessary to use one when you use a Bitcoin exchange, transfer them from your exchange-based wallet  after the exchange transaction as quickly as possible to a wallet running on a computer under your control that is kept encrypted.

Limit Employee Access to Bitcoin wallets

Joe Stewart, Dell SecureWorks’ director of Malware Research, says this is very important in corporate environments, because of the anonymous nature of Bitcoin transactions. If an employee gets access to a Bitcoin wallet and transfers funds to another wallet that they control, there’s no obvious way of tying the destination wallet to an individual employee.

In organizations where many different staff need access to a Bitcoin wallet to make transactions, he recommends using a wallet with multiple sub-wallets: one sub-wallet for each employee who needs Bitcoin access, and each protected by encryption.

Maintain Separate ‘Hot’ and ‘Cold’ Wallets

Bitcoin wallets that reside on machines that are connected to the Internet (“hot” wallets) are far more vulnerable to network-based attacks than ones that are offline. “If you are running any kind of online Bitcoin business, offline-wallets are an invaluable tool,” says Alan Reiner, core developer of the open source Armory Bitcoin wallet.

The idea is to keep the bulk of your Bitcoin funds in the  offline wallet (which can be stored in a safety deposit box if you want) while keeping just a small “float” of Bitcoins in your online wallet for day-to-day use. If you receive large Bitcoin payments to your online wallet, they should be moved to the offline wallet regularly.

Store Private Keys Offline

Bitcoin wallets use public keys for receiving Bitcoins (and other functions such as checking balances) and private keys for authorizing Bitcoin payments from your wallets.  So one way to enhance the security of your online wallet is to remove its private keys, and store them on a separate computer which is not connected to the Internet and therefore can’t be compromised by malware or hackers.

“To make a payment you generate the transaction on the online computer, bring it to the offline computer (on a USB stick) for signing with the private key, and then bring it back to the online computer to complete the transaction,” explains Stewart.

This may be inconvenient, but it provides significant extra protection for your online wallet if it has to contain large amounts of Bitcoins from time to time. That’s because compromising a cold wallet requires physical access, an advanced USB virus or the accidental installation of malicious software.

Use Dedicated Hardware

Ideally, dedicate one USB key for moving data between online and offline computers to minimize its exposure to potential viruses, and dedicate your offline computer exclusively to running your offline wallet – also to minimize its potential exposure to viruses.

Use Linux on Online and Offline Computers

The best way of moving data between online and offline computers is by USB drive, Alan Reiner points out, and Linux has the best record of resisting USB-based attacks.

Keep Secure Offsite Backups of Bitcoin Wallets

If your computer is lost, stolen or destroyed, or your hard disk fails, then you may not be able to access your wallet or the Bitcoin it contains – unless you have backed up your wallet elsewhere. A sensible precaution is to make multiple backups stored at different locations.

Depending on the type of wallet you use, you may have to back up your wallet after each transaction or each 100 transactions in order to keep it up to date with the latest private keys that have been generated to provide access to your Bitcoins.

Use a Type 2 Deterministic Wallet

The benefit of a Type 2 deterministic wallet (which includes both the Electrum and Armory open source wallets) is that it uses a seed to deterministically generate all future private keys for any Bitcoins you receive.  That means that you only need to make one backup ever, Joe Stewart points out.

That’s because the backup contains the seed; if you lose your wallet, you can simply create a new wallet using the same seed and your lost wallet will effectively be recreated with all the private keys and Bitcoins it contained.

Use Fragmented Backups

Even though you only need to make one backup of your seed ever, it is still sensible to make multiple copies of this backup and store them at different locations. If you are concerned about the physical security of your backup, make a fragmented backup. This splits the seed into, say, six fragments, with any four needed to recreate the seed. You can then store each fragment in a different location; to get access to your wallet, a thief would have to access four of the six fragments. The Armory wallet offers the option of fragmented backups.

Use a Hardware Wallet

A hardware wallet (such as the Trezor) is effectively a USB key with an on-board computer running its own specialist operating system, dedicated to running a Bitcoin wallet. Its hardware stores the wallet’s private keys and never divulges them – similar to the way that many laptop computers’ Trusted Platform Module (TPM) holds encryption keys.

By inserting a hardware wallet into an online machine, Bitcoin transactions can be signed using the private keys stored in the hardware. Even if the online computer is infected with malware, Bitcoins can still be securely sent and received without the malware getting access to the all-important private keys.

Paul Rubens has been covering enterprise technology for over 20 years. In that time he has written for leading UK and international publications including The Economist, The Times, Financial Times, the BBC, Computing and ServerWatch.

Paul Rubens
Paul Rubens
Paul Rubens is a technology journalist based in England, and is an eSecurity Planet contributor.

Latest articles

Top Cybersecurity Companies

Get the Free Newsletter!
Subscribe to Cybersecurity Insider for top news, trends & analysis
This email address is invalid.
Get the Free Newsletter!
Subscribe to Cybersecurity Insider for top news, trends & analysis
This email address is invalid.

Related articles