Private Key Management aka How to hodl crypto?

Cryptocurrencies are all the rage now. They promise a lot of things, one of them being the delivery of more freedom in the financial sector and the removal of pesky rent-seeking middlemen as well as hyperinflating fiat of governments. Since by this point in my life I have learned that nothing in life is for free and it's all about tradeoffs, I thought it might be a good idea to learn more about the tradeoffs to be had with cryptocurrency asset storage.

Factors

Adversarial protection

One of the most important qualities of a financial setup that you would like to have is its security against malicious actors that could steal from you. In most people's minds that is simply the likelihood of an attacker transfering your assets out of your control.

Betrayal of trust

If you trust a party or parties, immediately you'll have to think about how much you really trust them.

Institutional protection

A commonly cited benefit of cryptocurrencies is the ability to put assets outside the reach of large instiutions including governments.

Accident/misfortune protection

An overlooked, despite many highly publicized stories, is the chance that you will irrevocably lose control of your assets outside the influence of someone adversarial.

Convenience of transfer

What good is an asset if you can't do anything with it? The ease of transferring the assets, either within your control or to others, is a major factor to consider for your storage. Ease can be quantified via mental complexity, transaction processing duration as well as dependencies on other parties, or places.

Options

With those guidelines in mind, let's look at some commonly discuseed options for storage and how they compare on those dimensions:

Exchange wallets

I don't think I'm that far off when I claim that the vast majority of people holding cryptocurrencies, do so by simply holding it within the exchanges like Coinbase, Gemini, Kraken etc.

Adversarial protection

Since the exchange exerts ultimate control over the cryptoassets (and their private keys) that belong to you, your adversarial protection is about as good as the exchange's security:

• An attacker could get a hold of your password
• If you don't use MFA, usually control of your email will yield control of your exchange account via resetting the password
• If you do use MFA with a phone number, then phone number takeover is possible.
• An attacker could try to impersonate you via social engineering on the exchange and move out the assets.
• An attacker could hack the exchange or you via various other means including phishing, keylogging etc. and get the private keys and move out the assetts.

Betrayal of trust

• A rouge employee could move out assets. You have to trust the exchange to have good policies in place to prevent this.
• You are technically trusting your operating system, browser vendor, as well as any other software that runs on your machine.

Institutional protection

• Most exchanges that deal with fiat currencies are connected to the conventional financial system and thus are bound by various regulation. A government or bank can force an exchange to block access of your assets or even strip you off it, whether justified or not (fraud, involvement in a crime, tax evasion etc.)

Accident/misfortune protection

• If you ever lose access to your account to an exchange, you can often use your government issued ID and other information to prove to your exchange that you are indeed the legitimate owner of the account. (In addition, if you don't use MFA then resetting passwords can also work)

Convenience

• Arguably the most convenient, as you generally only need knowledge of your password and optionally MFA to access your account and transfer funds. Some exchanges even have mobile apps. You can generally do it from anywhere with minimal requirements. Also recovering from accidents is relatively convenient via the usage of government-issued identification. There is very little cost involved with holding your funds in an exchange.

Hot Wallets

Another common way of storing cryptocurrencies is the use of a wallet on your computer or smartphone.

Adversarial protection

• Compared to an exchange wallet, you no longer have a security dependency on an exchange, thus you yourself are mostly responsible for adversarial protection. While that reduces the surface area, it's not too far fetched to say that most individuals would actually increase the likelyhood of adversarial theft because exchanges can be better specialized at securing systems.
• You can still be phished, keylogged etc.
• Your device can get stolen.

Betrayal of trust

• As said above, you especially have to trust the software and operating system running on your machine.

Institutional protection

• Institutional protection is as good as your adversarial protection. Your assets are subject to the jurisdiction of the device.

Accident/misfortune protection

• Without backups, loss or irreversable destruction of your device means loss of your assets. Let that be a fire in your house, losing your computer while travelling, disk failure etc.

Convenience

• Use of your funds is effectively tied to the control of your device. If that is your computer at home, being out and about or even travelling makes it largely impossibly inconvenient to access your assets.

Hardware Wallet

Instead of using software to manage your private keys and thus your assets, you can use a specialized hardware device.

Adversarial protection

• Compared to a hot wallet, you greatly reduce your surface area for malicious attackers, since software can no longer access the private keys. Most hardware wallets have dedicated displays and buttons that virtually elimate the possibility of phishing and keylogging.

Betrayal of trust

• While you no longer have to (mostly) trust your machine and the software it runs, you do have to trust the manufacturer of the hardware wallet.

Institutional protection

• Same as hot wallet

Accident/misfortune protection

• Same as hot wallet, just for the wallet itself instead of your computer.

Convenience

• It is slightly less convenient to transfer funds with a hardware wallet, though arguably its also more portable.

Modifcations

While these are roughly the options you have, many people are overlooking crucial modifications that you can use to modify the trade-offs of an option

Air-gap

For Hot Wallets and Hardware Wallets, you can modify the trade-off by air-gapping the host computer, i.e. disconnect it from the public internet.

Adversarial protection

• You further decrease the surface area for software to infiltrate you and steal your private keys.

Convenience

• Obviously dealing with an air-gapped machine is more cumbersome, not only in its active use for transferring funds but also in maintaining and updating the machine.

Backups

With either Hot and Hardware Wallets, you can generally create (paper) backups.

Adversarial protection

• Your surface area increases with your choice of backup locations. For example putting a backup in a bank deposit box would open yourself up to heists on that box.

Betrayal of trust

• If you trust other parties with your backups, i.e. banks or friends, you have to trust them and their security procedures

Institutional protection

• Your backups are subject to the jurisdiction of their locations.

Accident/misfortune protection

• Instead of having a single point of failure with your machine or hardware wallet, you can diversify your risk to multiple locations.
• The integrity of your backup media is important (i.e. paper can become unreadable, disks can become corrupted)

Convenience

• Convenience slightly increases as you can gain access to your assets through your backup locations.

Fragmented backups / Multi-sig

A modification on top of the Backup modification are so-called fragmented backups based upon multi-signature procedures. Instead of every single backup being able to assert control over your assets, you will need a tunable m-out-of-n backups to be able to transfer funds.

Adversarial protection

• Attackers now have to be able to successfully attack at least m locations, greatly reducing the likelihood of a successful attack

Betrayal of trust

• A single party can not betray your trust any more, instead they would need to conspire against you

Accident/misfortune protection

• Tunable, as you can choose m and n, thus how resilient you want to be to losses of backup locations.

Institutional protection

• Like betrayal of trust, depending on the diversity of your locations, a single government might not be able to assert control over assets.

Convenience

• At least currently, fragmented backups are way less convenient due to the heightened coordination effort to assert control over your assets.

What now?

With this overview of the factors and considerations for storage strategies, I hope you can appreciate now how the trade-off you should choose depends on your circumstances. I would especially like to see more attention being paid to fragmented backups. With normal backups of even advanced setups, you effectively degrade towards the bottleneck trade-offs of your backups, i.e. your whole setup is as secure as your least-secure backup. With fragmented backups you can tune your trade-off regarding the trustworthiness and quantity of your backup locations instead of having to fully rely on the security of each location individually.

To take this even further, what if we combined this with a public identity service like Keybase? I.e. designate n other people you trust and have them sign conveniently whenever a transfer of funds needs to occur. While being over the public internet increases the attack surface area, we massively gain convenience while maintaining the primary benefit of an adversary (or government or misfortune) needing to compromise at least m people. Revokations of keys can be automatically detected and rekeyed. As far as I can tell, this could lead to quite a favorable trade-off for many situations, the equivalent of diversifying your risk. What do you think?