At the core of cryptocurrencies is the idea of self-sovereignty – the notion that users can act as their own bank. Secure your funds properly, and they'll be harder to reach than even the most well-guarded of bank vaults. Fail to do so, and you run the risk of someone remotely emptying your digital wallet.
Learning how to properly secure your digital coins is a vital step as you journey down the cryptocurrency rabbit hole. In this guide, we'll discuss some of the techniques for doing so.
What is a private key?
A private key, like a real key, unlocks your cryptocurrency for you to spend. It's just a really big number – so large that it would be impossible for anyone to guess. If you flip a coin 256 times and write down "1" for heads, "0" for tails, you'll end up with a private key. Here's one we've just generated. It's encoded in hexadecimal (using numbers 0-9 and characters a-f) for a more compact representation:
If you look that number up on Google, you'll see the only occurrence is in this article (unless it's been subsequently copied elsewhere). That should give you an idea of how truly random the number is – the odds of anyone having ever seen it before are astronomically low.
That example still doesn't do it justice. The number of possible private keys is close to the number of atoms in the known universe. In a nutshell, this is a vital security principle in cryptocurrencies like Bitcoin and Ethereum. Your coins are safe because they're hidden in a brain-meltingly large range.
If you've received funds before, you'll be familiar with public addresses, which are also strings of random-looking numbers. Those are obtained by doing some cryptographic magic on your private key to get a public key, which is hashed to get the public address.
We won't get into depth on how this is done in this article. All you need to know is that, while it's easy to generate a public address with the private key, doing the reverse is all but impossible today. That's why you can safely list your public address on blogs, social media, etc. No one can spend the funds sent to it without the corresponding private key.
If you lose your private key, you lose access to your funds. If someone else learns your key, they can spend those funds. As a result, keeping your private key away from prying eyes is of paramount importance.
You should note that wallets today rarely have just one private key – they're hierarchical deterministic (HD) wallets, meaning they can hold billions of different keys. All you need to know is a seed phrase, a collection of human-readable words that can be used to generate those keys. It may resemble the following:
strike sadness boss daring voice connect holiday vintage quantum pony stable genuine
Unless you deliberately choose to use only one private key, you'll probably be asked to back up a seed phrase when you create a new wallet. When we discuss key storage later, the term keys will be used to describe both private keys and seeds.
What we described above – with the private/public key pair – is public-key cryptography. This also allows us to make use of digital signatures, which prove that messages came from specific individuals. When you make cryptocurrency transactions, you combine your private key with a message to produce a digital signature. You can't discover the private key by looking at a signature, so, as a public address, it's safe to share.
A neat feature of digital signatures is that anyone can compare a public key with the signature to determine if the key's owner signed the message. When you spend your cryptocurrency, you typically provide a signed message saying something along the lines of "I pay X coins to Y address."
This way, you can prove that you have the right to spend certain coins. The message you broadcast (your transaction) is added to the blockchain, and everyone can check whether it's valid. All this without revealing your private key.
Hot wallets vs. cold wallets
Wallets fall into two categories: hot wallets and cold wallets. These encompass a broad range of different solutions. Now let's dive into hot and cold wallets.
A hot wallet is any cryptocurrency wallet that connects to the Internet (e.g., smartphone and desktop wallets). Hot wallets tend to provide the most seamless user experience. They are very convenient when it comes to sending, receiving, or trading cryptocurrencies and tokens. But this convenience often comes at the cost of security.
Hot wallets are inherently vulnerable because of their Internet connectivity. Though private keys aren't broadcast at any point, there's a possibility that your online device can be infected and remotely accessed by malicious actors.
This isn't to say that hot wallets are completely insecure – they're just less secure than cold wallets. Hot wallets are superior on the usability front, and thus are the generally-preferred option for holding smaller balances.
To eliminate the significant online attack vector, many opt instead to keep their keys offline at all times. They do so with cold wallets. Unlike hot wallets, cold wallets don't connect to the Internet. Let's break down the steps involved in creating and broadcasting a transaction to illustrate how this is possible.
Creating a transaction
In UTXO-based cryptocurrencies, you need a few bits of information to build a transaction. Notably, you need data on the funds you want to spend (the inputs), and the addresses you're sending to. With those, you can create a "skeleton" of a transaction. It isn't spendable yet, though. For that, you need to sign the transaction.
Signing a transaction
You need to prove to the network that you're the owner of the funds being transferred. This is where your private key comes into play. Your inputs are signed, producing a signed transaction. After signing, you can broadcast the transaction immediately, or you can wait. You can also ask someone to broadcast it on your behalf.
Broadcasting the transaction
This is the stage at which the transaction meets the blockchain network. If the signed transaction is like a cheque that hasn't been cashed yet, the broadcast is what actually moves the funds.
Interestingly, none of the previous steps need to happen on the same device. You can construct the transaction on Computer #1, sign it on Computer #2 and broadcast it on Computer #3. This principle is what cold wallets rely on. In this example, you'd generate your private keys and store them on Computer #2, which you keep offline permanently.
Computers #1 and #3 could be vulnerable to malware, but it wouldn't matter: once a transaction is signed, it cannot be modified. All that matters is that Computer #2 isn't connected to the Internet. It serves as a black box that stores the private keys and signs the transactions. In fact, Computer #3 is not even needed in this scenario – you could just broadcast from Computer #1.
Hardware wallets (such as the Trezor One or Ledger Nano S) aim to provide a better user experience while adopting a similar principle of keeping the private key offline. These are more portable, cheaper than a full PC, and custom-made for cryptocurrency storage. See What is a Hardware Wallet (and Why You Should Use One) for a more detailed explainer. The hardware wallet industry has grown considerably in recent years, bringing dozens of different offerings to the market.
Custodial vs. non-custodial
We described above the use of non-custodial wallets – those that give you full control of the keys. But if you use an online service like a cryptocurrency exchange, then, at the protocol level, you're not really in possession of your coins. Instead, the exchange holds and manages your funds on your behalf (hence the term custodial wallet). In most cases, the exchange uses a combination of hot and cold wallets to keep your coins safe.
So, if you want to trade BTC for BNB, the exchange reduces your BTC balance and increases your BNB one in its database. But there is no blockchain transaction involved. Only when you decide to withdraw your cryptocurrencies, you request the exchange to sign a transaction. They will then broadcast a transaction that sends your coins to the address you provide.
Cryptocurrency exchanges provide a much more convenient experience for users that aren't concerned with third-party custody of their funds. One of the risks of being your own bank is that no one can come to your rescue if something goes wrong. If you lose your private key, you'll never recover your funds. If you lose your account password, on the other hand, you just need to reset it.
You're still at risk of having your credentials stolen, so you need to ensure that you're taking the right precautions to secure your account (such as using two-factor authentication and a strong password).
What's the best storage option?
Unfortunately, there's no one-size-fits-all answer to that question – this would be a much shorter article if there was. The answer largely depends on your risk profile and how you use your cryptocurrency.
For instance, an active swing trader will have different requirements from a long-term HODLer. Or, if you run an institution that handles large amounts, you'd probably want a multisignature setup, where multiple users need to agree before funds can be transferred.
For regular users, it's a good idea to keep the funds you're not using in cold storage. Hardware wallets are the most straightforward options – but make sure you test them out with small amounts to get comfortable first. You'll also want to keep your keys backed up elsewhere, in case the device itself is lost or fails. Make sure that your backup is offline – some write their seed phrase down on a piece of paper and store it in a safe, while others stamp it into fire-proof metal.
Online wallets are great for small amounts that you're using to buy goods and services. If your cold storage is like a savings account, your mobile wallet is like the physical wallet that you carry around. Ideally, it should be an amount that, if lost, would not cause you serious financial issues.
For lending, staking, and trading, custodial solutions are your best bet. Before putting your funds to use, though, you should come up with a plan for how much you're allocating (e.g., with a position sizing strategy). Remember that digital currency is highly volatile, so you should never invest more than you can afford to lose.
When it comes to cryptocurrency storage, the blockchain industry today provides many interesting options. Each alternative comes with its own benefits and drawbacks, so it's important to understand the trade-offs. This way, you can get more comfortable using a combination of hot and cold wallets, according to your needs.
Learn blockchain and cryptocurrency on your schedule and completely free at