Unfortunately the "real" world has taken up all my time the past few weeks and I haven't been able to find time to finish the next part in my series about online privacy. Instead I'm posting a previously written article that has not been shared here. I appreciate your understanding.
While being entirely in control of your money is very empowering, such empowerment comes with inherent risks. With cryptocurrencies, it is up to you to protect your investments - there is no one to call to bail you out. To that end, taking the proper steps to secure your wealth is imperative. In this guide I will show you how to set up a smartphone to safely and securely store your cryptocurrencies offline and keep them out of reach of thieves and hackers.
Cold storage means keeping your private keys on a device that is not connected to the internet, so they cannot be read or stolen remotely. The most common way to do this is with a hardware wallet such as the Trezor. Hardware wallets are the most popular option, but they aren't the only one; another option is a smartphone. There are three main reasons you might choose a smartphone over a hardware wallet. First, hardware wallets are often back-ordered and not always easy to get. Second, you may already have an old smartphone lying around and don't want to pay for a new device. And third, a smartphone gives you more options, since you can install several wallets on it and store a greater variety of coins. The trade-off is that a phone holds your keys inside the same operating system that runs its apps and network stack, so it is only as "cold" as you keep it: the steps below strip the device down, and after setup it should stay powered off with its radios disabled except when you deliberately bring it online.
I will be using Android for this tutorial, but the procedure can be adapted to other platforms. When done, this will be a dedicated, single-task device. It is to be used for nothing but storing your cryptocurrencies; any other task performed on it introduces security risks.
Step 1: Prepare your phone
Remove the SIM card if your phone has one. You don’t want any cellular communications, only WiFi.
Perform a factory reset. This is typically found under Settings/Backup & Reset. A reset wipes all personal data from the device and returns it to a factory state, so obviously back up anything you need beforehand.
Create a Google Account. After resetting the device and connecting to your WiFi (make sure your WiFi is password protected), you will have to log in to a Google account during the setup process. Do not use an existing account. Instead, create a new account under a name that isn't linked to you, with a unique password you use nowhere else, and save the details for later. This account is to be used for absolutely nothing but tasks related to this device; it is also what can install apps on the phone through the Play Store, so treat it as part of the wallet's security. Also during setup, don't back up your phone to Google's servers, don't opt in to the "keep me up to date" news and offers, and don't add any billing information. When it asks you to secure your phone, choose PIN and make sure it's at least 6 digits long; I use 10. On an encrypted Android device the lock-screen credential also protects the storage encryption key, so a longer PIN directly raises the cost of brute-forcing a stolen phone. Remember, this isn't about convenience, it's about security. When prompted, choose not to show notifications when the device is locked. Lastly, don't enable any of the offered services like backups, location, bug reporting, etc.
Turn off every radio you aren't using once setup is finished. On most Android phones, swipe down twice from the top of the screen to open the quick settings panel. From there disable mobile data (with the SIM removed it is unused anyway), Bluetooth and NFC, and switch WiFi off whenever you aren't actively installing or updating software. The phone should only be on the network when you have a specific reason for it to be.
Disable unused apps. Go into Settings/Apps, swipe over to All, and uninstall or disable every app that isn't explicitly needed for using the device as offline storage. If in doubt, leave enabled all of the apps with the green Android avatar; these are system components. Also leave enabled Google Play, Google Play Services, and Google Keyboard. Don't worry: if you accidentally disable something you need, it can always be re-enabled; just make sure you've tested everything before you start moving coins to the device. It's also a good idea to reboot the phone before moving on to the next step.
Go to Settings/Security. Set the device to lock automatically after sleep (the shortest timeout you can live with), enable the "Power button instantly locks" option, disable "Make passwords visible", and leave "Unknown sources" disabled so that apps can only be installed from Google Play.
Finally, encrypt your phone. There should be an option on the Security page. It will warn you that encryption will take a long time, but since there's hardly anything installed or stored on the phone at this point, it will only take a few minutes. Newer Android versions encrypt storage by default; if the Security page reports that the device is already encrypted, you are done with this step. If there is no encryption option and no indication that the device is encrypted, don't use this device. Without encryption, anyone who gets hold of the phone can pull the raw storage contents off it without knowing your PIN, and that isn't worth the risk; you'll be better off using something else.
Step 2: Install software
Install a VPN client. While there are free ones available, I don't trust them. I use and pay for Private Internet Access (PIA); they have a strong history of protecting their customers. A VPN (virtual private network) encrypts all traffic leaving your device and routes it through the provider's server, so the sites and wallet servers you connect to see the VPN's IP address rather than your home IP. Be clear about what it does not do: the VPN provider can still see where your traffic goes, and Google still ties Play Store activity to the account on the phone, so the VPN hides your location from third parties but does not make the device "offline". If your VPN client offers a kill switch, enable it so that when the tunnel drops the phone's network access is cut entirely rather than falling back to the bare connection.
Install LastPass. LastPass is a free (with paid premium features) app that manages passwords and secure notes. The vault is encrypted on your device with a key derived from your master password before it is synced, so the LastPass servers hold only ciphertext and the service cannot read it; anyone who knows, guesses or phishes your master password can, so use a long, unique one and turn on LastPass's multifactor authentication. Since LastPass is cloud based, you can log in to your LastPass account from any computer or device. DO NOT LOSE your master password. If you lose it you potentially lose everything stored in the vault. Write it down, keep the paper somewhere physically secure, and memorize it. Do not save it as an unprotected file on your computer.
Install wallets. There are a number of wallets available on the Android platform, all with different features. Do NOT use a hosted wallet app such as Coinbase. With a hosted wallet the service holds the keys, which completely defeats the purpose of using your device for offline storage. When choosing a wallet, always prefer one that gives you a 12-word recovery phrase. That phrase is enough on its own to recreate the wallet, and every key in it, on any other device; if you ever lose your phone or it malfunctions, it is how you recover your money. The wallet that suits my needs best is Coinomi. It has a good interface, holds several of the coins I own, can be protected by a password, and has a 12-word recovery phrase.
Step 3: Backup your data
Create a new Secure Note in LastPass. Choose the Generic template and give it a name that’s not too obvious as to what it’s being used for. Make sure you check the box “Require Password Reprompt”. In the Notes section, add the following information:
Google Account info. Enter the username, email, password, and personal info of the fake account you created earlier.
Screen Lock PIN. This is the PIN you need to unlock the phone.
Wallet Info. Record the name of the wallet, its password, and most importantly, the 12-word recovery phrase. Understand what you are doing here: the recovery phrase is a complete copy of your wallet, so from this point on anyone who can open this note can take your coins. The note is only as safe as your LastPass master password and account.
Receiving addresses. Enter one receiving address for each coin in your wallet. Wallets usually have a screen that shows your addresses, often alongside the corresponding private key or a QR code for it; copy only the address. Addresses are public and safe to store, while a private key must never leave the phone. With the addresses saved in LastPass you can log in from another device and send money to your cold storage without having to power the phone on.
Backup LastPass. On your computer, log in to LastPass. While you can do this from the website, I recommend getting the browser plugin. Once logged in, click on Options/More Options/Advanced and choose Export. Choose the CSV export option and save it to your computer (if it displays in your browser window instead of offering to save a file, copy and paste the data into Notepad and then save it). Keep in mind that this CSV is a plaintext copy of your entire vault, recovery phrase included, so the next steps matter. If you don't have 7-Zip, you'll need to install it. Open 7-Zip and navigate to the export file you saved. Select the file and click Add. On the setup screen choose the 7z archive format (7-Zip's zip encryption defaults to the weak ZipCrypto scheme, while the 7z format uses AES-256), enter a strong password (don't lose this password!), tick "Encrypt file names", and click OK. In the same location as your export file you will now have an encrypted .7z volume containing the export, which can't be opened without the password. Save the .7z file to a secure location, and keep a copy on a thumb drive or other removable storage. Lastly, get rid of the original, unencrypted export file. Holding the shift key while deleting bypasses the Recycle Bin, but it does not erase the data: the bytes stay on disk until the space is reused and can be recovered with ordinary undelete tools. Overwrite the file with a secure-delete utility before removing it, or better, do the whole export on a machine with full-disk encryption enabled so the plaintext never touches an unencrypted disk.
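To make the "overwrite before delete" point concrete, here is an added example (not code from the original post or from LastPass or 7-Zip) that writes a constructed stand-in for the plaintext CSV export to a temporary file, overwrites it in place with random bytes, syncs each pass to the device, and only then unlinks it. The export contents and file name are constructed for the example.

```python
import os
import secrets
import tempfile

# Constructed stand-in for a password-manager CSV export. A real export would
# hold the whole vault in plaintext, the wallet recovery phrase included.
CONSTRUCTED_EXPORT = (
    "url,username,password,extra,name,grouping,fav\n"
    "http://sn,,,Wallet: example-wallet / 12 words: word1 word2 ... word12,"
    "Phone note,,0\n"
)


def overwrite_and_delete(path, passes=2):
    """Overwrite the file in place with random bytes, flush each pass to the
    device, then unlink it. Returns the number of bytes overwritten per pass.

    Best effort only: on SSDs, flash storage and copy-on-write or journaling
    filesystems the OS may put the new bytes somewhere else and leave the old
    ones intact, so full-disk encryption is the real safeguard; this just
    closes the "Shift+Delete leaves the bytes on disk" gap on a plain HDD."""
    size = os.path.getsize(path)
    with open(path, "r+b") as fh:
        for _ in range(passes):
            fh.seek(0)
            fh.write(secrets.token_bytes(size))
            fh.flush()
            os.fsync(fh.fileno())
    os.remove(path)
    return size


def export_then_scrub(contents=CONSTRUCTED_EXPORT):
    """Simulate the export: write the plaintext CSV to a temp file, scrub it,
    and report (bytes overwritten, whether the file still exists)."""
    fd, path = tempfile.mkstemp(suffix=".csv")
    with os.fdopen(fd, "w", encoding="utf-8", newline="") as fh:
        fh.write(contents)
    overwritten = overwrite_and_delete(path)
    return overwritten, os.path.exists(path)


if __name__ == "__main__":
    n, still_there = export_then_scrub()
    print(f"overwrote {n} bytes per pass; file still present: {still_there}")
```

The pass count is deliberately small; modern drives gain nothing from dozens of passes, and the limitation noted in the docstring is the reason to prefer an encrypted disk over any number of overwrites.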
Step 4: Test your setup
On the computer or device where you hold your existing currencies, log in to LastPass, find the Secure Note you created in Step 3 and open it. Copy the address of the coin you want from the Secure Note and use it to send a small test amount; do not move anything substantial yet. Turn the phone's WiFi on, open your wallet, let it sync, and verify that the incoming transaction appears and confirms.
Then wipe the wallet and restore it from your 12-word recovery phrase. If it restores properly, shows the correct balance and shows the same receiving addresses you saved in LastPass, you can be confident in your setup and may start transferring your money to the device. You may need to set a new wallet password after restoring, so check this.
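Why the recovery phrase in your LastPass note deserves exactly the same protection as a private key, and why the wipe-and-restore check above matters, as an added example that is not code from the original post or from Coinomi. It implements the two public derivation steps that a wallet following the BIP39 and BIP32 standards performs: phrase (plus optional passphrase) to seed, and seed to master private key. That the post's wallet follows these standards is my assumption; the post never names them. The phrase used is the all-zero-entropy phrase from the published BIP39 reference vectors, chosen because its seed is public knowledge, and "TREZOR" is the passphrase those vectors use; neither belongs to a real wallet.

```python
import hashlib
import hmac
import unicodedata

# Constructed input: the all-zero-entropy phrase from the BIP39 reference
# test vectors. Its seed is published, which is the only reason it is safe
# to put in a script. Never type a real recovery phrase into anything but
# your wallet.
TEST_PHRASE = ("abandon " * 11 + "about").strip()
TEST_PASSPHRASE = "TREZOR"  # the optional extra passphrase the standard allows


def mnemonic_to_seed(mnemonic, passphrase=""):
    """BIP39 seed: PBKDF2-HMAC-SHA512, 2048 rounds, 64 bytes out, with the
    NFKD-normalised phrase as the password and "mnemonic" + passphrase as
    the salt. No wordlist is involved here: the words themselves are the
    secret, so anyone holding the note holds the seed."""
    words = unicodedata.normalize("NFKD", " ".join(mnemonic.split()))
    salt = unicodedata.normalize("NFKD", "mnemonic" + passphrase)
    return hashlib.pbkdf2_hmac(
        "sha512", words.encode("utf-8"), salt.encode("utf-8"), 2048, dklen=64
    )


def seed_to_master_key(seed):
    """BIP32 master node: HMAC-SHA512 keyed with the literal "Bitcoin seed".
    Left 32 bytes are the master private key, right 32 bytes the chain code.
    Every address the wallet will ever show is derived from these two values."""
    digest = hmac.new(b"Bitcoin seed", seed, hashlib.sha512).digest()
    return digest[:32], digest[32:]


def master_key_from_phrase(mnemonic, passphrase=""):
    """Recovery phrase in, (master private key, chain code) out."""
    return seed_to_master_key(mnemonic_to_seed(mnemonic, passphrase))


def same_wallet(phrase_a, phrase_b, passphrase=""):
    """True if two phrases restore to the identical wallet. One wrong word
    yields an unrelated wallet with an empty balance, which is what the
    wipe-and-restore test in Step 4 is there to catch before real funds move."""
    return master_key_from_phrase(phrase_a, passphrase) == master_key_from_phrase(
        phrase_b, passphrase
    )


if __name__ == "__main__":
    seed = mnemonic_to_seed(TEST_PHRASE, TEST_PASSPHRASE)
    print("seed:", seed.hex())  # c55257c3...e7463b04 for the reference vector
    key, chain = seed_to_master_key(seed)
    print("master private key:", key.hex())
    print("one word changed, same wallet?",
          same_wallet(TEST_PHRASE, TEST_PHRASE.replace("about", "above")))
```

Everything in this derivation is deterministic and public; the only secret input is the phrase. That is the whole point: a 12-word phrase sitting in a cloud note is functionally a copy of the wallet, and the restore test confirms the copy is exact before you depend on it.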
Your smartphone is now configured for offline storage. All that's left to do is to turn WiFi off, power down the phone, remove the battery if possible, and store it in your safe or another secure location. It's also a good idea to power the phone up every once in a while, with WiFi still off unless you are deliberately updating it, to make sure everything still works.
I hope you found this guide to be helpful, and as always, I greatly appreciate your comments and criticisms!
Author: Chris Webb
Another great post! Do you use a dedicated smartphone for this? What are the minimum hardware requirements? Just thinking, older phones don't always have access to the latest security patches, so getting a very cheap newer model may be safer.
Yes, my phone wallet is a dedicated device. It should be used for nothing at all other than managing your wallet. Regarding the age of the device, newer is typically better but older phones should be ok provided you remove all the unnecessary apps and encrypt it.