An Easy Guide To Use The ColdCard Bitcoin Hardware Wallet

2 years ago

How to use the ColdCard hardware wallet, a popular choice amongst Bitcoiners obsessed with security and privacy.

This is an opinion editorial by Arman The Parman, a Bitcoin educator passionate about privacy and contributor to Bitcoin Magazine.

Make sure you go through the other part “Using Bitcoin Hardware Wallets” first. I will skim through some steps and focus mostly on what is specific to ColdCard here.

This guide will be appropriate for the ColdCard Mk3 and the newer Mk4.

Purchasing

Buy the device directly from the manufacturer, Coinkite. This is mandatory; don’t buy from Amazon, Ebay or used, to eliminate the possibility of tampering by a scammer who may later attempt to steal your bitcoin. You’ll need to get a micro SD card as well (the smallest and cheapest will do) and for this Amazon is probably your cheapest option (or locally and quicker, Walmart or Target, etc, also usually carry them). You’ll need a connection cable as well, as one does not come with the device. You might have one lying around from an old phone, or just buy one.

The ColdCard Mk4 has a USB-C connection attached to the shell, and the Mk3 has a micro USB connection. You need to source your own USB cable that matches the device and your computer’s USB port type.

USB-C, Mk4; BELOW: micro USB, Mk3

For example, if you use a modern Mac, it’ll have USB-C ports like the ColdCard does, and you’ll need a cable like this:

For the Mk3 ColdCard and a computer with regular USB ports, you’ll need a cable with micro USB and regular USB, like this:

In addition to the cable, you’ll need a 5-volt charger, like the ones most phones use. You can connect your wallet to the computer for power, but we want to avoid that if we can, for optimal security.

When you place your order with Coinkite, ideally you shouldn’t ship it to your home address, as the packaging (available to see by the entire shipping distribution chain) states that the content is a “ColdCard calculator.” You don’t want to reveal to the world that you own bitcoin, and where you live. So, use a fake name, and ship it to your place of work, or a P.O. Box. This is best practice, but probably not a devastating mistake if you don’t.

Setting Up The ColdCard

When the device arrives from Canada, make sure you inspect the tamper-evident bag for any disturbance/compromise. There is also a number on the bag – keep it, as the device will require you to compare that number with a number the device provides from its memory, to ensure you are receiving the right device, and not a swapped one.

Power on the device, and read everything the device presents to you carefully. The keypad has arrows; use them to scroll down to the bottom of all messages. Sometimes at the end of a message, it will get you to press a specific number to prove you read the message. If you didn’t read that and pressed the checkmark to proceed, you’ll loop back to the start and you’ll think the device is faulty.

You’ll be given instructions to set a PIN. The naming of the PIN is unfortunate and a bit confusing, and I’ll explain. There are two PINs in fact. When you turn on your device, you’ll be entering PIN-1. You will then be presented with two “phishing” words that are unique to your device. The words will be the same each time, and you just need to confirm you recognise those words. Recognising the words confirms you put in the right PIN-1, and that the device is really yours and hasn’t been swapped without your knowledge. Once you know the device is yours, the next prompt is to enter PIN-2.

The ColdCard device calls PIN-1 the PIN prefix, and when prompted for PIN-2, it says “enter rest of PIN.”

When setting PIN-1 or PIN-2, you can choose 2-6 digits for each PIN.

You will then be presented with the option to create a new wallet or “import existing” (restore a wallet). I will go through creating a new wallet. The device will give you 24 words, one at a time. Write them down in order, and then you’ll be asked to confirm the words. Just work through the prompts. Remember to make a duplicate of these words, and store the two copies in different locations to prevent total loss from a disaster such as a fire.

Once you are finished, the device will show you the top screen, which reads “Ready to Sign.” You can then disconnect the device. Reconnect and make sure you get the hang of turning it on and entering your PIN numbers.

About Passphrases

A “wallet” has several meanings. Here I’m using it to describe the unique collection of 2^32 addresses that belong to the

  • seed phrase (words)
  • plus passphrase (your choice of text up to 100 characters)
  • plus derivation path

Those three things, when combined, create a “wallet” –> about 4.3 billion addresses each with a private key.

Don’t worry too much about the derivation path; in a way, it acts like a second passphrase, and users should just leave this as a default, usually, m/84'/0'/0'; even advanced users shouldn’t edit these in my opinion. If during any wallet creation process, the derivation path is presented to you, it is good practice to write it down, though if lost and you never changed it, it won’t be too hard to remember the “default” numbers.

Every time you turn on the ColdCard, you will have access to the 4.3 billion addresses that belong to the seed (no passphrase).

You can apply any passphrase you want (100 character limit) and when you do, the ColdCard forgets the original 4.3 billion addresses from its temporary memory (it only holds one collection of addresses at a time), and you get a fresh new set of addresses (a wallet) that belong to the original seed phrase plus the passphrase you chose.

When you turn off the device, all wallets vanish from memory (but not the seed of course). When you turn it on, you’ll be back to the original wallet with seed plus no passphrase. To get your passphrase wallet back, you have to apply the passphrase again. In this way, you can have unlimited wallets (each with 4.3 billion addresses) that are derived from a single seed phrase (which you backed up).

If you ever lose the device, you can simply buy another (or even one of a different brand name if you choose), restore the seed you have kept safe, and you’ll get your original wallet back. You can then apply any passphrase to get your passphrase wallets back (and the bitcoin in them of course). Your bitcoin is not bound to the ColdCard device, it is bound to the BIP-39 (Bitcoin Improvement Proposal 39) protocol. You can learn more about this protocol by following the instructions of this fun exercise.
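How the seed words, passphrase and derivation path combine can be seen in a few lines of Python. This is an added example, not code from the original article or from Coinkite; it follows the public BIP-39 and BIP-32 specifications, uses the published BIP-39 test mnemonic (never use it for real funds), and the function names are illustrative.

```python
import hashlib
import hmac
import unicodedata

HARDENED = 0x80000000  # BIP-32: child indices >= 2**31 are "hardened"

def bip39_seed(mnemonic, passphrase=""):
    """BIP-39: seed = PBKDF2-HMAC-SHA512(words, "mnemonic" + passphrase, 2048)."""
    words = unicodedata.normalize("NFKD", " ".join(mnemonic.split()))
    salt = unicodedata.normalize("NFKD", "mnemonic" + passphrase)
    return hashlib.pbkdf2_hmac("sha512", words.encode(), salt.encode(), 2048, 64)

def bip32_master(seed):
    """BIP-32: split HMAC-SHA512("Bitcoin seed", seed) into key and chain code."""
    digest = hmac.new(b"Bitcoin seed", seed, hashlib.sha512).digest()
    return digest[:32], digest[32:]

def parse_path(path):
    """Turn "m/84'/0'/0'" into the 32-bit child indices BIP-32 uses."""
    # Accept the typographic apostrophes that word processors substitute.
    parts = path.replace("’", "'").replace("′", "'").split("/")
    if parts[0] != "m":
        raise ValueError("path must start with m")
    indices = []
    for part in parts[1:]:
        hardened = part.endswith(("'", "h"))
        n = int(part.rstrip("'h"))
        if not 0 <= n < HARDENED:
            raise ValueError("index out of range: " + part)
        indices.append(n + HARDENED if hardened else n)
    return indices

# Public BIP-39 test-vector mnemonic (12 words); sample input, not a real wallet.
TEST_MNEMONIC = "abandon " * 11 + "about"

if __name__ == "__main__":
    for label, phrase in [("no passphrase", ""), ("passphrase TREZOR", "TREZOR")]:
        key, _chain = bip32_master(bip39_seed(TEST_MNEMONIC, phrase))
        print(label.ljust(20), "master key starts", key.hex()[:16])
    print([hex(i) for i in parse_path("m/84'/0'/0'")])
```

Every passphrase, including a mistyped one, produces a valid but different seed, so a typo opens an empty wallet rather than raising an error.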

To apply a passphrase, go to the passphrase menu, and select “edit phrase.” The 1, 2 or 3 buttons allow you to change the type of symbols to choose from. Use the up and down arrow to select the symbol, then use the left and right arrows to move the cursor to the position you want to edit. When finished, click the checkmark. But that’s not it, you still need to “apply” the passphrase to memory. Scroll to the bottom and select “apply.” Read the message. If your micro SD card is inserted, you’ll have the option to save the passphrase to the card to avoid this tedious process of typing the passphrase, but be aware you are recording sensitive information on the card and need to keep it secure.

When turning on the device at a later time, to get your passphrase wallet, you go to the passphrase menu. If your micro SD card is inserted, you can select “restore saved.” If not, you have to repeat the above process (edit phrase, and then apply).

Remember if you ever want to “export” a wallet from the device to make a watching wallet (don’t worry if you don’t know what that means for now), you need to have the right wallet in memory at the time you make the export; either the wallet with no passphrase or a wallet from one of your passphrases.

Watching Wallet

In previous articles, I explained how to download and verify Sparrow wallet, and how to connect it to your own node, or a public node. This is outside the scope of this guide, but you can follow these guides if interested. Otherwise, just read on.

Install Bitcoin Core

Install Sparrow Bitcoin Wallet

Connect Sparrow Bitcoin Wallet to Bitcoin Core

An alternative to using Sparrow bitcoin wallet is Electrum desktop wallet, but I will continue to explain Sparrow’s bitcoin wallet as I judge it to be the best for most people. Advanced users may like to use Electrum as an alternative.

To install Sparrow, follow the “Install Sparrow Bitcoin Wallet” link above and then return here.

Run Sparrow Wallet

This pop-up can be deceiving. Read it properly. The “offline” button and toggle is an image only, i.e., you can’t actually interact with it (people have tried!). Just click the next button.

Again, that yellow toggle is an image only. Read and click “Next.” And the same with the next two pop-ups, until you see this:

Here we are about to connect to a public server that belongs to Emzy. Emzy is a great guy and I wouldn’t object to connecting to his node, though best practice (which you can eventually strive for) is to connect to your own node. Click the “Test Connection” button to make sure you can connect to Emzy’s node.

Then you can click the giant blue “General” tab on the left:

All of this can be left as defaults. Go ahead and select “Create New Wallet.”

Name it something pretty:

Then click “Create Wallet”

We can set up all sorts of wallets from here. I will demonstrate two ways, one with the ColdCard directly connected by cable to the computer (this is fine, but theoretically not as good as the next method). The other is the more cumbersome way, i.e., air-gapped.

With Cable

Go ahead and connect the ColdCard to the computer and enter the PIN. Then apply the passphrase if you want that.

Then click the “Connect Hardware Wallet” button.

Then click “Scan” …

Sparrow should detect your device. Some troubleshooting if you fail at this step:

  1. Make sure you have proceeded past the PIN-entering stage on the device.
  2. If you previously connected the device to another wallet, unplugging and reconnecting may be necessary to “forget” the old connection.
  3. Make sure the USB option is not turned off in the ColdCard settings.

Now we are presented with some details about the wallet. You can copy the xpub or zpub to a file – this will allow you to restore the wallet (but no spending ability) – kind of like being able to access your bank account online but as an observer only. The xpub is still sensitive, but just not as much as the seed words and passphrase. Note the computer doesn’t know the seed phrase: that is kept hidden in the ColdCard, its primary job. Click “Apply” to proceed.

A copy of the watching wallet is going to be made on the computer and this will encrypt it. Don’t confuse “password” with “passphrase.”

Once the computer does its thinking, all the blue buttons on the left are available to you. You can click “Addresses” now and see your wallet. Even though you have 4.3 billion addresses, only the first several are shown. By the way, you also have 4.3 billion change addresses, so I should have said earlier that each wallet has 8.6 billion unique addresses.

Receiving

To receive some bitcoin, go to the Addresses tab on the left and choose one of the addresses to receive. Just right-click the address you want, and select “Copy Address.” Then go to your exchange where the money is being sent from and paste it there. Or you may give the address to a customer who can use it to pay you.

When you use the wallet for the first time, you should receive a very small amount, practice sending it to another address, either within the wallet or back to the exchange, to prove that the wallet is functioning as expected.

Once you do that, you must back up the words that you wrote down. As mentioned earlier, a single copy is not enough. Have two paper copies at least (metal is better), and keep them in two different, well-secured, locations. See “Using Bitcoin Hardware Wallets” for a full discussion on this.

Sending

When making a payment, you need to paste in the address you are paying to in the “Pay to” field. Enter the amount and you can also manually set the fee you want.

The wallet cannot sign the transaction unless the ColdCard is connected. That’s the job of the hardware wallet – to receive the transaction, sign it, and give it back, signed. Make sure when you sign on the device, you visually inspect that the address you are paying to is the same on the device, on the computer screen, and on the invoice you have (e.g., you might have received an email to pay a certain address).

Also pay attention that if you choose to use a coin that is larger than the payment amount, then the remainder will be sent back to one of your wallet’s change addresses. Some people have not known this, and looked up their transaction on a public blockchain, and thought that some bitcoin was sent to an attacker’s address, but in fact, it was their own change address.

Firmware

Installing the firmware yourself on the device is best practice, but outside the scope of this guide. There are instructions here by Coinkite.

Conclusion

This article showed you how to use a ColdCard hardware wallet in a safer and more private way than advertised – but this article alone is not enough. As I said at the start, you should combine it with the information provided in “Using Bitcoin Hardware Wallets.”

This is a guest post by Arman The Parman. Opinions expressed are entirely their own and do not necessarily reflect those of BTC Inc or Bitcoin Magazine.
