The Serious Bitcoiner’s Security and Privacy Setup for 2024

Imagine a fortress, impregnable and secure, yet entirely digital. This is what you can build to secure your Bitcoin wealth in 2024. How? The answer lies not in a single tool, but a combination of sophisticated choices and general awareness about privacy. Dive into this guide on how to construct your digital fortress, brick by brick, ensuring that your Bitcoin journey is as secure and private as a vault deep beneath a fortress in the Swiss Alps.

This condensed guide is intended for an advanced audience in the Bitcoin space, not for beginners. There are much easier ways to get started and still use and hold Bitcoin in a reasonably secure way. Beginners are welcome to consider the product recommendations below (especially the wallets) and try them out, keeping in mind that a bullet-proof set-up is difficult to achieve. If, however, you want to go all the way and secure your Bitcoin as well as you can, this guide is for you. It focuses not only on security but also on privacy, since the two are fundamentally related: in a world of self-custody, the security of your funds can be no higher than their privacy. For the same reason you do not want potential thieves to know where or how much cash you hold, you do not want the size of your Bitcoin stack to be public information.

Concretely, you will need a few items to ensure the security of your fortress and the privacy of your errands in and out of it. Let us start with the purchases. For security reasons, always procure hardware from the original manufacturer, never from third-party resellers who could have tampered with it, and follow the manufacturer's own authenticity check (tamper-evident packaging, firmware verification at first boot) before entering anything into the device. To maintain the highest standard of privacy, pay in cash or in Bitcoin via the Lightning Network. You can find the following items at any major Bitcoin conference, but you can also get them online; in that case, consider having them delivered to a parcel locker or pickup point rather than your home address, so that the purchase is not tied to where you live.

Hardware Wallet: Possibly the most important item is your vault. It generates a random mnemonic phrase (commonly called “seed words”) on your behalf and stores the private keys derived from it offline, away from online threats. Specifically, it signs transactions inside the device: your computer or phone prepares the unsigned transaction, the device shows you the amounts and the destination on its own screen, signs it, and hands back only the signed transaction for broadcasting. The private keys never leave the device, so you can move your Bitcoin without exposing them to online theft. Recommendable choices include Foundation Devices’ Passport, BitBox, Coldcard, and Blockstream’s Jade. If you opt for an alternative, ensure that the wallet is non-custodial (you alone hold the private keys) and that its code is fully open-source (so that anybody can verify that the code is sound and that no confidential data is leaked). Always confirm the destination address and amount on the device’s screen, not only on the computer: the computer is the part of the setup most likely to be compromised.

Full Bitcoin Node: Running a full node is an important step toward both security and privacy. A full node downloads and verifies every block and transaction against the consensus rules itself, so you do not have to trust anyone’s claim that a payment to you is valid and confirmed, and it contributes to the network’s strength. For privacy, point your wallet at your own node: when a wallet queries a public server instead, that server learns which addresses and transactions you are interested in, and therefore your balance. Via your own node you reveal this to nobody. Privacy-first recommendations for full Bitcoin nodes include RoninDojo, Start9, or Nodl. The latter two also run Lightning nodes (and countless other self-hosted services), which let you open Lightning channels and then pay instantly at very low fees, while keeping a higher degree of privacy for your off-chain transactions. That said, some software wallets similarly provide a built-in Lightning node, enabling you to open channels and transact directly from the app (see below). Whichever node you choose, run it over Tor where the node software offers it, so that your IP address is not linked to your transactions.

Clean Computer: A dedicated computer with minimal software, and therefore little exposure to online threats, significantly reduces risk when managing your Bitcoin. No need for a fancy model; a functional new laptop will do. For extra security, wipe the operating system (OS) and replace it with a Linux distribution (or install Linux as a dual boot and run it only for Bitcoin-related business). Do this reinstall yourself, from an installation image whose checksum and signature you have verified against the distribution’s published keys, thereby reducing the risk that a third party has added a backdoor that could spy on your activity or keys. Enable full-disk encryption during the install, so that a stolen laptop does not give up its contents. There is extensive documentation online on how to do such a clean install. While setting up your new device, install and use a VPN at all times to hide your IP address from the sites you visit. Recommendable ones include Mullvad VPN, Proton VPN, and iVPN. Bear in mind that a VPN moves trust from your internet provider to the VPN provider; for the Bitcoin traffic itself (wallet to node, node to peers), Tor is the tool the software in this guide is built around.

Privacy-First Phone: A de-Googled and hardened phone offers excellent privacy, keeping your mobile Bitcoin activities as secure and private as possible. “Hardened” means that it has been optimised to provide extra security and privacy: for example, apps are strictly sandboxed from each other, data does not leave the phone unless you want it to, and no permission (camera, microphone, location, network) is granted without your explicit consent. You can replace the standard operating system of Google Pixel phones with GrapheneOS, CalyxOS, DivestOS, or LineageOS, all of which are de-Googled. GrapheneOS, in particular, is a privacy-first, hardened OS offering state-of-the-art mobile security and privacy. It is also intuitive and user-friendly, so using it will not cost you the convenience you are used to. As with your computer, install the new operating system yourself, using the project’s official installer, and re-lock the bootloader afterwards where the OS supports it (GrapheneOS does), so that verified boot protects the phone against tampering.

Mnemonic Phrase Back-Up: The mnemonic phrase (often also called seed phrase or seed words) is a series of 12 or 24 words from which all of the wallet’s private keys are derived. Anyone holding the words (and the passphrase, if you use one) can sign transactions and therefore move the funds on the corresponding addresses; anyone who loses them loses the funds the moment the device fails. Engraving or stamping your mnemonic phrase into metal (titanium or stainless steel are best) makes the backup water-proof, fire-proof, shock-proof, and corrosion-resistant. In this sense it is superior to paper, whose resilience may fail the test of time. It would also survive an electromagnetic pulse (EMP) and is therefore safer than your favourite digital password manager in this respect. However, you remain responsible for securing it in a safe location: a metal plate protects against the elements, not against someone reading it. Brands like Seedor, Cryptosteel, Billfodl, or Coinkite’s SEEDPLATE offer high-quality steel mnemonic back-ups. You will need a few of these, so buy more than one: keep at least two copies in separate locations, so that a single fire, flood, or burglary cannot take both.

Once you have gathered these necessary bricks for your fortress, it is time to set them up the right way in order to make the fortress impregnable. Getting the right software is the next step to your security and freedom.

Wallet Interface (desktop wallet): First, you need to be able to interact with your hardware wallet from a desktop. This is where a wallet interface is necessary. Install a privacy-focused and open-source wallet on your clean computer: consider Sparrow Wallet, Electrum, or Specter Desktop. They balance ease of use with robust privacy features, giving a comprehensive and private overview of your Bitcoin holdings, and each can be connected to your own node so that your addresses are not sent to a third-party server. Where your hardware device supports it, operate it air-gapped, meaning that it never connects to the computer at all: the unsigned transaction travels to the device as a PSBT file on a microSD card or as a QR code, is signed there, and the signed transaction travels back the same way. Devices that connect by USB still keep the keys inside the secure hardware. In both cases your mnemonic phrase and private keys are never exposed to the computer, and you should confirm addresses and amounts on the device’s screen rather than trusting what the computer displays.

Mobile Bitcoin Wallet: Mobile Bitcoin wallets let you manage your Bitcoin securely, directly from your phone. For on-chain transactions on the go, Samourai Wallet offers state-of-the-art privacy and pairs well with the privacy-focused RoninDojo Tanto node. Consult RoninDojo for detailed guides on the wallet and on privacy-first digital hygiene. Additionally, a great way to engage with Bitcoin’s layer-2 solutions for faster and cheaper transactions is via Lightning wallets and Liquid wallets, which you could also consider installing. Lightning wallets let you open a Lightning channel directly from your software wallet and transact without revealing more information than necessary. Self-custodial Lightning wallets that give you a high level of privacy and security include Phoenix, Zeus, and Breez. They do not provide full anonymity, but your identity and data will be better protected than with most alternatives. Liquid is an alternative layer-2 that also enables fast transactions at very low fees. The main wallets to consider for Liquid are Aqua and Blockstream Green. Some hardware wallets come with their own mobile companion app (Foundation Devices’ Passport pairs with the Envoy app, for example), so that may be your mobile wallet of choice if you use the corresponding hardware. In any case, check each wallet’s backup settings and make sure that iCloud, Google Drive, or an equivalent cloud service is not storing your mnemonic phrase or private keys in the clear on its servers; you obviously do not want external parties (least of all big tech companies) to have access to your funds. Lightning wallets in particular need a backup of their channel state in addition to the seed, so read what the wallet actually backs up and where.

At this point, you will have gathered a bunch of passwords, passcodes, passphrases, and private keys or mnemonic phrases. At the risk of stating the obvious, securing this information is paramount. First, ensure you only use strong, random passwords, each used for exactly one purpose (do not re-use passwords). Then, store them effectively, for example in a physical safe or in a hidden (but memorable) location. Improper storage renders every other action in this article irrelevant. You need to ensure that you can retrieve them while nobody else ever could (except, possibly, your heirs in case of an accident). Striking such a balance may require some creativity but is very much achievable by anybody.

Specifically, you should have gathered the following set of information so far. The specifics will depend on the hardware and software you use, but this should give you an idea of how much information you will need to back-up.

  • For your computer:
    - A password or PIN to access the device (and the full-disk-encryption passphrase, if it is separate).
  • For your phone:
    - A password or PIN to access the device.
  • For your Bitcoin hardware wallet:
    - The mnemonic phrase, giving access to your Bitcoin on the blockchain.
    - The passphrase, if you set one: an extra secret (sometimes called the “25th word”) that is combined with the mnemonic to derive a completely different wallet. It is not stored on the device and is not checked when you enter it: a wrong passphrase simply opens another, empty wallet. Back it up separately from the words, since either one alone is useless and both together give full access.
    - A password or PIN securing the device.
  • For your full Bitcoin node:
    - A disk-encryption or device password, so that somebody who physically steals the device cannot read its wallet data or, if it also runs Lightning, the Lightning node’s keys.
    - A user password to sign in to its user interface.
  • For your wallet interface (desktop wallet):
    - A password to access the software (and, if you encrypt the wallet file, its password).
  • For your mobile software wallet:
    - A password or PIN to access the app.
    - A mnemonic phrase, passphrase, and password for your on-chain wallet.
    - Another mnemonic phrase, passphrase, and password for your Lightning wallet.

Ensure that all passwords are long, random strings: at least 16 characters, mixing letters, numbers, and non-alphanumeric characters, and genuinely random (no phrase, no dictionary words, no repetition, no dates). Eight characters, even fully random, fall to an offline attack against a fast hash in a matter of days on today’s hardware, so treat that length as acceptable only for PINs that a device locks out after a few wrong attempts. An alternative that is easier to type and to remember is a passphrase of six or more words drawn at random (with dice or a generator, never chosen by you) from a large wordlist. Password managers (recommendable ones include Bitwarden, Padloc, 1Password, or KeePassXC) can generate such passwords for you. While you may keep some passwords in the password manager, keep the most important ones, your mnemonic phrases and passphrases above all, genuinely offline: on paper or, better, engraved in a steel plate. Never store a mnemonic in a cloud-synced note or photo. If you trust your memory, you could memorise your mnemonic phrase, which would let you carry your wealth across borders without any device that could be confiscated or compromised on the way. This is unfortunately a necessary precaution for countless people currently suffering the consequences of war; memory is fragile, though, so memorisation should complement a physical backup somewhere safe, not replace it.
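To make the length advice above concrete, here is an added example (not code from the original article) that generates passwords and passphrases with Python’s CSPRNG and computes how much entropy each policy actually buys. The guess rate of 1e10 per second is a constructed assumption for an offline attacker against a fast, unsalted hash; the 94-symbol alphabet and the 7776-word Diceware list size are likewise assumptions of this example, not figures from the article.

```python
import math
import secrets
import string

# Printable ASCII minus space: 52 letters + 10 digits + 32 punctuation = 94 symbols.
# Constructed policy for this example.
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy in bits of a string of `length` symbols drawn uniformly at random
    from an alphabet of `alphabet_size`. Valid only for *random* choice: a word,
    a date, or a keyboard pattern has far less entropy than its length suggests."""
    return length * math.log2(alphabet_size)


def random_password(length: int = 20, alphabet: str = ALPHABET) -> str:
    """Use `secrets` (the OS CSPRNG). `random.choice` is a Mersenne Twister whose
    state can be reconstructed from its output, so it must never be used here."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def random_passphrase(wordlist: list, words: int = 6) -> str:
    """Diceware-style passphrase: `words` words chosen uniformly from `wordlist`.
    With a 7776-word list, 6 words give about 77.5 bits."""
    return " ".join(secrets.choice(wordlist) for _ in range(words))


def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Time to try every possibility at a given guess rate (the attacker's worst
    case; the expected time to the right guess is half of this)."""
    return 2.0 ** bits / guesses_per_second / (365.25 * 24 * 3600)


# Constructed assumption: an offline attacker with a GPU rig trying 1e10 guesses/s
# against a fast, unsalted hash. A password manager's Argon2/PBKDF2 stretching
# cuts that rate by orders of magnitude, but the ordering below does not change.
ASSUMED_GUESS_RATE = 1e10


def compare_policies() -> dict:
    """Bits of entropy and brute-force time for the lengths discussed in the text."""
    out = {}
    for length in (8, 12, 16, 20):
        bits = entropy_bits(len(ALPHABET), length)
        out[f"{length} random chars"] = (round(bits, 1), years_to_exhaust(bits, ASSUMED_GUESS_RATE))
    bits = entropy_bits(7776, 6)
    out["6 diceware words"] = (round(bits, 1), years_to_exhaust(bits, ASSUMED_GUESS_RATE))
    return out


if __name__ == "__main__":
    for label, (bits, years) in compare_policies().items():
        print(f"{label:18s} {bits:6.1f} bits  ~{years:.3g} years to exhaust")
    print(random_password(20))
    # Tiny constructed wordlist only to show the call; use a real 7776-word list.
    print(random_passphrase(["correct", "horse", "battery", "staple", "orbit", "lemon"], 6))
```

Running it shows 8 random characters at roughly 52 bits (exhausted in under a year at the assumed rate), 16 characters at roughly 105 bits (beyond any realistic attack), and a 6-word random passphrase at about 77 bits, which is why the text treats 16 characters or 6 dice-chosen words as the baseline rather than 8 characters.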

While this set-up may seem confusing to newcomers in the space, it is actually rather manageable. There are also countless resources online to help you. BTC Sessions, for example, offers excellent video guides for virtually any aspect of your Bitcoin journey. The start-up The Bitcoin Way can also help you personally with any step from beginning to end, regardless of your level of expertise, to ensure you maintain and manage your Bitcoin safely. You can set up a video call with them at any time and have them walk you through each step. Alternatively, any question you may have has likely been answered dozens of times in online videos and forums.

Best practice also suggests keeping a decoy wallet available, in case somebody physically threatens you to steal your funds. If somebody has a gun to your head and demands your hardware wallet and mnemonic phrase, at least you would have something to hand over. Hardware wallets with passphrase support make this straightforward: the wallet opened without a passphrase (or with a different one) holds a modest, plausible amount, while the bulk of your funds sits behind a passphrase that nobody else knows. Nevertheless, the best way to avoid such an unpleasant situation is not to reveal to anybody how much Bitcoin you own, or that you own any at all.

Finally, once your fortress is set up, you can consider bringing in the treasure. Bitcoin can be acquired in many different ways, each with pros and cons. One important criterion is whether the acquisition goes through a platform that requires you to complete privacy-invasive Know-Your-Customer (KYC) checks, such as sharing a proof of identity, a proof of address, and proof of the source of funds. KYC Bitcoin and non-KYC Bitcoin offer different benefits and are exposed to different risks. For instance, the former leaves you at the mercy of oppressive regimes that could try to confiscate your wealth, or of regulations that could make Bitcoin ownership illegal or heavily taxed. On the other hand, KYC Bitcoin lets you use it transparently in the future, for example as collateral for a loan or to purchase important assets (e.g., a house). The latter, in contrast, is much like digital cash, with its pros (e.g., higher privacy) and cons (e.g., not accepted everywhere). Of course, this choice depends on your personal situation, and I can only recommend making sure that all your activities are legal in your jurisdiction.

KYC Bitcoin: The traditional way to get Bitcoin (probably 99% of purchases) is the fully transparent route: Bitcoin (or cryptoasset) exchanges. Such exchanges will require all your personally identifiable information, from your legal name and birth date to copies of all relevant documents. Once you have been approved by the exchange (which typically takes less than a week), you can wire money to your account on the exchange, purchase Bitcoin, and then send it to your own Bitcoin address. It cannot be stressed enough: don’t leave your Bitcoin on exchanges! Exchanges can be hacked (e.g., Mt. Gox), fraudulent (e.g., FTX), closed by authorities, or simply go bankrupt (e.g., BlockFi). In all of these cases, you risk losing part or all of your funds. Recommendable KYC exchanges as of this writing would be 21Bitcoin (Austria), Coinfinity (Austria), or Relai (Switzerland). Alternatively, if you are comfortable having your data in American databases, consider Kraken. If you opt for another exchange, ensure that it lets you sell your Bitcoin for fiat even if you held it in self-custody beforehand. While this last point seems obvious, recent developments (mid-February 2024) led the well-known Coinbase exchange to put such restrictions in place. One can therefore no longer recommend Coinbase in good conscience.

No-KYC Bitcoin: Methods to get no-KYC Bitcoin sit at different points on the spectrum of legality, which depends on local regulations. Please familiarise yourself with the regulations you are subject to in order to ensure full compliance. The purpose of this section is, of course, not to circumvent regulations, but to ensure everybody gets access to Bitcoin, in an effort to boost financial inclusion. This is especially important for people born without a formal proof of identity (unfortunately, hundreds of millions of people across the world) or living through war-torn environments (unfortunately, also a reality for countless people). Privacy, however, should matter to everyone, as data leaks and breaches are unavoidable and you probably do not want your wealth to be common knowledge online. A straightforward way to get no-KYC Bitcoin is simply to trade cash with somebody who owns Bitcoin. Privacy-focused apps, such as Vexl, facilitate the connection between interested parties. Bitcoin meetups and conferences are also good places to meet like-minded Bitcoiners who can get you started. Additionally, some peer-to-peer trading platforms (sometimes referred to as no-KYC exchanges) let you obtain small amounts of Bitcoin while maintaining privacy. For example, consider Hodl Hodl, Exodus, or Changenow.io, noting that these platforms will still require personal information when they suspect a connection with fraud or the dark net (less than 1% of cases, and most often false alarms). More radical no-KYC exchanges also exist, such as Bisq, Blockdx, or Boltz, but they may connect you with more questionable sources of funds. The website kycnot.me lists many existing platforms and evaluates them based on their KYC policy and implementation.

There are also no-KYC ATMs that let you buy Bitcoin with cash in many locations, but they typically charge dissuasive fees (5% to 20% plus a fixed amount) and usually cap the amount you can exchange (e.g., 1,000€ per use). Bitcoin mining is also a pristine source of no-KYC Bitcoin, but the technical setup can be cumbersome and you need access to exceptionally cheap electricity to mine profitably. Finally, you can be paid in Bitcoin for work you perform. To repeat myself: ensure the legality, in your jurisdiction, of whichever practice you choose, as you may need to declare it.

Once the previous steps are complete, make sure you can actually recover your funds with nothing but your mnemonic phrase (and your passphrase, if you set one). Before sending anything, note the first receive address (or the account’s extended public key) that your wallet shows. Send a small test amount to that address. Then wipe the hardware wallet with its factory-reset function (for a software wallet: uninstall and reinstall it) and set it up again, this time choosing to restore an existing wallet from your written-down mnemonic, entering the same passphrase. The restored wallet must show the same receive address and the test funds. For extra assurance, restore the same mnemonic in a different hardware or software wallet. Note that a wrong passphrase produces no error on restore: it simply opens a different, empty wallet (and a miscopied word is only sometimes caught by the mnemonic’s built-in checksum), which is exactly why you compare addresses rather than trusting that the restore “worked”. Only once you have seen your wallet properly reinstated from the mnemonic phrase will you sleep well, knowing that the phrase is genuinely the key to your vault.
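The recovery test above, and the passphrase behaviour described in the list of secrets to back up, both come down to how a wallet turns the words into a seed. The following is an added example (not code from the article or from any of the wallets it names) that implements the BIP39 seed derivation with Python’s standard library, checks itself against the first test vector published with the BIP39 specification, and runs a “recovery drill” showing that the same words with a different passphrase open a different wallet. The `seed_id` function is a constructed identifier for comparing two restores; it is not a BIP32 fingerprint, and the example does not validate the mnemonic’s checksum, which would require embedding the 2048-word list.

```python
import hashlib
import unicodedata

# First BIP39 test vector (all-zero entropy, passphrase "TREZOR"), published with the spec.
VECTOR_MNEMONIC = ("abandon abandon abandon abandon abandon abandon "
                   "abandon abandon abandon abandon abandon about")
VECTOR_PASSPHRASE = "TREZOR"
VECTOR_SEED_HEX = ("c55257c360c07c72029aebc1b53c05ed0362ada38ead3e3e9efa3708e5349553"
                   "1f09a6987599d18264c1e1c92f2cf141630c7a3c4ab7c81b2f001698e7463b04")


def bip39_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """BIP39 seed: PBKDF2-HMAC-SHA512 over the NFKD-normalised mnemonic, with salt
    "mnemonic" + passphrase, 2048 rounds, 64 bytes out. Every key in the wallet is
    derived from this value, which is why the words (plus passphrase) are a complete
    backup, and why nothing else needs to be saved."""
    password = unicodedata.normalize("NFKD", mnemonic).encode("utf-8")
    salt = ("mnemonic" + unicodedata.normalize("NFKD", passphrase)).encode("utf-8")
    return hashlib.pbkdf2_hmac("sha512", password, salt, 2048, dklen=64)


def seed_id(mnemonic: str, passphrase: str = "") -> str:
    """Constructed short identifier of a seed, so two restores can be compared
    without printing the seed itself. Not a BIP32 fingerprint."""
    return hashlib.sha256(b"seed-id:" + bip39_seed(mnemonic, passphrase)).hexdigest()[:8]


def recovery_drill(backup_words: str, setup_passphrase: str, restore_passphrase: str) -> bool:
    """True if restoring `backup_words` with `restore_passphrase` opens the same
    wallet that was created with `setup_passphrase`. The derivation never rejects
    a passphrase: a wrong one silently yields another (empty) wallet."""
    return seed_id(backup_words, setup_passphrase) == seed_id(backup_words, restore_passphrase)


def self_check() -> bool:
    """Confirm the implementation against the published vector before trusting it."""
    return bip39_seed(VECTOR_MNEMONIC, VECTOR_PASSPHRASE).hex() == VECTOR_SEED_HEX


if __name__ == "__main__":
    assert self_check(), "BIP39 derivation does not match the published vector"
    # Same words, same passphrase: the restore opens the funded wallet.
    print(recovery_drill(VECTOR_MNEMONIC, "TREZOR", "TREZOR"))   # True
    # Same words, passphrase forgotten: a different wallet, no error raised.
    print(recovery_drill(VECTOR_MNEMONIC, "TREZOR", ""))         # False
    # Same words, passphrase with different capitalisation: also a different wallet.
    print(recovery_drill(VECTOR_MNEMONIC, "TREZOR", "Trezor"))   # False
```

The drill is the software analogue of the test in the text: before trusting a steel backup, derive from the words you actually engraved (never from the device’s display) and compare the result with the wallet you funded. The same property is what makes a passphrase-protected wallet usable as the decoy described earlier: the wallet without the passphrase is a real, separate wallet.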

The final step consists in keeping your fortress in good standing. To do so, update your software regularly, thereby patching known weaknesses. Updates should come exclusively from the original provider of the software, never from third parties, and you should verify each download against the checksums and signature the provider publishes, using a signing key you obtained earlier from a separate channel rather than from the same download page. Specifically, do not fall for scams such as phishing e-mails inviting you to “update” your software by clicking a link.
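Most of the software in this guide ships a checksum manifest alongside its releases (Bitcoin Core, for instance, publishes a SHA256SUMS file and a detached SHA256SUMS.asc signature). The check below is an added example, not code from the article or from any of those projects: it parses a manifest in `sha256sum` format, hashes the files you downloaded, and reports which ones match. The file names and contents are constructed for the demo; one of the files is altered after the manifest is written to show what a tampered download looks like.

```python
import hashlib
import tempfile
from pathlib import Path

HEX = set("0123456789abcdef")


def parse_sha256sums(text: str) -> dict:
    """Parse a SHA256SUMS manifest in `sha256sum` format: one entry per line,
    '<64 hex digits>  <filename>' (a '*' before the name marks binary mode).
    Malformed lines raise instead of being skipped, so a truncated or edited
    manifest cannot silently pass."""
    expected = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            raise ValueError(f"malformed manifest line: {raw!r}")
        digest, name = parts[0].lower(), parts[1].lstrip("*")
        if len(digest) != 64 or set(digest) - HEX:
            raise ValueError(f"bad digest for {name!r}: {parts[0]!r}")
        # A manifest is attacker-controlled until its signature is verified:
        # never let it point the checker outside the download directory.
        if "/" in name or "\\" in name or name in (".", ".."):
            raise ValueError(f"refusing path component in manifest name: {name!r}")
        expected[name] = digest
    return expected


def sha256_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """Stream the file; release archives are too large to read in one go."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_downloads(manifest_text: str, directory) -> dict:
    """Return {filename: 'ok' | 'MISMATCH' | 'missing'} for every manifest entry.
    A manifest normally lists every platform build; 'missing' just means you did
    not download that one. Install nothing unless the file you got is 'ok'."""
    directory = Path(directory)
    results = {}
    for name, digest in parse_sha256sums(manifest_text).items():
        path = directory / name
        if not path.is_file():
            results[name] = "missing"
        elif sha256_file(path) == digest:
            results[name] = "ok"
        else:
            results[name] = "MISMATCH"
    return results


def demo() -> dict:
    """Constructed scenario: a vendor manifest for three builds, of which two
    were downloaded and one was altered in transit."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        linux = tmp / "wallet-1.0.0-linux-x86_64.tar.gz"
        windows = tmp / "wallet-1.0.0-win64.zip"
        linux.write_bytes(b"constructed release bytes (linux)")
        windows.write_bytes(b"constructed release bytes (windows)")
        manifest = (
            f"{sha256_file(linux)}  {linux.name}\n"
            f"{sha256_file(windows)} *{windows.name}\n"
            f"{'0' * 64}  wallet-1.0.0-macos.dmg\n"
        )
        # Simulate a download altered after the vendor published the manifest.
        windows.write_bytes(b"constructed release bytes (windows) + injected code")
        return verify_downloads(manifest, tmp)


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{status:8s} {name}")
```

A matching hash only proves that the file you have is the one the manifest describes; if both came from the same compromised mirror they will agree. The manifest itself therefore has to be checked first, for Bitcoin Core with `gpg --verify SHA256SUMS.asc SHA256SUMS` against a developer key you imported on an earlier occasion, and only then is the hash comparison above meaningful.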

Also, ensure you remain up-to-date on developments in the Bitcoin space. Fortunately, many great resources exist. You can start with bitcoiner.guide, www.lopp.net/bitcoin-information.html, Swan Bitcoin, online content from Michael Saylor, the “What Bitcoin Did” podcast from Peter McCormack, BTC Sessions material, or the “Relai Bitcoin Podcast”. Also consider attending a Bitcoin conference in person, which will undoubtedly give you a better feel for the community. Finally, there are many other useful resources online that keep emerging: books, videos, documentaries, podcasts, peer-reviewed articles, forums, and more. Just go out there and find out what works best for you.

By following this guide, you are not just investing in Bitcoin; you are embracing a lifestyle that upholds the principles of privacy, security, and autonomy. Being a serious Bitcoiner is not just about owning Bitcoin – it’s about challenging the status quo, becoming financially independent, and safeguarding your digital sovereignty.


Disclaimer: I am not affiliated with any of the products referenced in this article and do not benefit in any way from recommending them. Note that more exhaustive analyses of Bitcoin products are available on thebitcoinhole.com. Also, while these recommendations are as good and objective as possible at the time of writing, I cannot guarantee that they will remain optimal in the future. I can therefore take no responsibility for any malfunction or loss. This article should be seen as educational only, not financial advice. As always, remember to do your own research.

Osarosemwen Francis Edo-Osagie

Always ready to render innovative and suitable ideas for business needs and services

7 months

https://t.me/Theresa232 Face to face on all can be arranged in different countries for temporary crypto and activation jobs. Flash crypto is sold transferable and tradeable. She's well recommended for this service. https://t.me/Theresa232


Congratulations on your foresight with Bitcoin and taking the initiative to provide actionable advice! As Steve Jobs once said: Stay hungry, stay foolish. Your adaptability and dedication to providing value remind us all to keep learning and growing, no matter how fast the landscape changes. Keep inspiring and navigating the Bitcoin universe!

Gaspard Dessy

CEO @ Portcities | Odoo, ERP, BI, AI | Grow your clients, revenue & profits

1 year

That's so thoughtful to provide a guide with practical advice for moving through the Bitcoin world.

Adrian Cercenia

● Bitcoin Node Runner ● People Leader ● Project Manager ● Technologist ● Air Force / Space Force Veteran ● Active TS/SCI ● Husband ● Father ● Futurist ●

1 year

Excellent article!!! In future versions, it would be great to include topics like Lightning, multi-sig, and inheritance planning.

Congratulations for your article Thomas. Your work is precious! Have you also looked into collaborative custody? This market is expanding and maturing. Happy to discuss.


More articles by Thomas Jeegers, CFA, FRM
