
Topic: Electrum multisig for long-term cold storage (Read 521 times)

hero member
Activity: 714
Merit: 1010
I would try to avoid whenever possible (sometimes it's unfortunately not) security by obscurity setups. Obscurity hasn't proven to be superior over transparency. Security by transparency is more likely to reveal flaws than by obscurity. And don't try encryption in some home-brewed way because there's too much that will go wrong. Leave decent encryption design and algorithms to encryption experts.
legendary
Activity: 2212
Merit: 7064
Totally with you there. I just meant that a dedicated air gapped HD wallet is going to offer the same security (if not more) than an air gapped encrypted PC.
This should be true in theory, simply because the attack vector for airgapped hardware wallets is usually smaller than for general purpose computers/laptops.
And there is a big advantage that hardware wallets can be almost fully open source, which is something very hard to achieve for laptops, but it's not impossible.
I don't see any reason why we can't use both devices and combine them in some good multisig setup.

When we make a general comparison, encryption increases your security, so you cannot say the opposite or the same.
Not all encryptions are always good, and sometimes they can damage your security.
Telegram claims they are encrypting something, but nobody can verify their claims, and we know many examples of broken encryption in the past.
I also remember a case of "encrypted" phones used by criminals and created by a three letter government agency.


legendary
Activity: 2268
Merit: 18503
An airgapped computer with full disk encryption still has its weak spots: the bootsector and bootloader are not encrypted, an attacker with physical access could inject some password stealing malware there. Probably an easier attack vector than passing barriers of an airgapped hardware wallet or hardware wallet in general.
There are plenty of mitigations against this, such as UEFI secure boot. And even without these, an attacker would need to know exactly what they are looking for and would need access to your device undetected on multiple occasions, which should be easily prevented. If someone is willing to break into your house more than once to do this, then they are probably also willing to just hit you with a $5 wrench.

Also, there have been many physical attacks demonstrated against a variety of hardware wallets, which only require access to the device once and while still technical probably require less expertise than compromising the bootloader on a fully encrypted device. One such example: https://blog.ledger.com/Unfixable-Key-Extraction-Attack-on-Trezor/

Anyway, I wouldn't bother about this too much. If you have to fear something like this, you're likely screwed already.
Exactly.

Would be even more specialized and targeted attack by this route, but who knows what three letter agencies have access to. Don't want to stir a soup whose ingredients I don't know, though.
Who knows what three letter agencies are putting in the chips being supplied to hardware wallet manufacturers?
hero member
Activity: 714
Merit: 1010
I think we digress a little bit off the topic here. I want to add a few bits of opinion. An airgapped computer with full disk encryption still has its weak spots: the bootsector and bootloader are not encrypted, an attacker with physical access could inject some password stealing malware there. Probably an easier attack vector than passing barriers of an airgapped hardware wallet or hardware wallet in general.

This would be a very targeted attack, kind of an evil maid thing to gain access to the disk encryption passphrase.

Anyway, I wouldn't bother about this too much. If you have to fear something like this, you're likely screwed already.

Next bad thing in computers are the Intel ME and whatever it's called on AMD platforms. My knowledge is limited here, but AFAIR the ME is kind of a separate computer (or microcontroller) in a computer. To my knowledge beyond the control of the main OS.
Would be even more specialized and targeted attack by this route, but who knows what three letter agencies have access to. Don't want to stir a soup whose ingredients I don't know, though.
sr. member
Activity: 406
Merit: 443
Totally with you there. I just meant that a dedicated air gapped HD wallet is going to offer the same security (if not more) than an air gapped encrypted PC.
When we make a general comparison, encryption increases your security, so you cannot say the opposite or the same.

The air gapped system depends on how well you know how to create it properly and use the proper wallet. If you use a closed source wallet inside it, it's like you've done nothing. If you implement it correctly, all you have to worry about is device failure, forgotten seeds/passwords, and physical attacks. Adding a layer of encryption will enhance your security in terms of physical attacks, all you have to do is make sure the seeds are saved correctly and use a multi-signature wallet to reduce the risk of you losing a seed.

Almost maximum security is an encrypted air gapped system with a multi-signature electrum wallet, one of those signatures is a hardware wallet and good seed distribution.
legendary
Activity: 2268
Merit: 18503
I just meant that a dedicated air gapped HD wallet is going to offer the same security (if not more) than an air gapped encrypted PC.
It depends on the hardware wallet. If you are using a permanently airgapped device like a Passport, then maybe. If you are using a device which connects to an internet enabled computer like a Trezor or a Ledger, then no.

It also depends on your threat model. Against remote electronic attacks, the security might be similar. Against physical attacks, an airgapped laptop is superior. There have been multiple attacks against multiple hardware wallets which have demonstrated seed extraction. I'm not aware of a single successful attack at extracting data from a drive running full disk encryption done properly. If an attacker sees a hardware wallet, they know you have coins worth stealing. If they see an encrypted laptop, they have no idea what is on it. I can even use hidden volumes to decrypt it to decoy "sensitive" data.
jr. member
Activity: 59
Merit: 31
Totally with you there. I just meant that a dedicated air gapped HD wallet is going to offer the same security (if not more) than an air gapped encrypted PC.
hero member
Activity: 714
Merit: 1010
Same security compared to what exactly?

I had software hot wallets on a system that wasn't used for anything else. Strictly reduced to the minimum, not used for daily stuff. I was aware that this isn't safe but I'm able to keep my machines at home safe enough, the past has proven, no issues with viruses, malware or other nasty things. (I think I'm not yet overconfident, I hope. It's just practice and knowledge of security related computer stuff. Don't be reckless and question crazy offers...)

But I knew, I shouldn't keep it that way. I experimented first with a PiTrezor I assembled myself. Just to get a feel to use a hardware wallet. Then I bought a "real" open-source hardware wallet. Still in the play & experiment phase but getting more and more familiar with it. Until I have my "secure" setup, I moved my wallets to an air-gapped encrypted laptop (yes, I know, that doesn't make them cold, but they're less exposed for sure).

I still need to figure out how I want to deal best with some of the points of my risk assessment that are important to me. Don't want to go too crazy, but don't want to go too easy either. Still reading books like what's available at https://smartcustody.com.
jr. member
Activity: 59
Merit: 31
Interesting. The way I see it, if you're storing coins on a multisig setup with open source hardware wallets, this should offer the same security (maybe more secure?).
legendary
Activity: 2268
Merit: 18503
Do you keep your private keys on hardware wallets, or are they stored on your hard drive? My wallet files are watch only, but with the master fingerprints so that I can use them to sign from an air gapped device.
I use a combination.

I have small amounts of coins in hot wallets on both mobile and desktop. I used to use a number of different hardware wallets, but given the number of hardware wallets over the last few years that have been shown to have critical vulnerabilities, data leaks, horrendous privacy features such as implementing KYC exchanges or supporting AOPP, horrendous security features such as online back up, and so on, I've pretty much abandoned them all. The vast majority of my coins are stored in permanently airgapped devices using full disk encryption.
jr. member
Activity: 59
Merit: 31
I use my wallets on a Linux system with full disk encryption. Stealing the device should prevent an attacker from gaining access to the filesystem. I do wallet password protection even for watch wallets, just a habit I don't want to break with. I only make an exception if I do something with a test wallet which doesn't control any worth.

Even my Testnet Bitcoin wallets are password protected, but not with my stronger passwords. For convenience I relax password strength where appropriate.

Do you keep your private keys on hardware wallets, or are they stored on your hard drive? My wallet files are watch only, but with the master fingerprints so that I can use them to sign from an air gapped device.
legendary
Activity: 2268
Merit: 18503
I use my wallets on a Linux system with full disk encryption.
I also use this on all my drives, but of course remember that this only protects the disk at rest. If the drive is in use, such as it would be if you are running Core, then it is obviously decrypted and susceptible to physical or electronic intrusion. This is why, like you, I still password protect/encrypt all my individual wallet files as well.
hero member
Activity: 714
Merit: 1010
I use my wallets on a Linux system with full disk encryption. Stealing the device should prevent an attacker from gaining access to the filesystem. I do wallet password protection even for watch wallets, just a habit I don't want to break with. I only make an exception if I do something with a test wallet which doesn't control any worth.

Even my Testnet Bitcoin wallets are password protected, but not with my stronger passwords. For convenience I relax password strength where appropriate.
legendary
Activity: 2268
Merit: 18503
My node (separate machine) is connected to my wallet via Tor, but the computer that has Sparrow installed is still connected to the internet. Does the above advice still stand?
Although some VPNs bundle some anti-malware capabilities, VPNs shouldn't be relied on to prevent your computer being hacked or targeted with malware. If you want to do other bitcoin related things on that computer which you don't want your ISP to know about, such as use this forum, use block explorers, check fees, etc., then a VPN might be worthwhile, although Tor would probably still be better.

None of my private keys are kept in the wallet files. They just contain the xpubs and master fingerprints. The private keys are stored in hardware wallets.
I see. In that case the concern is a privacy one, rather than a security one. If someone hacked your device or physically accessed your device, password protection on your Sparrow wallets might prevent them from viewing your wallets, addresses, transactions, etc. (This could of course directly lead to a security risk if the attacker then decides you own enough bitcoin to make you a target for further attacks.) Personally, I password protect/encrypt everything, even watch only wallets.
jr. member
Activity: 59
Merit: 31
Thanks for the reply.

Quote
No, it wouldn't make any meaningful difference if you are already doing everything over Tor.

My node (separate machine) is connected to my wallet via Tor, but the computer that has Sparrow installed is still connected to the internet. Does the above advice still stand?

Quote
The descriptors that Sparrow creates only contain xpubs, and therefore are watch only and cannot be used to sign anything. You should definitely still password protect your wallet files which contain your seed phrases/private keys.

None of my private keys are kept in the wallet files. They just contain the xpubs and master fingerprints. The private keys are stored in hardware wallets.

Quote
That's right. The descriptor file will contain the xpubs for all your co-signers. Personally, I would still back up the xpubs alongside each seed phrase back up though, in the manner I describe here which maintains your privacy at the same time: https://bitcointalksearch.org/topic/m.62443533

Thanks for this.
legendary
Activity: 2268
Merit: 18503
1. Currently I connect my wallet to my node running a private Electrum server over Tor. Would running a VPN on my local machine also help against malicious attacks?
No, it wouldn't make any meaningful difference if you are already doing everything over Tor.

2. Sparrow recommends a password for your wallet files. However, if I'm not encrypting the wallet descriptor files, is there any point to this?
The descriptors that Sparrow creates only contain xpubs, and therefore are watch only and cannot be used to sign anything. You should definitely still password protect your wallet files which contain your seed phrases/private keys.

3. Am I right in thinking that if I have my descriptor file, and the necessary quorum of seedphrases/working HD wallets, I will always be able to access my funds?
That's right. The descriptor file will contain the xpubs for all your co-signers. Personally, I would still back up the xpubs alongside each seed phrase back up though, in the manner I describe here which maintains your privacy at the same time: https://bitcointalksearch.org/topic/m.62443533
jr. member
Activity: 59
Merit: 31
I'm revisiting this topic as last night I had a major issue with Casa. Their servers went down, and the only way I was able to sign was with the setup I recreated in Sparrow. It brought home how vulnerable I was in relying on a third party, and how antithetical it is to the whole point of bitcoin.

So, I'm going to fully self custody from this point on. I am pretty confident in my ability to manage multisig via Sparrow, having kicked the tires on it over the past 6 months. I want to ensure I run the setup in the safest possible way, however.

1. Currently I connect my wallet to my node running a private Electrum server over Tor. Would running a VPN on my local machine also help against malicious attacks?

2. Sparrow recommends a password for your wallet files. However, if I'm not encrypting the wallet descriptor files, is there any point to this?

3. Am I right in thinking that if I have my descriptor file, and the necessary quorum of seedphrases/working HD wallets, I will always be able to access my funds?

Thanks!

jr. member
Activity: 59
Merit: 31
Thank you both. That confirmed what I had been thinking. I have been playing around with paper multisig in Electrum for a while now - I always make sure to note the derivation paths.

I am going to establish a hardware multisig setup using open source wallets - 2 Coldcards and 1 Passport. I'll probably stress test it and play around with it first before I migrate from Casa.
legendary
Activity: 2268
Merit: 18503
However, I had always thought that, so long as I have all seed phrases to fulfil a quorum, it doesn't matter whether the vendors create changes that disrupt the devices' multisig capabilities?
That's correct. The hardware wallets are simply storing the seed phrases and private keys, and interacting with the wallet software you are using. Should a hardware wallet manufacturer accidentally break the way they interact with your software, then you can simply take the seed phrase back up and import it somewhere else which is still working as intended.

The biggest potential issue here (outside of importing seed phrases into pieces of software and therefore risking exposing them) would be knowing which derivation path your hardware wallets have used for your multi-sig wallet.
legendary
Activity: 2170
Merit: 1789
Just thinking about this again after watching Jameson Lopp's interview with Peter McCormack. He makes the point that Casa help protect against "breakable changes" that could happen if wallet vendors make a bad update to their software. However, I had always thought that, so long as I have all seed phrases to fulfil a quorum, it doesn't matter whether the vendors create changes that disrupt the devices' multisig capabilities.
Isn't Casa just a multi-sig platform where they hold one of your keys and allow you to add more keys/switch devices later on? I don't think you need Casa to protect you from malfunctioning hardware as long as you have the backup. You can replace Casa with another multisig device and you would still be fine. Not to mention you need to pay to use their multisig service.

You can check out their how it works page[1] and replace the "hardware lost" with "broken hardware" and the graph will look the same. He is not wrong when he said Casa can protect their users from bad updates, but Casa is not the only option. A user can also wait for reviews before deciding to upgrade their software, or just use an open-source HW wallet where they can modify it whenever they want to. As long as they keep the backups they should be fine. CMIIW.

[1] https://keys.casa/how-it-works/
jr. member
Activity: 59
Merit: 31
Quote
I would also be careful making any multisig setup with hardware wallets like ledger or trezor, that are not fully supporting it or they shown some issues in past.

Just thinking about this again after watching Jameson Lopp's interview with Peter McCormack. He makes the point that Casa help protect against "breakable changes" that could happen if wallet vendors make a bad update to their software. However, I had always thought that, so long as I have all seed phrases to fulfil a quorum, it doesn't matter whether the vendors create changes that disrupt the devices' multisig capabilities?
jr. member
Activity: 59
Merit: 31
December 11, 2022, 08:02:58 AM
#25
Ah got it, thank you.
legendary
Activity: 2268
Merit: 18503
December 11, 2022, 07:13:14 AM
#24
Why is this? I had assumed that if all three HD were corrupt I could just import the seeds into three new devices.
You can of course, provided you have three new devices in which to import your seed phrases.

If you were in the situation where your hardware wallets were lost/stolen, and you needed access to your coins urgently (before you had time to order three new hardware wallets and wait for their delivery or purchase three second hand laptops or similar), then your only option would be to recover all the seed phrases into the same wallet.
jr. member
Activity: 59
Merit: 31
December 11, 2022, 05:51:54 AM
#23
Quote
if your hardware wallets have issues you may have to recover every back up to the same device

Why is this? I had assumed that if all three HD were corrupt I could just import the seeds into three new devices.
jr. member
Activity: 59
Merit: 31
December 06, 2022, 10:25:13 AM
#22
Quote
Seems reasonable. When you say "one key kept nearby", is this on another device or just on paper? Because as above, if you need to import this key on to the same device which is already holding another key every time you want to spend, you are losing much of the benefit of a multi-sig, which is to spread your keys across different devices and remove a single point of failure.

I mean one key would be kept on a HD nearby. Though having one key permanently on the signing machine obviously means you are particularly vulnerable in a 2-of-3 setup. Maybe best to not have one key on the signing device.

----

One question that I just thought of is, could an air gapped HD that can sign with a QR code (such as Passport or KeyStone) sign an Electrum multisig transaction remotely?
legendary
Activity: 2268
Merit: 18503
December 06, 2022, 08:50:34 AM
#21
But I guess so long as I have the backups for the wallets, it doesn't matter so much if the HDs have issues? Yes, I'm thinking about air gapped wallets/general setup.
As long as you have your back ups you will be able to recover your wallets, but if your hardware wallets have issues you may have to recover every back up to the same device, which removes the security of a multi-sig wallet.

Keeper (https://www.bitcoinkeeper.app/) seem to be developing something that probably suits what I'm looking for. It's still in testnet mode however.
Is it open source? They link to a GitHub, but it doesn't seem like any of the repositories are for that wallet.

This would seem to be better than a single sig wallet with multiple backups as there is no single point of failure.
Seems reasonable. When you say "one key kept nearby", is this on another device or just on paper? Because as above, if you need to import this key on to the same device which is already holding another key every time you want to spend, you are losing much of the benefit of a multi-sig, which is to spread your keys across different devices and remove a single point of failure.
jr. member
Activity: 59
Merit: 31
December 06, 2022, 03:50:13 AM
#20
Quote
I would also be careful making any multisig setup with hardware wallets like Ledger or Trezor that are not fully supporting it or have shown some issues in the past.
Other hardware wallets are much better for multisig, especially if they are airgapped like Passport or Keystone.

But I guess so long as I have the backups for the wallets, it doesn't matter so much if the HDs have issues? Yes, I'm thinking about air gapped wallets/general setup.

Quote
can't recommend specific wallets for iOS since I've never used any myself, but there will be a number of wallets which support multi-sig which could be used to make your phone one part of a multi-sig wallet. A subset of those wallets which support multi-sig will also have support for your chosen hardware wallet, if instead you want to make your hardware wallet one part of a multi-sig but interface with it via your phone.

Keeper (https://www.bitcoinkeeper.app/) seem to be developing something that probably suits what I'm looking for. It's still in testnet mode however.

----

I'm now thinking about the following setup:

An air-gapped machine that I use to sign. One key kept on there, and one key kept nearby.

An online machine with a watch-only wallet. Importing the transactions to the air-gapped machine to sign, importing the signed transactions to the online machine and broadcasting.

Backups (seeds and wallet file) and one other key kept remotely.

This would seem to be better than a single sig wallet with multiple backups as there is no single point of failure.
legendary
Activity: 2268
Merit: 18503
December 05, 2022, 03:48:51 PM
#19
So, Electrum doesn't seem to have an iOS app. I'm trying Bluewallet, but it seems it's impossible to use with a Trezor One or Ledger.

I'm at a loss as to how to incorporate a key on my phone into a multisig setup.
Well, that depends if you want to use a key stored on your phone, or if you want to use a key stored on a hardware wallet which you access via your phone.

I can't recommend specific wallets for iOS since I've never used any myself, but there will be a number of wallets which support multi-sig which could be used to make your phone one part of a multi-sig wallet. A subset of those wallets which support multi-sig will also have support for your chosen hardware wallet, if instead you want to make your hardware wallet one part of a multi-sig but interface with it via your phone.
legendary
Activity: 2212
Merit: 7064
December 05, 2022, 03:48:37 PM
#18
Thank you all for your replies. I guess the most fail-safe way of creating an inviolable multisig wallet would be to do it through Bitcoin Core? Given that that is likely above my technical capabilities at present, I could just keep a copy of Electrum backed up.
You can use any wallet you want but I don't think Bitcoin Core is a good option unless you are already running your own node; you will have to wait a very long time for the sync to complete and the blockchain to be downloaded.
I would also be careful making any multisig setup with hardware wallets like Ledger or Trezor that are not fully supporting it or have shown some issues in the past.
Other hardware wallets are much better for multisig, especially if they are airgapped like Passport or Keystone.

So, Electrum doesn't seem to have an iOS app. I'm trying Bluewallet, but it seems it's impossible to use with a Trezor One or Ledger.
One more option for Android wallet would be Airgap.it that is open source, but this wouldn't be my primary choice.
I think it's working for multisig setup, but I can't vouch for this.
jr. member
Activity: 59
Merit: 31
December 05, 2022, 03:13:18 PM
#17
Quote
BlueWallet works with Coldcard and CoboVault. According to the information on their website, it only works with hardware wallets that support PSBTs.

Blockstream Green has support for hardware wallets. You could try that one.
Mycelium does as well but it doesn't work with iOS devices.

Thanks for this.
legendary
Activity: 2730
Merit: 7065
Farewell, Leo. You will be missed!
December 05, 2022, 11:57:47 AM
#16
I'm trying Bluewallet, but it seems it's impossible to use with a Trezor One or Ledger.

I'm at a loss as to how to incorporate a key on my phone into a multisig setup.
BlueWallet works with Coldcard and CoboVault. According to the information on their website, it only works with hardware wallets that support PSBTs.

Blockstream Green has support for hardware wallets. You could try that one.
Mycelium does as well but it doesn't work with iOS devices.
jr. member
Activity: 59
Merit: 31
December 05, 2022, 09:01:14 AM
#15
I'm not sure what you mean by a "mobile key", but you can certainly use Electrum on mobile to generate and restore one part of a multi-sig wallet.

Yes, I mean a key that is held on the mobile phone.



So, Electrum doesn't seem to have an iOS app. I'm trying Bluewallet, but it seems it's impossible to use with a Trezor One or Ledger.

I'm at a loss as to how to incorporate a key on my phone into a multisig setup.
legendary
Activity: 2268
Merit: 18503
December 05, 2022, 08:43:30 AM
#14
Can I generate a mobile key in Electrum? That would definitely address the access issue.
I'm not sure what you mean by a "mobile key", but you can certainly use Electrum on mobile to generate and restore one part of a multi-sig wallet.

Yes, I guess I was thinking along the lines of redundancy. However, I hadn't factored in the scenarios where without the custodied keys you would only need to lose two items to prevent access to the wallet.
Yeah, you should always have more than one back up of every part, so for a 2-of-3 multi-sig that means at a minimum 6 different back ups. With such a scenario, you could lose any 3 back ups and still regain access to your wallet.
jr. member
Activity: 59
Merit: 31
December 05, 2022, 07:42:40 AM
#13
Quote
It seems to me you could achieve the same with a 2-of-3 multi-sig involving your mobile phone, a hardware wallet, and a paper wallet/back up stored somewhere else which would take a bit of time to be accessed.

Interesting, I didn't think this was possible. Can I generate a mobile key in Electrum? That would definitely address the access issue.

Quote
I don't follow your meaning here. 2-of-3 is always 2-of-3, regardless of how many back ups you generate or where those back ups are stored.

Yes, I guess I was thinking along the lines of redundancy. However, I hadn't factored in the scenarios where without the custodied keys you would only need to lose two items to prevent access to the wallet.

Quote
It's not the recovery process that is the issue with closed source wallets. It's that you have no idea how the wallet was generated in the first place. Did it use a poor source of entropy? How do you know it didn't give you a seed phrase from a list of possible seed phrases that someone else possesses? How do you know it hasn't transmitted your seed phrase to Casa's servers or some other third party? These are not just hypotheticals - these are all things that have happened in the past with closed source wallets.

I really hadn't considered any of this, thank you. I'm definitely erring on the side of setting up an entirely self-sovereign multisig.
legendary
Activity: 2268
Merit: 18503
December 05, 2022, 07:24:49 AM
#12
Closed source, yes. But I have all the derivation paths and xpubs for the multisig address that I can import to an open source wallet.
It's not the recovery process that is the issue with closed source wallets. It's that you have no idea how the wallet was generated in the first place. Did it use a poor source of entropy? How do you know it didn't give you a seed phrase from a list of possible seed phrases that someone else possesses? How do you know it hasn't transmitted your seed phrase to Casa's servers or some other third party? These are not just hypotheticals - these are all things that have happened in the past with closed source wallets.

I'm also not sure a completely self custodied 2 of 3 setup beats a collaborative 3 of 5 setup.
Well, that's a personal decision, but I would always opt for the set up which does not depend on third parties.

Establishing a completely self custodied 2 of 3 would essentially be a 2 of 6 if my seeds were also dispersed.
I don't follow your meaning here. 2-of-3 is always 2-of-3, regardless of how many back ups you generate or where those back ups are stored.

In an emergency situation, I'd use the mobile key, the Casa sovereign recovery key (which comes with a 48-hour delay to avoid wrench attacks) and the one HD. This seems to retain the benefits of a multisig setup.
It seems to me you could achieve the same with a 2-of-3 multi-sig involving your mobile phone, a hardware wallet, and a paper wallet/back up stored somewhere else which would take a bit of time to be accessed.
jr. member
Activity: 59
Merit: 31
December 04, 2022, 02:12:20 PM
#11
Closed source, yes. But I have all the derivation paths and xpubs for the multisig address that I can import to an open source wallet.

I'm also not sure a completely self custodied 2 of 3 setup beats a collaborative 3 of 5 setup. Having the seeds for the latter basically makes it 3 of 6 if Casa went offline. Establishing a completely self custodied 2 of 3 would essentially be a 2 of 6 if my seeds were also dispersed. However, the problem with the latter is that if the keys and seeds were dispersed enough to provide robust security, accessing the funds in an emergency could be problematic.

In an emergency situation, I'd use the mobile key, the Casa sovereign recovery key (which comes with a 48-hour delay to avoid wrench attacks) and the one HD. This seems to retain the benefits of a multisig setup.
legendary
Activity: 2268
Merit: 18503
December 04, 2022, 06:58:26 AM
#10
My current multisig is with Casa.
Then I think you should continue down the path of moving to a better system. Casa is closed source, holds one of your keys for you, and (correct me if I'm wrong) but you have to pay them $120 a year for the privilege of them holding one of your keys for you. None of these are good things.

However, on reflection, I think my relative lack of technical expertise may be more of a threat to my multisig security than Casa becoming a bad actor.
Maybe at the moment, sure. But the fact that you have self identified this means you are already well on the way to being able to address your lack of expertise. An entirely self hosted solution will always be preferable to one which depends on third parties.

With my current setup, I only need to have access to one physical key.
Well then you've already lost most of the benefits that a multi-sig solution brings.
jr. member
Activity: 59
Merit: 31
December 04, 2022, 05:22:30 AM
#9
My current multisig is with Casa. I thought for the sake of absolute self sovereignty/privacy, etc., I would explore the option of establishing a multisig address myself. However, on reflection, I think my relative lack of technical expertise may be more of a threat to my multisig security than Casa becoming a bad actor. Then there is the trade off between a more secure setup being correlated to the keys being more geographically dispersed and the ease of access to funds in a situation where travel is hard. With my current setup, I only need to have access to one physical key. The one vulnerability is the seedless setup they encourage, but I can easily overcome that by replacing the current seedless keys with new keys and have their seeds backed up.

Thank you all for your replies. I guess the most fail-safe way of creating an inviolable multisig wallet would be to do it through Bitcoin Core?
Bitcoin Core doesn't support HD MultiSig wallet so it'll be tricky to backup multiple MultiSig addresses.
No GUI option or menu for MultiSig as well, you'll have to operate using commands.

The sovereign recovery info for my current multisig setup directs me to use p2sh-segwit on Electrum with derivation path m/49, not m/1. All keys on my current setup use BIP-39 passphrases, which I successfully tested when one of my keys became corrupted. Can I establish a multisig quorum by just inputting the BIP-39 seeds of my wallets?
Yes, Electrum can restore from BIP39 seed phrase and BIP39 passphrase, just enable the options "BIP39 seed" and "Extend this seed with custom words" when importing the seed phrase(s).
Next to that, type the BIP39 passphrase when prompted for the "seed extension".
After that, you'll have to select the correct script type and then edit the derivation path if it's different from the default for P2SH-SegWit MultiSig - m/48'/0'/0'/1'.
But yours is probably more than just m/49 since it's usually the extended master key at BIP38 derivation path's 'script type' level (check your wallet for the correct path).

Appreciate this, thanks

[moderator's note: consecutive posts merged]
legendary
Activity: 2268
Merit: 18503
December 03, 2022, 09:47:59 AM
#8
The sovereign recovery info for my current multisig setup directs me to use p2sh-segwit on Electrum with derivation path m/49, not m/1.
What is your current multi-sig set up? Why is that insufficient and why are you planning to change?

The derivation path you need to use to recover an existing multi-sig set up is dependent on how it was created in the first place, not on which software you are using to recover it. As I said above, if you create an Electrum segwit multi-sig wallet using Electrum seed phrases, it will use m/1'. If you create an Electrum segwit multi-sig wallet using BIP39 seed phrases, it will use either m/48'/0'/0'/1' or m/48'/0'/0'/2' for P2SH and P2WSH respectively. If you recover an existing segwit multi-sig wallet using Electrum, then you'll need to use whatever derivation path your original software used when first establishing the multi-sig wallet. If it tells you to use m/49' (or more likely m/49'/0'/0'), then use that.

All keys on my current setup use BIP-39 passphrases, which I successfully tested when one of my keys became corrupted. Can I establish a multisig quorum by just inputting the BIP-39 seeds of my wallets?
The BIP39 seeds and any associated passphrases, yes. But be aware that by importing all of these in the same wallet, then you remove all the additional security that multi-sig brings by having all the keys necessary to spend your coins contained within the same wallet on the same device.
legendary
Activity: 2338
Merit: 5297
Self-proclaimed Genius
December 03, 2022, 12:18:43 AM
#7
Thank you all for your replies. I guess the most fail-safe way of creating an inviolable multisig wallet would be to do it through Bitcoin Core?
Bitcoin Core doesn't support HD MultiSig wallet so it'll be tricky to backup multiple MultiSig addresses.
No GUI option or menu for MultiSig as well, you'll have to operate using commands.

The sovereign recovery info for my current multisig setup directs me to use p2sh-segwit on Electrum with derivation path m/49, not m/1. All keys on my current setup use BIP-39 passphrases, which I successfully tested when one of my keys became corrupted. Can I establish a multisig quorum by just inputting the BIP-39 seeds of my wallets?
Yes, Electrum can restore from BIP39 seed phrase and BIP39 passphrase, just enable the options "BIP39 seed" and "Extend this seed with custom words" when importing the seed phrase(s).
Next to that, type the BIP39 passphrase when prompted for the "seed extension".
After that, you'll have to select the correct script type and then edit the derivation path if it's different from the default for P2SH-SegWit MultiSig - m/48'/0'/0'/1'.
But yours is probably more than just m/49 since it's usually the extended master key at BIP38 derivation path's 'script type' level (check your wallet for the correct path).
jr. member
Activity: 59
Merit: 31
December 02, 2022, 08:25:04 AM
#6
Thank you all for your replies. I guess the most fail-safe way of creating an inviolable multisig wallet would be to do it through Bitcoin Core? Given that that is likely above my technical capabilities at present, I could just keep a copy of Electrum backed up.

The sovereign recovery info for my current multisig setup directs me to use p2sh-segwit on Electrum with derivation path m/49, not m/1. All keys on my current setup use BIP-39 passphrases, which I successfully tested when one of my keys became corrupted. Can I establish a multisig quorum by just inputting the BIP-39 seeds of my wallets?
legendary
Activity: 2268
Merit: 18503
December 01, 2022, 11:34:08 AM
#5
There is a 2FA (multi-sig) seed phrase, but the multi-sig wallet uses normal "single-sig" seed phrases.
My bad. I had in my head that version 0x101 was for multi-sig wallets, but you are right - it is specifically for 2FA wallets. Multi-sig wallets just use the usual 0x100 version of Segwit seed phrases.

You can use the same mnemonic for both wallets too but you might lose some privacy doing that as you'll have the same public keys used again.
By default, Electrum uses path m/0' for single sig segwit wallets but path m/1' for multi-sig segwit wallets, so the public keys would be different.
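To make the derivation-path point from posts #8 and #5 concrete (m/1' for Electrum segwit multisig, m/48'/0'/0'/1' or /2' for BIP39 multisig, m/0' for single sig), here is an added example, not code from the thread or from Electrum, implementing hardened-only BIP32 child derivation in plain Python. It uses the public BIP32 test vector 1 seed as constructed input, not a real wallet, and shows that each path yields an unrelated account key, which is why recovery must use the path the original software used.

```python
"""Hardened-only BIP32 derivation: enough to compare the account-level keys
that the paths discussed in this thread produce from one seed."""
import hashlib
import hmac

# secp256k1 group order, needed for the child-key addition step
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
HARDENED = 0x80000000

# Paths named in the thread; all levels hardened, so no EC point math is needed
PATHS = ["m/0'", "m/1'", "m/48'/0'/0'/1'", "m/48'/0'/0'/2'", "m/49'/0'/0'"]

# BIP32 test vector 1 seed (public test data, constructed input for this demo)
TEST_SEED = bytes.fromhex("000102030405060708090a0b0c0d0e0f")


def parse_path(path: str) -> list[int]:
    """Turn "m/48'/0'/0'/1'" into child indices; only hardened levels accepted."""
    parts = path.strip().split("/")
    if parts[0] != "m":
        raise ValueError("derivation path must start with 'm'")
    indices = []
    for level in parts[1:]:
        if not level.endswith(("'", "h", "H")):
            raise ValueError(f"non-hardened level {level!r} is not supported here")
        indices.append(int(level[:-1]) + HARDENED)
    return indices


def master_key(seed: bytes) -> tuple[int, bytes]:
    """Master private key and chain code from the seed (BIP32 step 1)."""
    digest = hmac.new(b"Bitcoin seed", seed, hashlib.sha512).digest()
    return int.from_bytes(digest[:32], "big"), digest[32:]


def derive_hardened(k_par: int, c_par: bytes, index: int) -> tuple[int, bytes]:
    """CKDpriv for a hardened index: HMAC over 0x00 || k_par || index."""
    data = b"\x00" + k_par.to_bytes(32, "big") + index.to_bytes(4, "big")
    digest = hmac.new(c_par, data, hashlib.sha512).digest()
    k_child = (int.from_bytes(digest[:32], "big") + k_par) % N
    if k_child == 0:
        raise ValueError("invalid child key at this index; BIP32 says skip it")
    return k_child, digest[32:]


def account_key(seed: bytes, path: str) -> str:
    """Hex private key at the end of a hardened path (the account/xprv level)."""
    k, c = master_key(seed)
    for index in parse_path(path):
        k, c = derive_hardened(k, c, index)
    return k.to_bytes(32, "big").hex()


def keys_by_path(seed: bytes, paths: list[str] = PATHS) -> dict[str, str]:
    """One account key per path; distinct paths give unrelated keys."""
    return {p: account_key(seed, p) for p in paths}
```

Running `keys_by_path(TEST_SEED)` prints five different keys from the same seed; the single-sig m/0' and multisig m/1' entries differ, which is the privacy point made in post #5.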
copper member
Activity: 2856
Merit: 3071
https://bit.ly/387FXHi lightning theory
December 01, 2022, 11:10:14 AM
#4
It'd be very hard to make Electrum unavailable. Most open source projects often maintain an end of life version or get someone (in this case another wallet) to accept their seed phrases before they become obsolete. You'd be able to recover everything if you backup the electrum binaries somewhere though (there are likely enough backups made already). Just don't use old software on an online machine to load up your wallet because that can lead to vulnerabilities that are already fixed that previously existed (in the past ~5 years we've seen two fairly substantial vulnerabilities - one with a phishing attack and one with a json rpc vulnerability that meant unsigned transaction data could be changed for an open wallet (and mnemonics could be extracted in unencrypted wallets but I didn't see an instance of this being reported at the time that wasn't a proof of concept)).

You can use the same mnemonic for both wallets too but you might lose some privacy doing that as you'll have the same public keys used again.
legendary
Activity: 1820
Merit: 1972
Crypto Swap Exchange
December 01, 2022, 10:44:29 AM
#3
Also, I assume I can use one of the seeds for my multisig wallet for a single sig wallet?
Not with Electrum seed phrases. It has a built-in version which tells Electrum it is a multi-sig seed phrase
It's not correct. There are no multi-sig seed phrases. There is a 2FA (multi-sig) seed phrase, but the multi-sig wallet uses normal "single-sig" seed phrases.
legendary
Activity: 2268
Merit: 18503
December 01, 2022, 10:28:23 AM
#2
My question is, should Electrum be unavailable, will I be able to reestablish access to the multisig wallet if in 10 years I want to spend funds and have all seeds and xpubs available to me?
Yes, although if Electrum is no longer available then it could be tricky.

Even if Electrum is no longer maintained, chances are you will still be able to find a version of the software which is usable. If you can't find the software at all, then you might need to tinker with another piece of software in order to recover this wallet since Electrum seed phrases are not the same as BIP39 seed phrases. You should also note that Electrum Segwit multi-sig derives at m/1'.

Also, I assume I can use one of the seeds for my multisig wallet for a single sig wallet?
Not with Electrum seed phrases. It has a built-in version which tells Electrum it is a multi-sig seed phrase, so you could only use it as a single sig seed phrase by doing something non-standard, which I would not recommend.
Correction below.

If you were to use BIP39 seed phrases, then you could use one of your multi-sig seed phrases for a single sig wallet.
jr. member
Activity: 59
Merit: 31
December 01, 2022, 07:58:36 AM
#1
I am thinking of establishing a 2 of 3 multisig with Electrum, creating a watch only wallet from the xpubs, and leaving it there for a long while, backing up all seeds in separate locations.

I'll probably use native segwit as a derivation path.

My question is, should Electrum be unavailable, will I be able to reestablish access to the multisig wallet if in 10 years I want to spend funds and have all seeds and xpubs available to me?

Also, I assume I can use one of the seeds for my multisig wallet for a single sig wallet?