Cryptoadvance has created a wonderfully written Python program that lets self-sovereign users to achieve a multi-signature easily and efficiently. So far, most muli-sig wallet options have been limited to only a few wallets and may have some privacy concerns. Specter Desktop has a wonderful interface and not only can it be used with all major hardware wallets, but it can be used with hardware wallets you can create on your own. I am setting currently setting up Michael Flaxman’s 10x Security Bitcoin Guide to setup my Multisig. The 2-3 setup requires a Laptop running bitcoin core(You can also use a Rasberry Pi with something like My Node Installed), Cold Card wallet, Cobo vault wallet, ,paper wallet, pencil and paper, a laptop, and a printer. To make it the process easier, we are also going to use a single die. To make it more secure, we are going to use Tails to generate our paper wallet and never connect that instance of Tails to the Internet again. This article will focus on setting up the paper wallet portion of this multi-signature setup, since the Internet is filled with examples on how to setup commercial hardware wallets like Cold Card and Cobo Vault.
According to Michael Flaxman’s guide, you should understand that “This “paper wallet” is only ever designed to be used for backup/recovery purposes and will hopefully never be used.” * but if you do need to use it, you will have to load it into a hardware wallet to recover your funds. For example, you hold the key to you Cold Card in a safe at home and this paper wallet seed in a safe deposit box, but your Cobo Vault keys are buried next to Abrahan Lincoln on Mount Rushmore and your recently discovered this wallet is malfunctioning. Congress decides to add another dead president to Mt. Rushmore within 24 hours…the keys to your Cobo Vault are blown to smithereens. Now, you need to recovery paper recovery wallet to recover your bitcoin.
This is a very unlikely situation indeed, but setting up a mult-sig wallet like this is an exercise in Trust minimization. You will probably not lose both your hard wallet and seed at the same time, but it is possible to make a mistake in writing a seed down, or perhaps a fire ignites your safe deposit box aflame. Nevertheless, the BTC guide mitigates risk by removing single points of failure.
This article will describe how I created a paper wallet using the following tools:
3) A printer(it does not need to be your own)
4) A random number generating device (A single die)
5) 1 16gb+ Pen Drive with Tails installed
STEP 1) Print out the Seed words:
There are several options:
Option One: Cut out 2048 individual words and draw them from a hat. This is an example of 2048 individual words.
Cutting out 2048 little words is a bit laborious, but I found it quite satisfying to mix up every BIP39 word with my hands. It helped me appreciate the entropy involved in creating a bitcoin wallet. Once you cut the words, simply put them in a bag. After writing down the word, throw the word back into the bag and draw again, stop at the 23rd word since the 24th word will be calculated for us using the seed picker tool.
Option 2: I like this option the best since It is less labor intensive and more fun to roll a die. On the next family game night you can do this in the hopes of finding a bitcoin wallet with actual bitcoin in it. It’s not impossible. You have an equal chance of winning the Powerball 9 times in a row.,
1) Prepare you materials. Print out all of the required documents, get a single die, a bag, and pencil, print out the lookup table and seed form:
Next, cut 342 raffle tickets,tickets as evenly as possible and shuffle them in a bag. You could use a box or hat too, but we will use a quart size Ziplock in a bowl for this demonstration.
3) Draw a ticket. In this example, we drew the raffle T223.
4) Roll the die. In this example, we rolled a 3.
5) Write down the word that corresponds to the raffle and die roll. According to the lookup form the combination of T223 + 3 corresponds with the word “plug”. Plug will be the first word we enter into the , seed form and the first word we type into the Seed Picker Website. T223 and the word under numeral 3 are highlighted in the picture below.
Repeat this 23 times.
You can use a program to generate the words for you. This is the easiest way to do this, but requires the most trust. Ian Coleman has a website that will generate all 24 words for you, including the checksum. I wrote a simple Python program that randomly chooses 23 words and I am working on one that let’s the user also choose a single die.
I prefer the other two options to even to using the program I wrote myself because it requires the least amount of trust. Even though I wrote my own program that chooses 23 words from the BIP39 list, this still requires me to trust the random module.
Remember: If you choose one of these digital options, be sure to use it on a secure computer and do not save the paper wallet file, as this is the most vulnerable part of the multi-sig wallet set up.
Using option 2, the raffle tickets and a single die method, we randomly chose the following 23 words:
plug topic image gate high stick stock regret picture lake tornado wide blouse example trim aim enroll spice aisle evil large sing rebel
Note: For security reasons, we obviously do not want to use this key to hold any bitcoin.
The last word will be calculated on the Tails operating system. Once we access the Seed Picker Website , we never want to connect this instance of Tails to the Internet again. Tails is an acronym for The Amnesiac Incognito Live System. This operating system uses TOR and does not save anything you type into it, unless you set up a special persistence folder which needs to be created ahead of time. Since we are creating a paper wallet with the goal of never allowing the 24 seed words to be saved on a computer that is connected to the Internet, I will not explain how to set up this Persistence folder. This should only be used for advanced Tails users because it is easy to make mistakes. Most users should not keep these keys on Tails. Even if you are an expert, you must also consider the increased difficulty this might add to your heirs if you get hit by the proverbial bus.
First, download the operating system from the Tails website. Linux is recommended, but you will want to use the version that is appropriate for your operating system. I learned how to install it watching the tutorials on the Infosec Bytes YouTube channel. Once the Operating system is downloaded, be sure to verify the software. If you know how to use OpenPGP, do so. If you are not familiar with OpenPGP, you can verify the image with the Tails Verification extension. Once verified, flash this with a program like Balena Etcher. This post assumes you are already running bitcoin core and have either already used Balena Etcher to flash Linux for Mynode or something. If not, do not worry. It has a user friendly, drag and drop GUI.
Before we create the checksum, we want to make sure to use a secure computer and we never want to connect that computer to the Internet again. You will want to practice this several times before you create our actual paper wallet. To calculate the checksum, you should use the following steps:
a. Make sure your computer is turned off.
b. Insert the Tails USB into your computer and turn it on. Some computers, like the P laptop I used will boot Tails automatically. Other computers will require you to press f12 or some other similar key. All computers are different so you will need to look up the method for your specific computer if it does not au tomatically start. You will know Tails has started when you see this screen:
After Tails finishes booting up, you will see this Welcome screen:
I used my main instance of Tails, therefore the Encrypted Persistence Storage is enabled. The Encrypted Persistence Storage will not appear if this is the first time you are using Tails. Click on the blue Start Tails button in the upper right hand corner of the welcome screen.
6) Connect to the Internet:
This machine is plugged into my router and connects to the Internet the old fashioned way since I run Bitcoin Core on a Debian distribution on my hard drive. If you do not using an Ethernet cable, you can click on the speaker looking icon in the upper right hand corner and connect to Wifi. You will need to select your network and enter your password the same as you would with any other operating system.
7) Open TOR
Tails uses TOR. This is a web browser that enables anonymous communication. We will use this to web browser to generate the 24th word.
8) Navigate to https://seedpicker.net/calculator/last-word.html
Do not enter your 23 words yet. We do not want to enter our words until we have disconnected our machine from the Internet. Our keyboard may be infected with key-logger malware. This is probably not the case, but let’s not take any chances. We can mitigate this risk by turning on the screen keyboard. That way, our key will even be safe on a key-logger infected machine. The on-screen keyboard and how to navigate it is shown in the above picture.
9) Disconnect the Internet Then Enter the 23 Words
Turn off WiFi. Unplug any Ethernet cables.
We will now enter our 24 seed words into the Seed Picker Website.If a word is misspelled, or not part of the BIP39 word list, the page will prompt you to correct the error. Once you fill in your first 23 words, press the calculate button.
11) Write down you 24th word.
We now have all 24 words of our paper wallet.
As you can see, the last word/checksum in my example paper wallet is allow. In case of emergency, you will also need the zpubs which will be shown. Since we are never going to connect this instance of Tails to the Internet again, we can’t just send it to our email, not even if we encrypt it using PGP. Tails will also not save anything once you shut it down(Assuming we are not using the Persistence Folder), nor can you upload this information to another USB stick. Instead, we will click on the QR Code button.
12) Show QR Code
Since Tails erases everything not saved to our persistence folder, and we do not want to connect this instance of tails to the Internet ever again, We are not able to just send this important information over email, not even with PGP. Luckily, the seed picker solves this problem quite elegantly by allowing us to show a QR code. To ‘upload’ this information to Specter Desktop, we just need to take a picture of the QR code, which gives us a json file. If you are ultra concerned about your privacy, you might want to use a Polaroid camera, but even your funds can not be recovered with the Zpub alone. The camera on my phone also reads the QR Code, so I saved that information to the phone, This can be saved to a Keepass, or Protonmail. You should get the information onto your phone before you power off your computer in case the picture of the QR code since your Specter Wallet machine is connected to the Internet.
Yu should be able to obtain the zpub for our wallet this QR code. If your phone does not do this automatically, there are several Apple or Android apps that can help you accomplish this. You can also scan this picture with Specter Desktop to enter the key, but there is a chance the picture will not be clear enough to work. Therefore, We should save a copy of the zpub as well as take a photo. Otherwise we will need to start the process over. Note: when you take the picture, try to get as close as possible and take several pictures. If they are blurry, you may want to do them over again. In this example I used the same laptop I have Specter Desktop installed on to use Tails, so I did not have a chance to test the picture before shutting down Tails.
13 Add the Wallet to Specter Desktop
You should now be able to upload the json backup wallet file for your Specter Desktop Multi-Sig Quorum.
It should look something like this:
**Please note this is an example wallet. Please do not use it or send bitcoin to any addresses derived from this key.
I hope this helps you create your own paper wallet as safely as possible.
Please suggest any ways I can approve this.
Thanks for reading.