Coldcard - hardware wallet for cypherpunks
November 22, 2019
Coldcard is a hardware wallet targeting the real enthusiasts, and instead of delivering a product with a polished exterior the company takes pride in trying to produce the most secure hardware wallet possible. Somewhat surprisingly, this does not actually make it a lot less user-friendly than the alternatives. Let’s have a look!
The packaging is as simple as it gets, a transparent plastic bag, but of course it comes with a tamper-evident seal so that you should be able to detect if someone has opened it in transit. A number is printed on the bag; this number will later be checked against a number shown on the device display, which is another way of ensuring that no one has tampered with the bag. Included in the bag is a small sheet for writing down the backup words and PIN code, and a sticker, but that’s it. The device is connected and charged using a micro USB cable, something that you probably already own.
When you connect the device, the number that is also found on the bag is displayed and you get to confirm that they match. The next step is selecting a PIN code, and this feature differs quite a lot from other hardware wallets. The PIN code consists of two different parts, where the first part gets converted to 2 words that are displayed every time you start your Coldcard. This is an anti-phishing feature designed to make sure that you always log on to the correct device, i.e. that no one switched it out without your knowledge. It’s really important to remember the PIN code of your Coldcard as there is no “factory restore” feature on the device. This means that your Coldcard wallet is completely unusable if you forget your PIN code. This too is a security feature that is by design.
The next natural step is of course to get a cable and connect your wallet to your computer’s USB port, but before doing that you should know that you actually don’t need to. It is possible to use Coldcard without ever connecting it to a computer, which is a unique property that makes it an interesting choice for the most sensitive use cases and makes Coldcard one of the few hardware wallets that can actually be called cold storage.
Anyway, since I want to compare the Coldcard experience to Trezor and Ledger, I begin by connecting it to my computer to be able to use it in a similar way. After selecting a PIN you can create a new wallet, and in a familiar way you are then presented with 24 words, intended to be written down on the sheet provided. To confirm your backup, Coldcard wants you to repeat the words back, and this experience, which is often tedious when lacking a proper keyboard, is actually not that bad as Coldcard presents 3 different words to choose from instead of letting you type the words. A clever and simple solution.
Sending and receiving
Coldcard does not come with its own software wallet, so the standard way of interacting with it is to use Electrum (though there are other options). Unfortunately Electrum does not offer a great user experience, but it's still relatively simple to get started using the instructions provided by Coldcard. When connected to the computer using a cable, the process of sending bitcoin is just as easy as using Trezor or Ledger. After clicking Send in Electrum, the transaction is shown on the Coldcard display. Thanks to the rather large display, showing 5 rows of text at a time, and thorough instructions, I actually find the information easier to read than on most other hardware wallets. The following text is displayed, and you use the arrow buttons to scroll down and view all of it.
OK TO SEND?
- to address -
Press OK to approve and sign transaction. X to abort.
When receiving bitcoin the address is displayed in Electrum but there is also a button, Show on Coldcard, that should be used to confirm that it is correct. This is straightforward so let’s instead have a look at sending transactions without ever connecting the device to a computer.
Real cold storage
To get started you first of all need a MicroSD card. Don’t worry though, it won’t be expensive: the amount of data used for transactions is very small, so you can pretty much get the smallest card you can find. If you want to do things the right way you should of course never connect the device to the computer at all, so ignore the first part of this article if you want your cold storage to be truly cold. Instead do the following:
- Insert your SD card
- Connect the device to a power outlet (not a computer!)
- In the menu, choose Advanced > MicroSD Card > Electrum Wallet
- Move the SD card to a computer with Electrum installed and choose to open the file new-wallet.json that has now been created on the SD card
Then, to send a transaction, do the following:
- Create a transaction in Electrum (just the way you normally do)
- Instead of Send, choose Preview, then Save PSBT to save the file to your SD card
- Move the SD card to your Coldcard
- Choose Ready to sign, pick the file from the previous step, check that the information is correct and press OK
- Now move the card to a computer with Electrum again and choose Tools > Load transaction from file > Broadcast
You have now sent bitcoin without ever letting the private keys or the device where they are stored come in contact with a computer. Pretty cool, huh? It’s not exactly a smooth and quick experience but that’s the price you have to pay for this level of security, at least for now.
The format that was used to export the unsigned transaction in the previous example, PSBT or Partially Signed Bitcoin Transaction Format, was developed primarily for signing by multiple parties in multisig setups. This means that you can use several Coldcard devices and require a signature from each one of them to make a valid transaction. You could, for example, create the transaction on the computer and then move the SD card between the different devices and sign the transaction on each one before finally returning to the computer to broadcast the transaction. Doing this is still a bit of a hassle, but if you are interested the documentation is available on the Coldcard site.
The real advantage of multisig will come when more hardware wallets implement support for PSBT. By using multiple devices from different manufacturers you could minimize the risk of losing your bitcoin because of bugs, either in hardware or in software.
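As an added example (not Coldcard's or Electrum's code), a small Python check for the moment the signed PSBT comes back from the Coldcard on the SD card: it parses the BIP 174 container, confirms that the unsigned transaction inside the returned file is byte-identical to the one you exported from Electrum, and that every input now carries a partial signature (or has been finalized) before you broadcast. The sample PSBT is constructed here with fake txid, public key and signature bytes; it is not real data.

```python
import hashlib
PSBT_MAGIC = b"psbt\xff"       # BIP 174 header; global key type 0x00 holds the unsigned tx
IN_PARTIAL_SIG, IN_FINAL_SCRIPTSIG, IN_FINAL_WITNESS = 0x02, 0x07, 0x08   # per-input key types

def read_compact(buf, pos):
    """Decode a Bitcoin compact-size integer; return (value, new_pos)."""
    n = buf[pos]
    if n < 0xFD:
        return n, pos + 1
    size = {0xFD: 2, 0xFE: 4, 0xFF: 8}[n]
    return int.from_bytes(buf[pos + 1:pos + 1 + size], "little"), pos + 1 + size

def read_map(buf, pos):
    """Read one PSBT key/value map up to its 0x00 separator."""
    items = {}
    while buf[pos] != 0x00:
        klen, pos = read_compact(buf, pos)
        key, pos = buf[pos:pos + klen], pos + klen
        vlen, pos = read_compact(buf, pos)
        items[key], pos = buf[pos:pos + vlen], pos + vlen
    return items, pos + 1

def inspect_psbt(data):
    """Return (sha256 of unsigned tx, inputs, inputs with a partial sig, finalized inputs)."""
    if not data.startswith(PSBT_MAGIC):
        raise ValueError("not a PSBT file")
    glob, pos = read_map(data, len(PSBT_MAGIC))
    tx = glob[b"\x00"]                      # BIP 174 requires non-witness serialization here
    n_in, _ = read_compact(tx, 4)           # input count follows the 4-byte version field
    signed = finalized = 0
    for _ in range(n_in):
        m, pos = read_map(data, pos)
        types = {k[0] for k in m}
        signed += IN_PARTIAL_SIG in types
        finalized += bool(types & {IN_FINAL_SCRIPTSIG, IN_FINAL_WITNESS})
    return hashlib.sha256(tx).hexdigest(), n_in, signed, finalized

def safe_to_broadcast(unsigned, returned):
    """The returned file must carry the identical unsigned tx and a signature on every input."""
    d0, n_in, _, _ = inspect_psbt(unsigned)
    d1, _, signed, finalized = inspect_psbt(returned)
    return d0 == d1 and (signed == n_in or finalized == n_in)

def build_sample(signed):
    """Constructed 1-in/1-out PSBT with fake txid, pubkey and signature bytes (not real data)."""
    tx = (b"\x02\x00\x00\x00\x01" + b"\x11" * 32 + b"\x00" * 4 + b"\x00" + b"\xff" * 4
          + b"\x01" + (50_000).to_bytes(8, "little") + b"\x16\x00\x14" + b"\x22" * 20 + b"\x00" * 4)
    sig = b"\x30\x44" + b"\x33" * 68 + b"\x01"            # dummy DER signature + SIGHASH_ALL byte
    inp = (b"\x22\x02\x02" + b"\x44" * 32 + bytes([len(sig)]) + sig) if signed else b""
    return PSBT_MAGIC + b"\x01\x00" + bytes([len(tx)]) + tx + b"\x00" + inp + b"\x00\x00"
```

A mismatching digest means the transaction the Coldcard signed is not the one you created, which is exactly the case where the card has passed through a computer you should not trust.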
Here are some other features available on Coldcard:
- An alternative PIN code that opens a separate wallet when entered. It can be used to hide your real wallet in a situation where someone forces you to unlock the device.
- A green light connected directly to the secure chip to show that your device has not been tampered with.
- Generate your seed using dice rolls. If you don’t trust the built-in random number generator, it is possible to instead roll a die multiple times and enter the results to create a seed from a source of randomness that you control.
- Encrypted backup on SD card. In addition to writing down your recovery phrase on paper you can export all information that is needed for recovery, encrypted, to an SD card to make it easy to get started with a new device if needed.
- Transparent case. What may look like a cheap plastic cover is actually also a security feature that makes it possible for you to see for yourself whether someone has done something to your device, inserted some hardware that shouldn’t be there, etc.
There is no doubt that Coinkite is serious in its ambition of creating the most secure hardware wallet. If you’re not intimidated by the simple design, Coldcard is just as good a choice as Ledger or Trezor, even for a “regular” user. The physical buttons are robust and large enough that they are easy to use. There is a small delay in the button presses which is somewhat annoying, e.g. when entering the PIN code, but it’s not a huge problem. Another disadvantage compared to Trezor and Ledger is that it is somewhat bigger, so it doesn’t fit as well on your keyring.
In Michael Flaxman’s comparison of hardware wallets, Coldcard gets an equal or higher rating than all other devices on all of the points "Multisig Support", "Airgap", "User Input" and "Privacy".
You can find the Coldcard wallet and other products by Coinkite in their shop.