Hardware wallets are deemed the most secure storage option for cryptocurrencies. But you can’t just
put your funds on the wallet and be done. Risks remain if the device is not properly initialized or
if there are issues with its firmware updates. To increase the security of your hardware wallet,
apply the following security precautions.
1. Buy the wallet only from its official supplier or a trusted third-party
Purchase the wallet only from its official vendor instead of a reseller to reduce the probability of it
being counterfeited or tampered with. There was a case in which an eBay reseller managed to access
buyer’s even if he sold them legitimate and unopened products.
2. Stay away from pre-initialized hardware wallets
A pre-initialized hardware wallet could simply carry a copy of a wallet that was set up by a
scammer. Make sure that you are the only person to initialize your hardware
wallet before you use it. Go through the initialization setup for your hardware wallet provided on its
3. Only use device-generated recovery words
Never use recovery words that have been pre-selected. Always make sure the wallet has been
initialized from zero and use only new random on-device generated recovery words. The person that
has the recovery words is able to access the wallet and steal its coins.
4. Look for a device that has attestation
Before you purchase your hardware wallet, make sure that you will receive a document or some sort
of proof that shows the origin, authenticity, or integrity of the product. Try to find the software
developed by the device manufacturer which can interrogate a Secure Element embedded on the
device and prove the device’s integrity.
Go through the verification instructions given by your wallet provider (Ledger has available
instructions for verifying attestation through its secure element attestation).
5. Test Your Backup
A very important rule that is sometimes overlooked is verifying the backup. Your wallet backup
represents a set of recovery words. You can test the recovery words to see if they work on a different
hardware wallet device.
If the wallet has been completely and successfully recovered, then you can be certain that the
backup works. After this, you have to erase or reset the test hardware. It is not recommended to use
your usual computer or software wallet to check if the backup works.
The instructions for performing a recovery test for your backup seed should be provided by your
6. Write down and store your recovery words separately
Do not type the recovery words into a computer or take photos of them or print them. The only safe
way to store your recovery words is by writing them down on paper. You could later on laminate the
paper so it can stay safe against environmental factors that might degrade it.
Store it in a place that only you have access to. Keep in mind that the wallet’s PIN code does not
guarantee fund protection if an attacker gets a hold of the wallet physically and finds the recovery
words next to the device. Under no circumstances should you store the wallet alongside the paper
which contains the recovery words.
7. Verify the software that communicates with your hardware wallet
Backdoored desktop software can be a threat to your funds. Hardware wallets make use of
desktop software for transaction initialization, firmware updates for the device, as well as other
In order to prevent an attacker from tampering with the device software after it has been installed,
there should be reproducible builds and code-signed executables available. By using code-signed
executables, the operating system automatically verifies the code signatures each time the
application is launched, as opposed to manual verification, which is usually only done once.
8. Consider using only one dedicated computer for your wallet
If just one computer is used to access and operate your hardware wallet, it can provide even more
safety as it is not used for daily tasks, thus reducing its exposure to other online threats that might
compromise it, and by association your wallet.
By opting to use your hardware wallet only from a PC that has an immutable configuration, you increase
the security of your private keys. This computer would have to be disconnected from the Internet,
and dedicated exclusively to initiating and signing transactions via the hardware wallet.
First, you will have to lock down its firmware configuration (for instance, restrict boot devices,
disable network boot, etc.) to make sure that nothing connects to it during its booting process.
9. Look for a wallet that has multi-sign functionality
“Multi-signature” is the process which involves more than one key when authorizing a transaction.
This feature offers protection against a single point-of-failure. A multi-signature wallet will generate
multiple keys which can be kept in separate hardware wallets.
10. Manually check when a new multi-signature address is generated
Multi-signature wallets are formed by combining a number of private key owners into one address
that is defined by a script. This type of address is called P2SH or “pay-to-script hash”.
The address is created in the user interface of the desktop software, using public keys, and not
on the hardware wallet. If you use a compromised PC when the script
generates the new P2SH address, then the hacker may be able to modify the script terms and attach
himself to the multi-sig wallet.
This means that he could secretly insert himself as an additional owner to the address and thus gain
access to said joint wallet.
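One way to make that manual check concrete, as an added example that is not from the original article or from any wallet vendor: parse the redeem script the desktop software proposes and compare its threshold and public keys with the ones each owner read from their own device. The function names and key values are hypothetical placeholders, and only the bare `OP_m <keys> OP_n OP_CHECKMULTISIG` form is handled.

```python
# Added example: audit a multisig redeem script before funding its P2SH address.
OP_CHECKMULTISIG = 0xAE

def parse_multisig(script: bytes):
    """Parse 'OP_m <key>... OP_n OP_CHECKMULTISIG' and return (m, [pubkeys])."""
    if len(script) < 4 or script[-1] != OP_CHECKMULTISIG:
        raise ValueError("not a CHECKMULTISIG script")
    m, n = script[0] - 0x50, script[-2] - 0x50  # OP_1..OP_16 are 0x51..0x60
    if not 1 <= m <= n <= 16:
        raise ValueError("invalid m-of-n opcodes")
    keys, i, end = [], 1, len(script) - 2
    while i < end:
        size = script[i]  # direct push: one length byte, then the key
        if size not in (33, 65) or i + 1 + size > end:
            raise ValueError("unexpected or truncated key push")
        keys.append(script[i + 1:i + 1 + size])
        i += 1 + size
    if len(keys) != n:
        raise ValueError(f"script says n={n} but holds {len(keys)} keys")
    return m, keys

def audit(script_hex, expected_m, expected_keys_hex):
    """Return findings; an empty list means the script is what the owners agreed."""
    m, keys = parse_multisig(bytes.fromhex(script_hex))
    got = {k.hex() for k in keys}
    want = {k.lower() for k in expected_keys_hex}
    findings = []
    if m != expected_m:
        findings.append(f"threshold is {m}, expected {expected_m}")
    findings += [f"unknown key in script: {k[:16]}..." for k in sorted(got - want)]
    findings += [f"expected key missing: {k[:16]}..." for k in sorted(want - got)]
    return findings

def build(m, keys_hex):
    """Helper for the demo only: assemble a redeem script as hex."""
    body = b"".join(bytes([len(k) // 2]) + bytes.fromhex(k) for k in keys_hex)
    return (bytes([0x50 + m]) + body + bytes([0x50 + len(keys_hex), OP_CHECKMULTISIG])).hex()

# Constructed placeholder keys, not real public keys.
OWNERS = ["02" + "11" * 32, "02" + "22" * 32, "03" + "33" * 32]
ROGUE = "02" + "ee" * 32
GOOD = build(2, OWNERS)
TAMPERED = build(2, OWNERS + [ROGUE])  # an extra co-owner slipped in

if __name__ == "__main__":
    print(audit(GOOD, 2, OWNERS))
    print(audit(TAMPERED, 2, OWNERS))
```

The expected keys should come from each hardware wallet's own display, not from the same computer that generated the script.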
With this, we conclude our article regarding how you can increase the security of your hardware
wallet. It may seem a little too much (or paranoid, by some accounts) to implement all these rules,
but as recent reports have shown us, greedy malevolent actors stop at nothing to get the digital
funds of others.