bitcoin best practices - bitcoin core + specter + coldcard guide

requirements: computer, coldcard, battery pack, usb cable, microsd card, card reader, dice

The goal of this guide is to get you setup with using bitcoin in a reasonably easy, affordable, and secure way. After you get comfortable with this setup you can easily upgrade your security and privacy without changing the software you are using.

minimum setup cost: ~$150 + computer
recommended full setup bundle cost: ~$300 + computer

1. receive coldcard
   a. best to buy in person at a conference or meetup
   b. second best to ship to an address that is not your home, using a burner email + phone number, and bitcoin for payment
2. check bag for tamper
   
3. open bag, check device for tamper
   
4. download newest firmware
5. verify it (video guide)
   a. import the coldcard signing key: curl https://keyserver.ubuntu.com/pks/lookup?op=get&search=0xA3A31BAD5A2A5B10 | gpg --import
   b. the signing key downloaded should be: 4589779ADFC14F3327534EA8A3A31BAD5A2A5B10
   c. download signatures.txt from github
   d. verify the signature: gpg --verify signatures.txt
   e. calculate the hash of the firmware file: 2021-04-29T1725-v4.1.0-coldcard.dfu
   f. confirm it is the same hash as the one shown inside signatures.txt
6. load it on to microsd card
7. connect CC to battery, power on
   a. some battery packs do not stay on for low power devices, I really like the bare board coldpower offered directly from coinkite
8. check bag number on device
9. use microsd to install latest firmware
10. check bag number again
11. create pin
12. create new wallet
13. press 4 to add dice
14. roll at least 100 times
    a. if you wish to verify the dice rolls you can here
15. backup your wallet by storing the secret backup word phrase somewhere safe and offline
    a. this is called your seed
    b. anyone with access to this phrase can spend your coins, never enter it into your computer, only enter it directly into your coldcard when restoring from backup
16. download specter desktop
    a. it is best practice to use a dedicated computer - if a malicious actor gets access they can compromise your privacy and potentially steal funds
17. verify it
    a. download signing key
    b. fingerprint of the key is 5DF6 A760 1DB8 B78E BDEC 18DB 5D27 DE56 4153 F2BD
    c. import key: gpg --import ben-kaufman.asc
    d. download signed hashes from github
    e. verify signed hashes: gpg --verify sha256.signed.txt
    f. confirm hashes are the same: sha256sum -c sha256.signed.txt specter_desktop-v1.3.1-x86_64-linux-gnu.tar.gz | grep OK
    g. if ben is not available the release may be signed by stepan with this key, fingerprint: 6F16 E354 F833 93D6 E52E C25F 36ED 357A B24B 915F
    h. more comprehensive verification guide if you are confused
18. install specter desktop
19. wait for sync
20. proceed with specter wallet setup wizard
    a. full specter guide can be found here if you have issues
    

---

IMPORTANT THINGS TO REMEMBER

• always verify receive addresses on the coldcard address explorer going forward

• make sure to clearly label your receive addresses in Specter so you know what their source is when you go to send from them in the future

• always double check destination and change addresses directly on the coldcard screen during the transaction sending process

• never connect your coldcard directly to the computer, use a microsd card to transport the data

• make sure you backup your wallet by storing the secret word phrase somewhere safe and offline

• anyone with access to this phrase can spend your coins, never enter it into your computer, only enter it directly into your coldcard when restoring from backup

• can also be useful to have an additional backup that is a second coldcard already setup with the same wallet

• always test your backups, consider doing a full restore process on a new device

• the coldcard is designed to be secure even if your computer is insecure but best practice is to use a dedicated computer with it that you do not use for anything else - if a malicious actor gets access to your computer they can compromise your privacy and potentially steal funds

• You may want to experiment with a multisig setup using the same software stack as above as you get more comfortable. The nice thing about the above setup is you can easily move to multisig in the future. A guide for that setup can be found here.

---

This is not sponsored content. This is my personal opinion on best practices. No affiliate links. No ads. If you appreciate this guide consider buying me a drink.

The content above provides education as to general privacy and security practices when using bitcoin. Should you choose to apply the practices described in linked content with bitcoin you own now or may purchase in the future, you do so at your own risk and I shall in no event be liable for any financial loss suffered. Nothing shall be construed as providing consulting, financial advice or general advice as to securing bitcoin.