If you bought bitcoin recently during the mad rush, you now need to familiarize yourself with the concept of “cold storage.”
Since bitcoins are a digital asset that you can’t touch or hold physically, owning bitcoins really only means that you have access to the coins. You access your coins using multiple keys, which are strings of numbers and letters.
Let’s say you bought bitcoin on Coinbase, the most mainstream website for buying bitcoin. If you bought bitcoin there and then did nothing else, you are allowing Coinbase to be the custodian of your coins. Your coins are in a wallet that lives on Coinbase, and the funds are instantly accessible to you when you log in. But that also means they’re more vulnerable to a hack.
If someone gets into your Coinbase account and gets access to your phone, they can take your coins, and you’re powerless to stop it. Bitcoin theft is a major problem: in 2016, $28 million in losses due to cryptocurrency crime were reported to the FBI, triple the amount in 2015.
The safest way to store your coins is through “cold storage”: keeping the access keys somewhere offline, not accessible to the Internet in any way. (In other words, not “hot.”)
Cold storage by Coinbase and other exchanges
Coinbase can do its own cold storage of your coins, if you ask it to. When you create a wallet on Coinbase, it gives you the option to “vault” the wallet. If you do so, the funds are not as instantly accessible to you on the site to sell or transfer, but they are safer—Coinbase is keeping your keys somewhere offline using its own chosen method.
In fact, Coinbase says it stores 98% of customer funds, using paper backups of the keys that are “distributed geographically to safe deposit boxes.” Sound elaborate? It is, because it has to be in order to protect the coins from thieves.
When the bitcoin exchange Bitfinex fell victim one year ago to a hack worth $65 million in bitcoin at the time, it happened because Bitfinex, which had originally been using cold storage for customer keys, had switched its security system to “segregated multi-sig” (multi-signature), where keys are divided up among multiple owners to mitigate risk. The wallets were protected by an outside security provider, BitGo. When hackers sent coins off of Bitfinex, BitGo auto-approved the withdrawal.
But the purest form of cold storage is writing down the keys on a piece of paper somewhere safe, and doing it yourself, rather than trusting Coinbase to do it.
Paper wallets, hardware wallets
Yes, there is an obvious irony to the notion that the safest way to protect your digital asset is using plain dead-tree paper.
You could also write or etch your keys onto a physical object (like a commemorative coin), or save them in a Word document on an external hard drive that is not connected to the cloud. Bitcoin.com has a handy guide to creating a “paper wallet” file on your computer that isn’t accessible to the internet.
Another form of cold storage is a “hardware wallet,” a fob that plugs into your computer through the USB port. There are a number of hardware wallets on the market now, including KeepKey, Trezor, and Ledger. When you plug a hardware wallet into your computer, it forces you to enter your PIN before you can do anything, and you also have to know your bitcoin wallet address to send or receive any funds, so there are multiple layers of safety. (Some people still argue hardware wallets aren’t as safe as paper, since they have software on them.)
To transfer your coins off of Coinbase, you simply need to send them to your other wallet. Click on your Coinbase wallet, then click “send,” and it asks for the bitcoin address you’re sending funds to.
But buyer beware: Coinbase fees for transferring coins can get sky-high, since they vary based on activity on the bitcoin blockchain. At times this week, the fee to send bitcoins from a Coinbase wallet to somewhere else has been as high as 15%.
Disclosure: The author owns less than 1 bitcoin, purchased in 2015 for reporting purposes.
Daniel Roberts covers bitcoin and blockchain at Yahoo Finance. Follow him on Twitter at @readDanwrite.