BitGo Wallet Security Best Practices
Computer security is crucial to protecting your digital funds. This document provides an overview of the key action items to secure hot/warm wallets by:
Using a clean, uncompromised computer.
Applying a set of robust policies.
Adding multiple admins to the wallet.
Securing the Keycard.
Laptop/PC Security Best Practices
These recommendations apply to the computer that you will use to access BitGo’s Dashboard (https://www.bitgo.com/login) in order to generate a wallet.
Obtain a new computer or reinstall the OS on an older one. If installing the OS yourself, verify the integrity of your installation image using a secure cryptographic checksum (such as SHA256, see https://help.ubuntu.com/community/HowToSHA256SUM).
Update your computer software regularly and do not use an outdated operating system. Outdated systems no longer receive patches for known security holes and vulnerabilities.
Install security software. Schedule routine antivirus scans and/or see an IT professional to have your computer fully inspected for trojans, keyloggers, and malicious applications/browser plugins.
Ensure that your computer is entirely free from any form of malicious software.
Once you have generated your wallet, it is best to use only that computer for all interactions with BitGo (transactions, updating the account, etc.). If you do use multiple computers, then it is best to apply the above practices to all of them.
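The checksum step above, worked as an added example (not BitGo's code): it parses a SHA256SUMS file in the coreutils format the Ubuntu how-to describes, streams the image through SHA-256, and treats a missing entry as a failed verification rather than a pass. The image and SHA256SUMS contents in demo() are constructed sample data.

```python
import hashlib
import hmac
import os
import tempfile


def parse_sha256sums(text):
    """Parse SHA256SUMS lines ('<hex>  <name>' or '<hex> *<name>') into {name: hex}."""
    sums = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition(" ")
        name = name.strip().lstrip("*")  # '*' marks binary mode in coreutils output
        if len(digest) == 64:
            sums[name] = digest.lower()
    return sums


def sha256_file(path, chunk_size=1 << 20):
    """Stream the file so a multi-gigabyte ISO does not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_image(image_path, sums_text):
    """True only if the image's digest matches its SHA256SUMS entry.
    No entry for the file means unverified (False), never a pass."""
    expected = parse_sha256sums(sums_text).get(os.path.basename(image_path))
    if expected is None:
        return False
    return hmac.compare_digest(sha256_file(image_path), expected)


def demo():
    """Constructed sample: a fake 'image' plus one genuine and one tampered SHA256SUMS."""
    d = tempfile.mkdtemp()
    image = os.path.join(d, "example-image.iso")
    with open(image, "wb") as f:
        f.write(b"constructed installer bytes, not a real image\n" * 1000)
    good_sums = f"{sha256_file(image)} *example-image.iso\n"
    tampered_sums = "0" * 64 + " *example-image.iso\n"
    return verify_image(image, good_sums), verify_image(image, tampered_sums)
```

The published SHA256SUMS file itself must come from the vendor over a trusted channel; a checksum downloaded from the same place as a tampered image proves nothing.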
Warm Wallet vs. Hot Wallet
A hot wallet can send to any address, or in some cases to a fairly broad whitelist of addresses (such as a list of regular vendors).
A warm wallet is configured much like a hot wallet, with two important differences:
The warm wallet has a whitelist policy, so BitGo will only co-sign transactions that send to the static addresses of the hot and cold wallets. This way, if an attacker compromises the warm wallet, they can send only to other wallets you control.
The warm wallet should generate all of the receive addresses on your system – for instance when a new user joins and they request an address to send funds to.
Thus your hot wallet is meant to be used only for Send transactions from your system. The warm wallet is used for all deposits to your system, and can send funds only to the cold storage or the hot wallet.
This separation of a warm wallet for receives and a hot wallet for external sends/withdrawals makes operating your wallet easier because you need to worry only about keeping your hot wallet sufficiently funded to service withdrawals. The warm wallet is easier to operate than a cold wallet but less secure, and as simple to operate as the hot wallet but more secure.
Configuring Wallet Policies
Wallet policies are a last line of defense for your wallet if your account has been compromised. Properly constructed policies, used in conjunction with multiple admins on a wallet, are a key element in keeping your funds safe.
Policies can limit spending per hour, day and transaction. Wallet policies also include the ability to create a whitelist of approved recipient wallet addresses.
It is crucial to the security of your crypto assets that, at a minimum, you create policies on your wallets that limit the amount that can be sent per transaction, per hour, or per day, or on the addresses that a wallet can send coins to.
If you have a wallet that is used only to interact with a particular address, apply a whitelist.
If you have a hot wallet with a lot of use, apply both a daily velocity limit and a per transaction velocity limit.
If you have a warm wallet that you use to fund the hot wallet, apply a daily velocity limit no higher than the daily limit on the hot wallet.
But the policies also need to be constructed and “layered” effectively. For example, a policy that limits sending to 50 coins per transaction is still going to allow an attacker to send 50 BTC per transaction until they have completely depleted the wallet. To remedy this, we recommend using hierarchical wallet policies (daily, hourly, transaction) that restrict the amount of coin that can be transferred without approval from another admin on the wallet.
Note: Once a policy has been set and left unchanged for 48 hours, it cannot be changed without intervention by BitGo technical support. This is a security measure so that if an account gets compromised, the policy cannot simply be removed by the attacking party.
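The layering point above, and the warm-wallet whitelist described earlier, as an added illustration (an assumed model, not BitGo's policy engine): a transaction that trips any limit needs a second admin, and the simulation shows how much an attacker holding only the login can move without that approval under a per-transaction limit alone versus a layered policy. Amounts, balances and addresses are constructed.

```python
from dataclasses import dataclass
from typing import Optional, Set


@dataclass
class Policy:
    """Assumed model of layered limits, in whole coins; None means no limit on that axis."""
    per_tx: Optional[float] = None
    per_hour: Optional[float] = None
    per_day: Optional[float] = None
    whitelist: Optional[Set[str]] = None  # None = any destination allowed


def needs_approval(policy, amount, dest, sent_last_hour, sent_last_day):
    """Return the reason the transaction needs a second admin, or None if it passes as-is."""
    if policy.whitelist is not None and dest not in policy.whitelist:
        return "destination not whitelisted"
    if policy.per_tx is not None and amount > policy.per_tx:
        return "per-transaction limit"
    if policy.per_hour is not None and sent_last_hour + amount > policy.per_hour:
        return "hourly limit"
    if policy.per_day is not None and sent_last_day + amount > policy.per_day:
        return "daily limit"
    return None


def drain_without_approval(policy, balance, tx_amount, dest, hours=24):
    """Simulate an attacker repeating one transaction that stays under the per-tx limit.
    Returns how much leaves within `hours` with no admin approving anything.
    Time is modelled in one-hour buckets within a single day."""
    sent_day = 0.0
    for _ in range(hours):
        sent_hour = 0.0
        while (balance >= tx_amount and
               needs_approval(policy, tx_amount, dest, sent_hour, sent_day) is None):
            balance -= tx_amount
            sent_hour += tx_amount
            sent_day += tx_amount
    return sent_day


def compare_policies():
    """Constructed scenario from the text: a 1,000-coin hot wallet, 50 coins per attempt."""
    tx_only = Policy(per_tx=50)
    layered = Policy(per_tx=50, per_hour=100, per_day=300)
    return (drain_without_approval(tx_only, 1000, 50, "attacker-addr"),
            drain_without_approval(layered, 1000, 50, "attacker-addr"))
```

compare_policies() returns (1000.0, 300.0): the per-transaction limit alone lets the whole balance leave in the first hour, while the layered policy caps unapproved outflow at the daily limit.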
Freezing your wallet can be used in case of an emergency. By freezing your wallet, you can prevent BitGo from signing any transaction for any time frame between 1 hour and 30 days.
Along with effective wallet policies, having multiple admins on the wallet adds an extra layer of security, as it requires that transactions that exceed policy limits get the approval of at least one other admin on the wallet.
We generally recommend having three admins on each wallet; this creates some redundancy in case one of the admins becomes incapacitated.
Advanced wallet setup features allow sharded keys for M of N admin approvals. For example, if you have three admins on a wallet, you can use sharded keys to require that at least two of the three approve transactions.
Requiring admin approval on transactions might seem cumbersome, but the inconvenience offsets the risk of losing crypto assets due to theft.
Wallets that typically have high transaction volumes (also known as “hot wallets”) should carry relatively low wallet balances, and should have tight policies limiting the amount of coin that can be sent from the wallet per transaction, per hour, or per day, without requiring approval from another admin on the wallet.
For maximum security, we recommend that the policy states that any transaction exceeding 0 coins (in other words, all transactions) require admin approval before they can be sent.
The majority of your cryptocurrency should be held in wallets that are not directly exposed to transactions to external parties. Ideally, this should be a “cold storage” wallet that is completely offline, never connected to the Internet.
In the absence of a cold storage wallet, the next best solution is to insert an additional wallet in your architecture that would function as a cold wallet. This is known as a “warm wallet”. Warm wallets should have a whitelist policy that restricts the sending of coins from that wallet to the cold wallet or hot wallet. The diagram below illustrates this wallet setup:
Keycard Storage Best Practices
When you create a wallet, you will be asked to download a KeyCard from the browser. Download the KeyCard directly to a USB device plugged into your computer. We recommend that you use an encrypted USB Flash Drive for this purpose, for an added layer of security. Immediately remove the flash drive from your computer after the file has completed downloading.
Connect the USB device to your printer and print the document. Make sure to clear the printer history/memory. Information on how to do this is available from your printer manufacturer’s website.
You can laminate your KeyCard for durability. To protect your KeyCard against water or dampness you can store it in a sealed plastic bag.
Store the KeyCard in a long-term secure safe, e.g. a safe deposit box, to protect it from fire and theft.
As a backup option, keep the KeyCard on the encrypted USB stick. Use this only as a backup for the hard copy described above. USB drives can be lost or even fail occasionally.
Avoid the following, as they can increase the attack surface available to a hacker:
DO NOT Store your KeyCard on a note taking app, computer, Email, Google Drive, or any cloud storage service. Doing so can compromise the credentials contained within your KeyCard and expose the KeyCard to a multitude of compromised or insufficiently secured
DO NOT Take a picture of your KeyCard or make digital copies.
DO NOT Tell anyone where and/or how you have stored your KeyCard.
DO NOT Share any details of your passphrase or KeyCard or BitGo credentials/login information with other parties – including BitGo. We will never ask for your KeyCard information, and you should not share it with us.
DO NOT Tell any service that hosts your wallet about your credentials unless absolutely necessary.