How to Protect Your Crypto Assets When You Die
You can’t take bitcoin with you when you die. So where does your bitcoin go? How can you ensure your cryptoassets move on to your loved ones?
Making end of life plans around your cryptoassets can be challenging. You need to protect your cryptoassets from theft today, but you also need to ensure their value transfers forward when you die (assuming you want someone to get your bitcoin).
This is increasingly becoming a problem that needs to be solved in the bitcoin community. You can find plenty of guides online about planning your cryptoasset inheritance system.
Jameson Lopp, blockchain infrastructure engineer, recently published an article titled Fifteen Men on a Dead Man’s Switch: Crypto Asset End of Life Planning Complexities.
We talked about Lopp last week when he stress tested several different cold storage devices, exposing them to high levels of heat, physical stress, and tension to determine which ones legitimately stood the test of time. Now, Lopp is focusing on what happens to crypto assets when their owner dies.
How do you protect your cryptoassets today while simultaneously ensuring they go to loved ones when you die? Let’s take a look at what Lopp found during his research – including how to set up a secure dead man’s switch for your cryptocurrencies.
Remember That Your Relatives May Not Understand Blockchain Technology
One of the biggest problems with cryptoasset inheritance planning is that you have to assume nobody understands how crypto works.
There may come a day when everybody understands bitcoin and how to transfer crypto between addresses – but we’re a long way away.
It’s easy to leave cash and other assets for relatives. Leaving cryptoassets, however, can be more complicated.
The Optimal Solution Is A Dead Man’s Switch
You want to access your cryptocurrency today. However, you also want to set up a dead man’s switch, allowing your cryptoassets to be transferred at your time of death.
The tricky part is making sure nothing accidentally triggers that dead man’s switch. You also want to make sure an attacker can’t trigger it deliberately, for example.
You can often find dead man’s switches on heavy machinery and similar equipment. They’re safety devices designed to protect everyone else when the operator is incapacitated.
A digital dead man’s switch, however, is trickier to set up than, say, that thing you’re supposed to clip to yourself on the treadmill at the gym. With a digital dead man’s switch, you’re dealing with long timescales and the most uncertain thing we deal with: our own deaths.
There Are Two Digital Dead Man’s Switches
Lopp mentions that there are two popular dead man’s switches available to internet users today, including:
- Stochastic Tech’s Dead Man’s Switch
- Google’s Inactive Account Manager
The problem with these dead man’s switches is security. Would you trust your entire life savings to the security of these dead man’s switches? What happens if these switches are accidentally triggered? What happens if a hacker manages to flip the switch and transfer your life savings?
As Lopp mentions, your best option is to use multiple services:
“…the optimal scenario would be to use hundreds or thousands of these services to bring the odds of all of them failing or colluding against you close to 0.”
Unfortunately, this isn’t realistic either, as nobody wants to set up hundreds or thousands of dead man’s switches.
“Thus it looks like the optimal solution is not a practical solution, at least not at time of writing.”
Nevertheless, there are options outside of dead man’s switches, including setting up an effective cold storage solution and distributing shards of its passphrase among your executors. Lopp explains this system in detail next.
Setting Up Cold Storage For Your Heirs
Lopp recommends setting up a cold storage system for your heirs. Ideally, this cold storage system would follow a rigorous, well-reviewed procedure like the Glacier Protocol. However, if you don’t have the time and money to implement the Glacier Protocol, then Lopp has a slightly more accessible solution:
Step 1) Buy a cheap laptop to act as an airgapped computer (i.e. a computer that is never connected to the internet). Something in the $300 to $500 range should be fine, because all it needs to do is boot from a USB drive.
Step 2) Disable Ethernet, Wi-Fi, Bluetooth, the microphone, and any data input or output hardware. You can do this in the operating system settings. Or, if you’re feeling extra cautious, you can open the laptop case, expose the motherboard, and physically remove or destroy those parts.
Step 3) Wipe the computer, then install your favorite Linux distribution.
Step 4) Install VeraCrypt from a USB drive or other media
Step 5) Create an encrypted file container that you’ll use to store all of your seed phrases, private keys, and recovery data.
Step 6) Choose “standard VeraCrypt volume”
Step 7) Select your encryption options. Lopp recommends choosing an option that layers multiple algorithms, like the AES(Twofish(Serpent)) cascade.
Step 8) Choose the size of your container. Remember that private keys are relatively small. If you create a 100MB or 1GB container, then that should be plenty of room.
Step 9) Encrypt the container using a randomly-generated long passphrase. You can generate this passphrase by rolling dice if you want to create your own randomness. The passphrase should be 30 to 64 characters long. You can buy a 30-sided die. Or, use a normal 6-sided die paired with a Diceware word list (five rolls select one word). The reason you’re rolling dice is simple: you want your randomness (your entropy) to be generated away from the computer.
Step 10) Format the file container as FAT. This will allow it to be compatible with all operating systems.
Step 11) Generate entropy in the window by moving your mouse around, then complete the creation of your file container. Close the creation wizard and mount the file container as a new volume.
Step 12) Copy all of your private keys, seeds, and recovery data into files on the newly mounted encrypted volume. Unmount the volume after all the data has been stored.
Step 13) Use Shamir’s Secret Sharing Scheme to split the decryption passphrase into your preferred setup (for example, any 3 of 5 shares reconstruct it). To decide how you want to split it, you’ll want to consider how many trusted friends and family you have. You’ll be sharing shards with each of these people. You’ll also want to leave enough overlap or redundancy to ensure the scheme doesn’t become useless if 1 or 2 members lose their data or cannot participate in the recovery ceremony.
Step 14) Copy the encrypted file container onto USB drives and place one Shamir’s share on each drive.
Step 15) Type a note to each person to whom you’re giving the USB drives. Include instructions on what to do when you’re no longer around. Explain what you did, including the step by step processes. Consider adding a technical tutorial and a super-basic tutorial – particularly if you’re not confident in the tech skills of your friends. Save this information as an unencrypted plaintext file on each drive. You may want to avoid listing the people and places where you’ve stored the other USB keys. Consider keeping that with your last will and testament – say, with your attorney.
Step 16) Test your instructions to make sure they work as advertised. Ideally, you’ll run one of the executors through the tutorial. Make sure you can reconstitute the decryption passphrase and use it to mount the encrypted file container.
Step 17) Once you’re comfortable with your system, delete and destroy the master decryption passphrase. If you want to give yourself access to the vault in the future without involving your friends and relatives, then create a new decryption passphrase and store it in a good password manager. Note that a VeraCrypt volume has a single passphrase: changing the passphrase on the container you hand out would invalidate your executors’ shares, so make yourself a separate copy of the container and change the passphrase only on that copy.
Step 18) Hand out the USB drives (Lopp actually recommends storing these drives in Faraday bags) to the executors of your will.
Step 19) Update the drives annually to protect against bit rot, a type of data degradation that will eventually corrupt data stored on the USB keys.
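To make the splitting step concrete, here is an added example of Shamir’s Secret Sharing applied to a vault passphrase. It is not code from Lopp’s post or from VeraCrypt; it is a stand-alone implementation working byte-by-byte over GF(2^8) (the same field AES uses), and the passphrase, the 3-of-5 split, and the function names (`split_secret`, `combine_shares`, `encode_share`) are this example’s own assumptions. It shows that any three shares reconstruct the passphrase while two shares yield only garbage.

```python
"""Split a vault passphrase into Shamir shares over GF(2^8) and recover it (added example)."""
import secrets


def gf_mul(a: int, b: int) -> int:
    """Multiply in GF(2^8) with the AES reducing polynomial x^8 + x^4 + x^3 + x + 1."""
    p = 0
    for _ in range(8):
        if b & 1:
            p ^= a
        a <<= 1
        if a & 0x100:
            a ^= 0x11B
        b >>= 1
    return p


def gf_inv(a: int) -> int:
    """Inverse via a^254 == a^-1 (the multiplicative group has order 255)."""
    if a == 0:
        raise ZeroDivisionError("0 has no inverse in GF(2^8)")
    r, base, e = 1, a, 254
    while e:
        if e & 1:
            r = gf_mul(r, base)
        base = gf_mul(base, base)
        e >>= 1
    return r


def split_secret(secret: bytes, k: int, n: int) -> list[tuple[int, bytes]]:
    """Return n shares (x, y_bytes); any k of them reconstruct `secret`."""
    if not 1 <= k <= n <= 255:
        raise ValueError("need 1 <= k <= n <= 255")
    # One random polynomial of degree k-1 per secret byte; the constant term is the byte.
    polys = [[s] + [secrets.randbelow(256) for _ in range(k - 1)] for s in secret]
    shares = []
    for x in range(1, n + 1):  # x = 0 would hand out the secret itself, so start at 1
        y = bytearray()
        for coeffs in polys:
            acc = 0  # Horner evaluation of the polynomial at x
            for c in reversed(coeffs):
                acc = gf_mul(acc, x) ^ c
            y.append(acc)
        shares.append((x, bytes(y)))
    return shares


def combine_shares(shares: list[tuple[int, bytes]]) -> bytes:
    """Lagrange-interpolate each byte's polynomial at x = 0 (in GF(2^8), subtraction is XOR).

    Works with k or more shares; with fewer than k the result is wrong but looks random,
    because plain Shamir has no integrity check. That is why a recovery rehearsal matters.
    """
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share index")
    out = bytearray()
    for pos in range(len(shares[0][1])):
        acc = 0
        for i, (xi, yi) in enumerate(shares):
            num, den = 1, 1
            for j, (xj, _) in enumerate(shares):
                if i != j:
                    num = gf_mul(num, xj)
                    den = gf_mul(den, xi ^ xj)
            acc ^= gf_mul(yi[pos], gf_mul(num, gf_inv(den)))
        out.append(acc)
    return bytes(out)


def encode_share(share: tuple[int, bytes]) -> str:
    """Text form to write onto an executor's USB drive, e.g. '3-9f1c...'."""
    x, y = share
    return f"{x}-{y.hex()}"


def decode_share(text: str) -> tuple[int, bytes]:
    x, hexpart = text.split("-", 1)
    return int(x), bytes.fromhex(hexpart)


if __name__ == "__main__":
    # Constructed example passphrase; a real one would come from dice rolls (step 9).
    passphrase = b"lumber crater staple battery horse correct"
    shares = split_secret(passphrase, k=3, n=5)  # 3-of-5 across five executors
    for s in shares:
        print(encode_share(s))
    assert combine_shares(shares[:3]) == passphrase
    assert combine_shares(shares[2:]) == passphrase
    print("only 2 shares:", combine_shares(shares[:2]))  # garbage, not the passphrase
```

For real funds, use a reviewed secret-sharing tool rather than a hand-rolled script, keep the share index with each share (a share without its x value cannot be used), and rehearse recovery exactly as step 16 describes: nothing in the math tells you a share has been corrupted until the reconstructed passphrase fails to mount the container.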
Ultimately, after much deliberation, this was the best solution Jameson Lopp arrived at. It’s effectively a dead man’s switch secured by your friends and relatives, with no single point of failure: no one share reveals anything about the passphrase, and the container is useless without enough shares to meet the threshold.
Alternatively, you can just leave a paper wallet tucked into your safe like the rest of us.
All credit for this tutorial goes to Jameson Lopp and his Fifteen Men on a Dead Man’s Switch post on Medium.