Taking care of any significant amount of crypto assets is not for the faint of heart. There are no banks, no intermediaries and no security except the one you create yourself.

IMPORTANT: NEVER EVER SHARE, REUSE OR TAKE PICTURES OF PRIVATE KEYS YOU WILL USE. THE PRIVATE KEY USED HERE IS JUST AN EXAMPLE, AND ANYONE READING THIS BLOG POST HAS FULL ACCESS TO ALL ASSETS IN IT.

There are many different ways to store the private keys of a crypto account. For anyone with significant funds I would generally recommend splitting the funds into several parts, and storing these using different kinds of technological and non-tech solutions.

There are already many different methods to store the private keys that are used to control crypto funds. These include multi-sig online wallets (like Gnosis and Parity), paper wallets, hardware devices (Ledger and Trezor), storage on exchanges and others. This will not be a long post about crypto security, or a comparison of methods, but a very practical instruction for how to store funds in a way that is pretty secure, that complements other methods, and that I have not found good instructions for elsewhere: the multisig steel crypto wallet.

The paper multisig wallet

The most basic form of offline (also known as cold) storage is to create a new crypto wallet (or set of keys), save the private key on a piece of paper and then lock or hide that piece of paper somewhere safe, while all digital traces of the keys are destroyed.

If the key generation is done on a clean computer, no one else should in theory be able to access the key. Now the only problem is to store the piece of paper in a safe and persistent way.

Now, a problem with paper is that it is easily lost or destroyed and having the entire private key accessible by just reading or copying the piece of paper is not safe.

A sample Ethereum private key, 64 characters long

2 of 2 paper multisig

A good solution for safety is to create a multisig paper wallet. The most basic form would be to take the piece of paper and cut it into two pieces, storing these at different locations or with different people. To access the funds, both pieces of the private key are required, solving many possible attack vectors and securing against catastrophic events. However, if one of the paper pieces is lost for any reason, the key will also be lost forever, along with access to whatever assets are held in that wallet.

The private key split into two parts

2 of 3 paper multisig

To remedy this problem and create a safe and more persistent paper multisig wallet the private key can be split into three parts, copied to three pieces of paper and stored in three different locations where each location has two pieces of the key. This way, the entire key can be reconstructed using the key parts from two of the three paper pieces.

The private key split into three parts

Location 1: part 1 + part 2

Location 2: part 2 + part 3

Location 3: part 1 + part 3

Just reassemble the key parts in the right order from two of these locations (as part 1 + part 2 + part 3) and the complete private key is back.

2 of 3 steel multisig

The final iteration to create a safe and persistent offline multisig wallet is to replace the paper pieces with something more durable — enter the Cryptosteel device (consumer advice, other devices like this might exist). This is a stainless steel device that can hold most passwords or cryptographic keys in a pretty durable way (check this video).

In the system above, each location will just get a Cryptosteel device with two parts of the key instead.

Step by step instruction to create an Ethereum steel multisig wallet

Equipment needed:

A clean air gapped computer (i.e. not connected to the internet)

The current version of myetherwallet as a zip file

3 Cryptosteel devices

Step 1: Download Myetherwallet and run it offline

Download the current version of www.myetherwallet.com as a zip file from their Github. Choose the file named something like etherwallet-v3.10.4.3.zip. Find the URL to myetherwallet Github in the footer of their official website. Double check that you are on the official website before downloading anything.

Extract the contents of the zip file, copy them to a USB drive and transfer them to the air gapped computer.

Open index.html in the etherwallet-xxx folder.

For more info on keeping an air gapped computer secure, see this blog post by Bruce Schneier.

Step 2: Create a new Ethereum wallet

On the main myetherwallet landing page, enter a long and very strange password. You will not use this password again and do not need to remember it, so don’t write it down. Press “Generate New Wallet”.

Press “Download Keystore File (UTC / JSON)”. These files should be deleted when finished with the process.

Then press “I understand. Continue.”

Now your private key is displayed on screen. This is what will be used to create the multisig key.

Step 3: Prepare the private key

Copy the private key to a new text document (notepad/textedit or similar is perfectly fine).

Divide it into 3 parts. It’s 64 characters in total so each part should be around 20–22 characters long.

Device 1: part 1 + part 2

Device 2: part 2 + part 3

Device 3: part 1 + part 3

The private key split into three parts

Step 4: Enter private key parts into device

With the key now prepared, enter two parts into each of the three hardware devices.

The devices I use, Cryptosteel, have a total of six lines, each with 16 characters of space to store codes.

As an example, for device 1 in a scheme like the above the following can be stored in the device.

On line 1, positions 1 through 4, I add the first 16 characters of the public key to use as an identifier of the device.

Lines 2 and 3, positions 5 to 10, hold part 1 of the private key with an added 1x as identifier of the private key part.

Lines 1 and 2 of the back side (positions 13 to 18) are used to store part 2 of the private key, with 2x added to the beginning as an identifier.

I have added 1x, 2x and 3x to the beginning of each key part to make it clear which is which.

The device with the beginning of the public key and part 1 of the private key

Step 5: Finish up all devices

Now finish up by repeating the process above for each of the devices, replacing the private key parts according to the schema:

Device 1: part 1 + part 2

Device 2: part 2 + part 3

Device 3: part 1 + part 3

Remember to permanently delete any wallet UTC or JSON file you still might have.

After a lot of fiddling with very small pieces of metal you now have your very own Ethereum multisig steel wallet! Congratulations! Double and triple check that everything was entered correctly.

The full set of devices
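The split, the 1x/2x/3x tagging and the read-back check from steps 3 to 5 can be done mechanically, as in the Python below. It is an added example, not part of the original post or of any MyEtherWallet or Cryptosteel tooling. It also reports how much of the key a single device does not hold, since each device on its own carries two of the three parts. Assumptions: a 22/21/21 character split, hypothetical function names, and a constructed sample key.

```python
from itertools import combinations

# Constructed sample key for illustration only; never store funds under it.
SAMPLE_KEY = "0123456789abcdef" * 4
PREFIXES = ("1x", "2x", "3x")               # part identifiers used in the post
LAYOUT = {1: (1, 2), 2: (2, 3), 3: (1, 3)}  # device -> parts, per the schema

def split_key(key_hex):
    """Split a 64-hex-character key into parts of 22, 21 and 21 characters."""
    key_hex = key_hex.strip().lower()
    if len(key_hex) != 64 or any(c not in "0123456789abcdef" for c in key_hex):
        raise ValueError("expected exactly 64 hex characters")
    return [key_hex[:22], key_hex[22:43], key_hex[43:]]

def device_contents(parts):
    """Tagged strings to enter on each device, e.g. device 1 -> 1x..., 2x..."""
    return {dev: [PREFIXES[n - 1] + parts[n - 1] for n in held]
            for dev, held in LAYOUT.items()}

def reconstruct(*devices):
    """Rebuild the key from the tagged strings read back off two devices.

    A part stored on both devices must match; a mismatch means a character
    was set or read incorrectly on one of them.
    """
    found = {}
    for tagged in (t for dev in devices for t in dev):
        tag, body = tagged[:2], tagged[2:].lower()
        if tag not in PREFIXES:
            raise ValueError(f"unknown part identifier {tag!r}")
        if found.setdefault(tag, body) != body:
            raise ValueError(f"part {tag} differs between devices")
    missing = [t for t in PREFIXES if t not in found]
    if missing:
        raise ValueError(f"missing parts: {missing}")
    # Re-validate length and alphabet of the reassembled key before returning.
    return "".join(split_key("".join(found[t] for t in PREFIXES)))

def unknown_bits(device):
    """Key bits a single device does NOT hold (4 bits per hex character)."""
    return 4 * (64 - sum(len(t) - 2 for t in device))

if __name__ == "__main__":
    devices = device_contents(split_key(SAMPLE_KEY))
    for a, b in combinations(devices, 2):
        assert reconstruct(devices[a], devices[b]) == SAMPLE_KEY
    for dev, held in devices.items():
        print(f"device {dev}: {held} ({unknown_bits(held)} bits elsewhere)")
```

Run it only on the air gapped computer, because it handles the full private key. With this split a single device leaves 84 or 88 bits of the 256-bit key unknown, which is worth weighing when choosing the three storage locations.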

Step 6: Testing

To access your public address, go to myetherwallet (still on your secure air gapped computer) and press “Send ether and tokens”. Select “Private key” and enter the full private key, then press “Unlock”.

Now your address will be displayed on the right side of the page that opens (under “Account Address”).

Test the wallet by sending some nominal amount of ether to this address. Sending ether to the new wallet can be done from any other wallet or account. Verify that the ether has been sent to the wallet by checking the transaction at Etherscan or some other online service.

Verifying that you can send ether or tokens from the new wallet can be done from the air gapped computer. This is done as an offline transaction on Myetherwallet: just press “Send Offline” in the top menu and follow the instructions. The last step has to be done from an internet connected computer, so when the transaction data is ready it is copied as text from the air gapped computer and pasted into the same field on an internet connected computer.

Notes about the Cryptosteel device:

The devices were delivered without any kind of instructions which led to some frustration as I tried to figure them out. The first one is opening them up for the first time. They are constructed as two parts bolted together at the lower end. You open it up by sliding the top side counter-clockwise, just figure out where the middle layer is and slide it apart.

The second potential frustration is opening up the “lid” securing the tiny letters. This is done by first unscrewing the screw 90 degrees, then pushing out the sprint (see image below) and folding out the lid.