In 2014 we saw the release of the first hardware Bitcoin wallets. Now the unicorn is real: offline coins that can be spent, using an Internet-connected and even malware-infected computer, all without risk of losing your money.

How is this possible? It’s important to first understand how bitcoins get stolen.

To say that someone’s bitcoins are “on her computer” is actually a misleading statement. What is stored on a Bitcoin-owner’s computer is actually the private key that corresponds to her Bitcoin address (the public key). When the owner wants to spend her funds, her wallet software combines her private and public keys to create a signature—the digital equivalent of signing the back of a check. This digital signature unlocks the funds and they’re now spendable.

This is why storing your private key in an Internet-connected laptop, desktop or phone—or with an online wallet service—always carries risk. It’s always possible that malicious software (“malware”) could enter your device through the Internet, enabling someone to discover your Bitcoin private key and spend your money.

Cold storage savings—that is, sending your bitcoins to a public address whose private key is not stored on any Internet-connected device—provided an answer to this problem. But it was inconvenient. You couldn’t spend from your savings without first importing the private key into Internet-connected software, defeating the whole purpose of cold storage. Could a “hot” wallet (spend-ready) and a secure wallet ever be one-and-the-same? This unicorn—cold storage you could spend from—was what we were all hoping for.

Hardware wallets appeared as the white winged creatures, and the most popular among them is the Trezor.

The Trezor, which is not Internet-enabled, stores your private key. Using the USB cable provided, you connect it to your computer and create a wallet at MyTrezor.com. The Trezor device then generates a seed of 12, 18 or 24 random words (your choice) on its own small screen, which you write down and store away. These words never touch the Internet and can be used to recover your private key if your Trezor is ever lost, destroyed, or stolen.

You can also choose to enable PIN and/or passphrase protection, so that if your device were ever stolen, the thief would also have to know two additional pieces of private information to access your coins.

Worried that your computer could be infected with a keylogger (malware that records your keystrokes)? You’re still safe. If you choose to enable PIN protection, MyTrezor wallet will ask for your PIN before a transaction is sent. The 9-digit number pad is only displayed in cleartext (scrambled out of standard order) on your Trezor itself. Only question marks appear on your computer screen, which you click with your cursor.

You may be wondering: what if I want multiple private keys because I (duh) want to have more than one Bitcoin address? No problem. The Trezor is a deterministic wallet, which means that an unlimited number of public addresses are recoverable from the same, single seed.

The Trezor is the creation of Prague-based SatoshiLabs, which was founded in fall 2013. All the software for the Trezor is open-source and viewable on GitHub, and the device ships for free internationally. At the time of writing, a Trezor costs 0.32 BTC ($119 USD).

If you own or plan to own bitcoins, and if you’re worried about computer security (who isn’t?), consider shopping around for hardware wallets. Store your private keys offline while retaining the ability to spend your Bitcoin easily.