Not your keys, not your coins (NYKNYC) is the best principle to follow to keep your bitcoin safe. But how do you keep attackers from stealing your keys? Cold storage is the best option: that way, your keys never touch an internet-connected device. However, it is also convenient to be able to use your bitcoin for everyday payments, usually on your smartphone, but also on your laptop or desktop computer. That is why we want to talk about operating system security.
Best operating system for bitcoin storage
Let us begin with the most obvious observation: the Windows operating system is not secure. Do not keep your coins on any Windows-powered system. Other systems are sufficient for small amounts. We must also distinguish between power users and ordinary users who can barely install a wallet.
iPhones and iPads run iOS (formerly iPhone OS). iOS is a heavily locked down system, so as long as your threat model does not include Apple itself or state actors, devices running iOS are a fairly good choice for a software wallet. Muun and BlueWallet are available on the App Store.
Android is a bit more open than iOS. Google isn’t monitoring the software in the Play Store as tightly as Apple. And there are many manufacturers like Samsung that add a lot of garbage to your system. If you don’t do too much weird stuff like installing hundreds of applications, it’s still generally safe enough for some sats.
Because Android users outnumber iPhone and iPad users, many bitcoin wallets are available on the Google Play Store. If you have a choice, though, it’s better to go for a Google Pixel. There’s less garbage on these and they have additional security hardware.
GrapheneOS is the most secure open-source choice for a smartphone (it would be more secure to not use a smartphone at all, though). GrapheneOS can only be installed on Google Pixels, starting from the Pixel 4, and these days there’s even a convenient web installer.
CalyxOS is a free Android mobile operating system that focuses on privacy and security. It supports Google Pixels, Fairphone and eSIM. CalyxOS was designed with frontline human rights defenders, journalists, lawyers, and political and social activist groups in mind.
DivestOS is an attempt to backport GrapheneOS features onto LineageOS. It is a free operating system which prioritizes privacy, security, and compatibility with older devices. Here’s a list of DivestOS supported devices.
Windows is still okay if you’re using an external signing device like a Trezor or Coldcard. That way, the keys themselves are not directly exposed. If you’re storing a significant amount of satoshis, you have to consider that a potential attacker who gets control over your machine will know the balance of your wallet, and lots of other information about you, most likely your home address if you access your email account from this machine.
It’s good to understand that accessing exchanges exposes you to the risk of theft as well. If an attacker has full control over your machine, they will also be able to log in to the exchange and withdraw coins. Two-factor authentication (2FA) can mitigate the risk, but only if the second factor lives on a separate device. If your 2FA code arrives by email and you read that email on the same machine, it will likely not help you.
Linux is a great choice if you are a geek. Also, if you are a wannabe geek. Linux is actually GNU/Linux. There are various distributions of GNU/Linux. Here we cover the ones we think are most relevant to Bitcoiners. Bitcoin wallets that are compatible with Linux include Sparrow, Wasabi, Electrum, and Specter.
Linux bitcoin wallet reviews
Debian has been around for longer than last week. Ubuntu is a spin-off of Debian. Purists hate it. It’s also worse for your privacy than Debian, out of the box. And Mint is a spin-off of Ubuntu; some people prefer it.
Tails is a Linux-based live USB system designed to protect against surveillance and censorship. You can download it, verify the signatures, and put it on a USB stick with the appropriate software. Now you have a USB stick that you can boot your system from. By default, it doesn’t store anything on the device and it does not use the internal hard drives. When you shut down the machine (or pull the stick out of the machine, which is what Ross Ulbricht should have used with a thread around his wrist) the RAM of the machine is wiped and there is no more trace of what happened. You can however create persistent, password-encrypted storage on the USB stick. Without the password, no one has access to this data.
By default, Tails uses Tor, so if you are going online with it, you are fairly anonymous. Alternatively, you can also decide not to go online when booting. If you are appropriately paranoid, you could even use a separate machine only for the purpose of dealing with bitcoin, take out the Wi-Fi chip and never let the machine go online. You can use the Electrum bitcoin wallet with Tails.
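The "verify the signatures" step above is the one that protects you from a tampered download, so here is what it looks like in practice. This is an added example, not code from the original post or from the Tails project: it wraps the two checks a practitioner does before writing a live image to a stick (an OpenPGP signature over the image, which Tails ships as a detached .img.sig file, and a SHA-256 checksum as a second line of defence against a corrupt download). The keyring path, image and signature file names are assumptions; the checksum file in the usage example is constructed.

```shell
#!/bin/sh
# Added example: verify a downloaded live-USB image before writing it to a stick.
# Assumes the project's signing key has already been imported into a throwaway
# keyring (path below is a placeholder) and that gpg and sha256sum are installed.

# Verify a detached OpenPGP signature over the image.
# Returns 0 only if gpg reports a good signature from a key in the given keyring.
verify_signature() {
  image="$1"; sig="$2"; keyring="$3"
  gpg --no-default-keyring --keyring "$keyring" --verify "$sig" "$image" 2>/dev/null
}

# Compare the SHA-256 of a file against an expected hex digest.
# Returns 0 on match, 1 on mismatch.
verify_sha256() {
  image="$1"; expected="$2"
  actual=$(sha256sum "$image" | cut -d' ' -f1)
  [ "$actual" = "$expected" ]
}

# Read the digest for a given file name out of a "sha256sum"-style checksum file
# (lines of the form "<hex digest>  <file name>"). Prints the digest, or nothing.
expected_digest_for() {
  checksum_file="$1"; name="$2"
  awk -v n="$name" '$2 == n { print $1 }' "$checksum_file"
}

# Full check: both the signature and the checksum must pass.
verify_image() {
  image="$1"; sig="$2"; keyring="$3"; checksum_file="$4"
  verify_signature "$image" "$sig" "$keyring" || { echo "BAD SIGNATURE: $image"; return 1; }
  digest=$(expected_digest_for "$checksum_file" "$image")
  [ -n "$digest" ] || { echo "no checksum entry for $image"; return 1; }
  verify_sha256 "$image" "$digest" || { echo "CHECKSUM MISMATCH: $image"; return 1; }
  echo "OK: $image"
}

# Usage (placeholder names):
#   verify_image tails.img tails.img.sig ./tails-signing-keyring.gpg SHA256SUMS
```

Run the signature check first: a checksum downloaded over the same channel as the image proves nothing about who produced it, whereas a signature from a key you obtained and checked separately does. The checksum only tells you the bytes on disk are the bytes that were signed.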
Qubes OS is based on Fedora and describes itself as a “reasonably secure operating system”. You can secure your bitcoin with Qubes OS’s “split bitcoin wallet” functionality by splitting your wallet into an offline “cold storage” wallet and an online “viewing only” wallet. Because of the way Qubes OS isolates virtual machines, malware in the online VM will be unable to access the offline VM devoted to cold storage, which keeps your bitcoin safe. Find out how to set up “split bitcoin wallet” here.
We think the command-line is a great way to interact with technology, but macOS is a good choice if you don’t ever want to deal with the command-line. Make sure you run regular security upgrades.