How to use the ColdCard hardware wallet, a popular choice amongst Bitcoiners concerned with security and privacy.
This is an opinion editorial by Arman The Parman, a Bitcoin educator passionate about privacy and contributor to Bitcoin Magazine.
Make sure you go through the other piece “Using Bitcoin Hardware Wallets” first. I will skim through some steps and focus mostly on what is specific to ColdCard here.
This guide will be appropriate for the ColdCard MK3 and the newer Mk4.
Buy the device directly from the manufacturer, Coinkite. This is mandatory; don’t buy from Amazon, eBay or used, to eliminate the possibility of tampering by a scammer who may later try to steal your bitcoin. You’ll need to get a micro SD card as well (the smallest and cheapest will do), and for this Amazon is probably your cheapest option (or, locally and quicker, Walmart or Target, etc., also usually carry them). You’ll need a connection cable as well, as one does not come with the device. You might have one lying around from an old phone, or just buy one.
The Coldcard Mk4 has a USB-C connection attached to the shell, and the Mk3 has a micro USB connection. You need to source your own USB cable that matches the device and your computer’s USB port type.
For example, if you use a modern Mac, it’ll have USB-C ports like the ColdCard does, and you’ll need a cable like this:
For the Mk3 ColdCard and a computer with regular USB ports, you’ll need a cable with micro USB and regular USB, like this:
In addition to the cable, you’ll need a 5-volt charger, like the ones most phones use. You can connect your wallet to the computer for power, but we want to avoid that if we can, for optimal security.
When you place your order with Coinkite, ideally you shouldn’t ship it to your home address, as the packaging (available to see by the entire delivery distribution chain) states that the content is a “ColdCard calculator.” You don’t want to reveal to the world that you own bitcoin, and where you live. So, use a fake name, and ship it to your place of work, or a P.O. Box. This is best practice, but probably not a devastating error if you don’t.
Setting Up The ColdCard
When the device arrives from Canada, make sure you inspect the tamper-evident bag for any disturbance/compromise. There is also a number on the bag – keep it, as the device will require you to compare that number with a number the device provides from its memory, to ensure you are receiving the correct device, and not a swapped one.
Power on the device, and read everything the device presents to you carefully. The keypad has arrows; use them to scroll down to the bottom of all messages. Sometimes at the end of a message, it will get you to press a specific number to prove you read the message. If you didn’t read that and pressed the checkmark to proceed, you’ll loop back to the start and you’ll think the device is faulty.
You’ll be given instructions to set a PIN. The naming of the PIN is unfortunate and a bit confusing, and I’ll explain. There are two PINs in fact. When you turn on your device, you’ll be entering PIN-1. You will then be presented with two “phishing” words that are unique to your device. The words will be the same every time, and you just need to confirm you recognise those words. Recognising the words confirms you put the correct PIN-1, and that the device is really yours and hasn’t been swapped without your knowledge. Once you know the device is yours, the next prompt is to enter PIN-2.
The ColdCard device calls PIN-1 the PIN prefix, and when prompted for PIN-2, it says “enter rest of PIN.”
When setting PIN-1 or PIN-2, you can choose 2-6 digits for each PIN.
You will then be presented with the option to create a new wallet or “import existing” (restore a wallet). I will go through creating a new wallet. The device will give you 24 words, one at a time. Write them down in order, and then you’ll be asked to confirm the words. Just work through the prompts. Remember to make a duplicate of these words, and store the two copies in different locations to prevent total loss from a catastrophe such as a fire.
Once you are finished, the device will show you the top menu which reads “Ready to Sign.” You can then disconnect the device. Reconnect and make sure you get the hang of turning it on and entering your PIN numbers.
A “wallet” has several meanings. Here I’m using it to describe the unique collection of 2^32 addresses that belong to the
- seed phrase (words)
- plus passphrase (your choice of text up to 100 characters)
- plus derivation path
Those three things, when combined, create a “wallet” -> roughly 4.3 billion addresses, each with a private key.
Don’t worry too much about the derivation path; in a way, it acts like a second passphrase, and users should usually just leave it at the default, m/84'/0'/0'. Even advanced users shouldn’t edit it, in my opinion. If the derivation path is presented to you during any wallet creation process, it is good practice to write it down, although if it is lost and you never changed it, it won’t be too difficult to recover the “default” numbers.
Every time you turn on the ColdCard, you will have access to the 4.3 billion addresses that belong to the seed (no passphrase).
You can apply any passphrase you want (100 character limit), and when you do, the ColdCard forgets the original 4.3 billion addresses from its temporary memory (it only holds one collection of addresses at a time), and you get a fresh new set of addresses (a wallet) that belong to the original seed phrase plus the passphrase you chose.
When you turn off the device, all wallets disappear from memory (but not the seed of course). When you turn it on, you’ll be back to the original wallet with seed plus no passphrase. To get your passphrase wallet back, you have to apply the passphrase again. In this way, you can have limitless wallets (each with 4.3 billion addresses) that are derived from a single seed phrase (which you backed up).
If you ever lose the device, you can simply buy another (or even one of a different brand name if you choose), restore the seed you have kept safe, and you’ll get your original wallet back. You can then apply any passphrase to get your passphrase wallets back (and the bitcoin in them of course). Your bitcoin is not bound to the ColdCard device, it is bound to the BIP-39 (Bitcoin Improvement Proposal 39) protocol. You can learn more about this protocol by following the instructions of this fun exercise.
To apply a passphrase, go to the passphrase menu, and select “edit phrase.” The 1, 2 or 3 buttons allow you to change the type of symbols to select from. Use the up and down arrow to select the symbol, then use the left and right arrows to move the cursor to the position you want to edit. When finished, click the checkmark. But that’s not it, you still need to “apply” the passphrase to memory. Scroll to the bottom and select “apply.” Read the message. If your micro SD card is inserted, you’ll have the option to save the passphrase to the card to avoid this tedious procedure of typing the passphrase, but be aware you are recording sensitive information on the card and need to keep it secure.
When turning on the device at a later time, to get your passphrase wallet, you go to the passphrase menu. If your micro SD card is inserted, you can select “restore saved.” If not, you have to repeat the above procedure (edit phrase, and then apply).
Remember if you ever want to “export” a wallet from the device to make a watching wallet (don’t worry if you don’t know what that means for now), you need to have the correct wallet in memory at the time you make the export; either the wallet with no passphrase or a wallet from one of your passphrases.
In previous articles, I explained how to download and verify Sparrow wallet, and how to connect it to your own node, or a public node. This is outside the scope of this guide, but you can follow these guides if interested. Otherwise, just read on.
An alternative to using Sparrow bitcoin wallet is Electrum desktop wallet, but I will proceed to explain Sparrow’s bitcoin wallet as I judge it to be the best for most people. Advanced users may like to use Electrum as an alternative.
To install Sparrow, follow the “Install Sparrow Bitcoin Wallet” link above and then return here.
Run Sparrow Wallet
This pop-up can be deceiving. Read it properly. The “offline” button and toggle are an image only, i.e., you can’t actually interact with them (people have tried!). Just click the “Next” button.
Again, that yellow toggle is an image only. Read and click “Next.” And the same with the next two pop-ups, until you see this:
Here we are about to connect to a public server that belongs to Emzy. Emzy is a great guy and I wouldn’t object to connecting to his node, although best practice (which you can eventually strive for) is to connect to your own node. Click the “Test Connection” button to make sure you can connect to Emzy’s node.
Then you can click the giant blue “General” tab on the left:
All of this can be left as defaults. Go ahead and select “Create New Wallet.”
Name it something pretty:
Then click “Create Wallet”
We can set up all sorts of wallets from here. I will demonstrate two ways, one with the ColdCard directly connected by cable to the computer (this is fine, but theoretically not as good as the next method). The other is the more cumbersome way, i.e., air-gapped.
Go ahead and connect the ColdCard to the computer and enter the PIN. Then apply the passphrase if you want that.
Then click the “Connect Hardware Wallet” button.
Then click “Scan” …
Sparrow should detect your device. Some troubleshooting if you fail at this step:
- Make sure you have proceeded past the PIN-entering stage on the device.
- If you previously connected the device to another wallet, unplugging and reconnecting may be necessary to “forget” the old connection.
- Make sure the USB option is not turned off in the ColdCard settings.
Now we are presented with some details about the wallet. You can copy the xpub or zpub to a file – this will allow you to restore the wallet (but no spending ability) – sort of like being able to access your bank account online but as an observer only. The xpub is still sensitive, but just not as much as the seed words and passphrase. Note the computer doesn’t know the seed phrase: that is kept hidden in the ColdCard, its primary job. Click “Apply” to proceed.
A copy of the watching wallet is going to be made on the computer and this will encrypt it. Don’t confuse “password” with “passphrase.”
Once the computer does its thinking, all the blue buttons on the left are available to you. You can click “Addresses” now and see your wallet. Even though you have 4.3 billion addresses, only the first several are shown. By the way, you also have 4.3 billion change addresses, so I should have said earlier that each wallet has 8.6 billion unique addresses.
To receive some bitcoin, go to the Addresses tab on the left and choose one of the addresses to receive. Just right-click the address you want, and select “Copy Address.” Then go to your exchange where the money is being sent from and paste it there. Or you may give the address to a customer who can use it to pay you.
When you use the wallet for the first time, you should receive a very small amount and practice sending it to another address, either within the wallet or back to the exchange, to prove that the wallet is functioning as expected.
Once you do that, you must back up the words that you wrote down. As mentioned earlier, a single copy is not enough. Have two paper copies at least (metal is better), and keep them in two different, well-secured, locations. See “Using Bitcoin Hardware Wallets” for a full discussion on this.
When making a payment, you need to paste the address you are paying to into the “Pay to” field. Enter the amount; you can also manually adjust the fee to what you want.
The wallet cannot sign the transaction unless the ColdCard is connected. That’s the job of the hardware wallet: to receive the transaction, sign it, and give it back, signed. When you sign on the device, make sure you visually inspect that the address you are paying to is the same on the device, on the computer screen, and on the invoice you received (e.g., you might have received an email asking you to pay a certain address).
Also pay attention that if you choose to use a coin that is larger than the payment amount, then the remainder will be sent back to one of your wallet’s change addresses. Some people have not known this, and looked up their transaction on a public blockchain, and thought that some bitcoin was sent to an attacker’s address, but in fact, it was their own change address.
Installing the firmware yourself on the device is best practice, but outside the scope of this guide. There are instructions here by Coinkite.
This article showed you how to use a ColdCard hardware wallet in a safer and more private way than advertised – but this article alone is not enough. As I said at the start, you should combine it with the information provided in “Using Bitcoin Hardware Wallets.”
This is a guest post by Arman The Parman. Opinions expressed are entirely their own and do not necessarily reflect those of BTC Inc or Bitcoin Magazine.