Security Procedures
This is an overall introduction to security practices for those who may be unfamiliar with common sources of security mistakes. It assumes no knowledge at all of best practices and is intended to help users avoid the most common problems associated with using crypto. It is extremely important to understand the dangers associated with securing your funds and keys, and the risks associated with using it incorrectly. It will cover common areas that affect other things as well, apart from key security, such as email and other accounts.
Skip any sections that you are already familiar with. This is intended to be a comprehensive guide for new users.
Password Managers
Passwords are the most common way to secure accounts. They are also the most common way to lose access to all of your funds. It is extremely important to understand how to use passwords correctly, and how to secure them. Password re-use is incredibly common, and rotation is an unrealistic expectation for most people and no longer a security recommendation in most cases. The first and most important practice you should follow is to use a password manager.
If you are extremely technically proficient, you can use a password manager like KeePass or KeePassXC (better cross-platform support) to manage your passwords. This is the most secure option as they are both open source and run locally with E2EE. However, they are not user-friendly and require manual setup for cloud syncing and backups and cross-platform usage. The next best option is relying on a self-hosted manager like Vaultwarden which you can setup to gain access to other features. This also requires a huge amount of technical knowledge and is not recommended for most users.
The best option for most users is to use a cloud-based password manager like
iCloud Keychain, or Firefox's password manager,
or even Google's Password Manager. These are all secure enough for most
users depending on your preferences and integrate directly with browsers. The last tier would be things like
BitWarden, 1Password or LastPass.
Please read up on each of these last solutions as both 1Password and LastPass have had security issues in the past,
but they are still a step above re-using passwords for each site.
It is strongly recommended you store a recovery key for your password manager in a secure location, or at least be aware of the process. The process for this is dependent on the password manager you choose. Please see later discussions for best way to store this.
Browser Security
Brave is generally the most recommended secure browser in terms of privacy and security, but it requires some customization to remove all the default tracking. Firefox is also highly recommended for security, but has less contributors versus Brave's Chromium base. Chrome is also widely regarded as relatively secure, but comes at a cost of extremely invasive privacy related issues. For any of these browsers, it is recommended to install the common privacy preserving extensions (AdBlock, uBlock, etc.) and to disable all tracking and telemetry. Whichever browser you choose, you should ensure that your password manager solution works properly with it.
Hot Password
The first password you will need to create is your 'hot' password. This is the password you will use to secure your password manager (if using Cloud Sync) / primary email. It is recommended if you don't understand much about password selection to please search for more information about what constitutes a secure password. This password is one you will be needing to enter very frequently, as you will use this in your day-to-day life on an internet connected computer and likely submitting it to some external cloud service / email authentication. For most users, we don't make a distinction here between the level of security associated with a password manager and your primary email (as most people will simply use a Cloud based password manager and transmit hashed version over the internet to external service.) This password is likely the password you are already using. If you are already using this on some external hot accounts you should verify first with common breach detection websites whether or not this has been compromised or breached, and rotate it if it has.
The reason for calling this a 'hot' password, is that we are indicating this is a password you enter on an online capable computer, and transmit to external services for authentication. That makes it the most susceptible to security breaches from external actors (i.e. a breach out of your control and unrelated to a local breach.)
It is highly recommended to NEVER re-use this password anywhere else. Do not re-use this password with any other external online accounts. Limit your risk here to only the password manager and/or primary recovery email (same threat model.)
This is the first type of password mentioned in this doc and is the least secure as it requires interactions with external 'hot' services. Further types of more secure passwords will be discussed in later sections.
For email, use a secure service like ProtonMail -- this will also require you to setup 2FA and recovery codes. It's sufficient to re-use the 1st master hot password here (or rely on keygen) as your email and password manager should be considered roughly the same level of security given how many services allow resets. This also allows recovery despite losing all password manager details -- which is important. Gmail has a similar level of security here as well if you are comfortable with Google's invasive privacy policy and/or do not wish to pay for email.
For 2FA use a service like Authy which is compatible with previous steps. Avoid SMS. If you're super clever use a Yubikey or other physical 2FA device.
Please use and enable 2FA for all the websites you might use (such as Coinbase, banks, etc.)
It is also extremely important that you store recovery codes for your email, as without them you can potentially lose access to all of your accounts in the event of a disaster like forgetting your password or losing access to password manager.
E2EE Encryption / Warm Password
It is recommended that you setup an E2EE (end-to-end encrypted) volume for additional storage of personal documents or sensitive information and/or recovery codes. Here we make an important distinction in security levels by introducing a 'warm' password. This is a password that you would commonly use locally on a hot computer, but is never intended to be transmitted to an external service. This distinguishes the security level from those you transmit externally in the sense that a breach associated with an external service cannot compromise it, but a local hack can. This is the 2nd type of password mentioned in this doc and is more secure than the first.
Since this password does not need to be entered as frequently, it is okay to make it longer and use more entropy than the first. As many users will have trouble remembering multiple passwords, it is okay to make this a derivative of your primary password, but keep in mind this password should NOT be stored in your password manager.
If you are uncomfortable attempting to remember multiple passwords, you can re-use the same password manager as before, but it is still recommended you maintain and E2EE vault of some kind for documents, as this removes the temptation to rely purely on unencrypted documents in conventional cloud storage.
The most recommended tool to do this is Cryptomator, which is free and open source. This is better for cloud backed E2EE than tools like Veracrypt which produce an entire encrypted volume and do not work well with synchronization. Cryptomator creates a large number of individually encrypted files, so diffs can be synced immediately to cloud backups without re-uploading the entire volume for each change. It is also better since you can pair it with an existing cloud backup solution, and avoid using a closed-source E2EE product that is paired with your cloud backup.
Ideally, this password should never be submitted to any external service, so that the only risk is a local hack. This relies on the security of the system you're running on, so it's a partially hot password (hence warm) since it's assumed you'll most likely run this on a regular computer that has internet access for synchronization and backup. This can produce a recovery key if desired. Print that recovery key out and store somewhere secure if needed, otherwise not required so long as password properly memorized.
Install backup and sync services. pCloud is most convenient for synchronization
since it allows you to select an arbitrary folder instead of forcing a specific one.
For other services, nest the folders together. I.e.
~/Google Drive/Sync/Dropbox/..etc/your_vault -- at least 2 services should be used
in case of failure.
Cold Computer / Cold Password
The third and last password option we'll discuss here is one for use purely on cold computers. A cold computer is an air-gapped computer that has never been connected to the internet. This is the most secure type of computer. Ideally also it is running an ephemeral privacy-preserving operating system, and has no persistent storage. You may be familiar with air-gapped wallets in use on phones, but in this case, we're discussing usages related to cold high entropy password mixing and derivation for generation of mnemonics.
Right now, Redgold key generation software primarily supports Linux (does not yet have support for phones / android air gaps.) So we recommend starting with a Linux-compatible laptop. The motivation here, is that we want a password which has NEVER been entered on a hot computer, with a large amount of entropy, which is used very infrequently in order to generate other cold data (such as mnemonic seeds.) The motivation for this, is to produce a very secure set of data that can all be derived from a single value, and allow rotations in mnemonics. While BIP-85 allows for mnemonic derivations from a single source (and will eventually be integrated in the future), this solution is one step above that, in the sense that it allows for arbitrary offsets to allow better rotations and prevention of compromise.
The first step here is to buy a cheap linux-compatible laptop which acts as the cold computer. Example cheap laptop, as well as a few USB drives, one for for booting a live OS from, and a secondary for copying over data binaries.
Install TAILS or another equivalent secure live OS onto the USB drive. Never ever connect this computer to the internet, not even for updates or anything else. Keep it secure away from any usage other than dedicated password operations. Boot the laptop into it's BIOS -- hold a key dependent on manufacturer, Hold F2 for above linked example laptop -- and select the USB drive to boot into.
Copy the binary over from the main hot computer onto the secondary USB drive and open it on the cold computer.
From here, please follow the instructions in the Cold Password Mixing Guide for a detailed overview of how to use the GUI / CLI to proceed further.