Two-part PIN on the Coldcard device
Seed Backup recovery codes
Wallet passphrases
The Seed Backup allows you to recover your Bitcoin wallets
Your Passphrase allows you to unlock the recovered Bitcoin wallets
The PIN protects against unauthorized access to your Coldcard device, should it fall into the wrong hands.
They will be able to unlock the device, but they will not have access to your Bitcoin wallets without the Passphrase
They will not be able to recover your Bitcoin wallets without the Passphrase.
A Coldcard Mk.3 (buy here)
A USB-A to micro USB cable
A microSD card (32GB or less)
An adapter to connect the USB-A cable and/or the microSD card to your computer
A desktop or laptop computer with one of the following operating systems:
MacOS
Windows
Debian / Ubuntu
Linux
Paper and pen for the wallet backup process
60 minutes of your time
An internet connection
Hardware Wallets must be used in combination with a mobile or desktop Bitcoin Wallet app
In this guide, we will teach you how to use the Coldcard in combination with a desktop application called Wasabi Wallet.
The best way to think about the Coldcard is that it is simply a sophisticated calculator that will take care of all the cryptographic algorithms that protect your Bitcoin wallet.
The device doesn't have access to the internet and does not come with a user interface.
Instead, it is designed to be used in combination with another mobile or desktop Bitcoin wallet, such as Wasabi Wallet.
To view your Bitcoin balance, to monitor your incoming transactions and to make Bitcoin payments you need access to the Bitcoin Network, which requires the internet.
The purpose of Wasabi Wallet is to connect to the Bitcoin Network and provide a nice user interface which lets you receive, send and monitor payments.
When making Bitcoin transactions, you will enter the amount you want to send and the destination Bitcoin address into the Wasabi Wallet interface, but you will also need to "plug in" your Coldcard device into your computer, unlock it with your PIN, then unlock the wallet with your passphrase directly on the device, then physically confirm on the device which amount you want to send and to which address you want to send it.
If you only want to monitor your balance or receive Bitcoin payments and monitor transactions, you do not need to plug in your Coldcard (after the initial connection). This is commonly referred to as "watch-only" mode.
Inspect that the sealed bag hasn’t been tampered with;
Open bag and remove its contents;
Make sure the serial number inside of the bag matches the one on the outside;
Using the USB-A to micro USB cable, plug the Coldcard into your computer;
Use the USB adapter if necessary.
Make sure the number displayed on the device screen matches the one on the bag;
Accept Terms of Service.
The next step involves choosing a PIN for the Coldcard device. The PIN is the first layer of security that prevents unauthorized access to the device, should it fall into the wrong hands. This PIN is extremely difficult to hack.
If you lose the PIN, you will lose access to the device. However, you will be able to recover access to the Bitcoin using your Bitcoin backup and your passphrase (see below).
Write down the PIN you want to use before entering it in your Coldcard.
Use at least 4 digits for each half of the PIN (8 in total).
The PIN is required every time you want to use the Coldcard.
Ideally, create a unique PIN that nobody can guess but that you can remember.
If you lose the PIN, you lose access to your Coldcard forever.
You cannot change your PIN.
If you want to change your PIN, you will have to start the process all over again.
The Coldcard Mk.3 is an open-source Bitcoin-only hardware device dedicated to the purpose of creating ultra-secure Bitcoin wallets and making Bitcoin transactions. It allows you to manage all of your Bitcoin private keys and access your funds securely, even if your computer or your phone is compromised.
The Coldcard is created by cypherpunks and adheres to the highest standards of Bitcoin security hardware. It is the optimal device for those seeking extreme security and individuals and businesses wishing to store several bitcoins for a long time.
Read about the benefits of self-custody.
✅Ultra-secure access with pin and passphrase
✅Fully open-source and heavily reviewed
✅Easy backup and secure recovery
✅Bitcoin-only firmware
✅Advanced transaction features
✅Plausible deniability options
✅Great for long-term storage
✅Perfect for day-to-day usage of large amounts
✅Very reputable and renowned team
✅Setup time: 60 minutes
❌Requires shipping
❌Less convenient usage
Note
The Coldcard device is designed to be used in combination with laptop or mobile Bitcoin software wallets. Our recommendation is to use the Coldcard in combination with the Wasabi Wallet desktop app.
Buying Bitcoin from a non-custodial exchange.
Ability to transact with Bitcoin on a laptop (funding exchanges, making payments).
Storing Bitcoin with backups for long-term before upgrading to a hardware wallet.
Managing different wallets for different purposes.
Transact easily using the QR code capabilities.
This guide will cover, in order:
Installing the desktop interface
Device initialization
Creating a Bitcoin wallet
Using passphrase security
Updating the firmware
Creating a backup to recover lost wallets
Receiving Bitcoin payments
Sending Bitcoin payments
There are also additional advanced features present throughout the guide (optional). Some are relatively easy to implement, but others require more time and resources.
By the end of this guide, you will have an interface installed on your computer which lets you receive, send and store bitcoins from your Coldcard device. Your wallet will be secured with a passphrase, and you will have proper backups in case your Coldcard is damaged, lost or stolen. You will know how to use the privacy features of your Bitcoin wallet to stay anonymous.
This is perfect if you want to buy large amounts of Bitcoin and store them privately and securely for a long time.
Entering this is a two-step process. The PIN is composed of two parts, the prefix and the suffix. Use at least 4 numbers for each half of the PIN.
PIN example: 10101-1971
After entering the prefix, two words will be generated and displayed on the device. These are known as your anti-phishing words. The same two words are supposed to appear each time you enter the prefix. The purpose of these words is to check that the Coldcard has not been compromised and is safe for you to use before you enter the rest of the PIN.
Enter the PIN prefix;
Write down the two anti-phishing words;
Enter the Suffix (second half of your PIN);
Confirm your PIN Prefix and Suffix.
Updating the firmware is essential to making sure that your Coldcard is not vulnerable to any new attack vectors.
Insert microSD card in computer (often it will appear as “NO NAME”);
Download latest firmware version from here onto microSD card;
Eject microSD card and insert it in your Coldcard;
To view your current version on your Coldcard, select “Advanced” > “Upgrade” > “View Version”.
4. Select “Advanced” > “Upgrade” > “From MicroSD card” > select the .dfu file.
5. Enter PIN code once upgrade is complete.
You don't need to update the firmware each time you want to receive funds. However, it's important to make sure it's up to date before sending bitcoin.
You will be back on the Coldcard's main menu. Stay there until you read the instructions on the next page.
Now that your device is up to date with the latest firmware, we will proceed with the actual creation of your wallet.
You will need to download in order to complete the PGP signature verification.
Open to view its contents.
Open the Terminal, navigate to the directory where you saved the firmware and use the command shasum -a256 20...-coldcard.dfu and hit the 'Enter' key on your keyboard.
The file should be in your downloads folder, so type cd downloads in the Terminal in order to go to that directory.
The 20...-coldcard.dfu component is the name of the latest upgrade; make sure to enter the name of the file in full.
Compare the result in your Terminal with the line of text in the signatures.txt file next to the firmware version you saved (it should be the one found directly under the ChangeLog.md line).
The hash is confirmed if the values are the same.
Save the file in the same location as the new firmware file.
This should be in the 'Downloads' folder.
To save it, right click on the page and select 'Save page as'.
Save the as a .txt file in the same location as the firmware and signatures.txt files.
To save it, right click on the page and select 'Save page as'.
Open GPG Keychain.
Click the Import button and navigate to the file saved in step 2 called lookup. Select the file and click Open. A pop-up message should appear saying "Import successful".
You will have the fingerprint from Peter D. Gray
Open Terminal and make sure you are in the correct directory by typing cd downloads
Enter gpg --verify signatures.txt in the Terminal.
The output in Terminal should include Good signature from... and should include the following RSA key: 4589 779A DFC1 4F33 2753 4EA8 A3A3 1BAD 5A2A 5B10
It is normal to see WARNING: This key is not certified with a trusted signature! gpg: There is no indication that the signature belongs to the owner.
You can ignore this, the signature has been verified!
Use the command line to navigate to the directory where you saved the firmware and enter the command sha256sum 20...-coldcard.dfu.
The 20...-coldcard.dfu component is the name of the latest upgrade; make sure to enter the name of the file in full.
Compare the result in your Terminal with the line of text in the signatures.txt file next to the firmware version you saved (it should be the one found directly under the ChangeLog.md line).
The hash is confirmed if the values are the same.
On the command line, enter curl "https://keyserver.ubuntu.com/pks/lookup?op=get&search=0xA3A31BAD5A2A5B10" | gpg --import to import the public key.
Next, enter gpg --verify signatures.txt to verify the file's signature against its content.
The command output should include Good signature from...
It is normal to see WARNING: This key is not certified with a trusted signature! gpg: There is no indication that the signature belongs to the owner.
You can ignore this, the signature has been verified!
Kleopatra requires you to have an OpenPGP signature to complete verification. If you don't have a signature to import, you can make one in Kleopatra.
Open Command Prompt and enter certutil -hashfile C:\..\20...-coldcard.dfu SHA256, where C:\..\20...-coldcard.dfu is the full path to the saved firmware file.
The 20...-coldcard.dfu component is the name of the latest upgrade; make sure to enter the name of the file in full.
Compare the output values in Command Prompt with the line of text in the signatures.txt file next to the firmware version you saved. The hash is confirmed if the values are the same.
Open Kleopatra and click Import...
Navigate to the public key .asc file and open it.
You will be asked to check the fingerprint of the file and given suggested options. The Keybase public key window is the trusted website. Click Yes.
A Certify Certificate window will show the file's fingerprint, your certification, and the fingerprint's owner - in this case, Peter D. Gray. Resize or reposition the Certify Certificate window and the browser window opened in step 3 so you can see them both at the same time.
Make sure the fingerprints in each window match and click Certify. If you have a passphrase on your certificate, you'll be asked to enter it. A pop-up box should appear saying, "Certification successful." Click Ok.
Click Decrypt/Verify... and open signatures.asc.
Kleopatra will verify the signature. You may save or discard the file Kleopatra generates; it is not needed.
The signature is verified.
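The hash comparison in the steps above can be scripted. The following is an added example, not code from the guide or from the Coldcard project. It assumes signatures.txt is a clearsigned file with one "hash  filename" entry per line, and it only accepts entries from inside the signed region, because text placed before or after that region is not covered by the signature. The file name, hashes and signature body are constructed placeholders, and the script does not replace gpg --verify.

```python
import hashlib
import hmac
import re

# Constructed sample data: file name, hashes and signature body are placeholders.
NAME = "2099-01-01T0000-v0.0.0-coldcard.dfu"
FIRMWARE = b"constructed firmware image bytes"
GOOD = hashlib.sha256(FIRMWARE).hexdigest()
SAMPLE = "\n".join([
    "0" * 64 + "  " + NAME,              # decoy line OUTSIDE the signed region
    "-----BEGIN PGP SIGNED MESSAGE-----",
    "Hash: SHA256",
    "",
    "a" * 64 + "  ChangeLog.md",
    GOOD + "  " + NAME,                  # the entry the signature covers
    "-----BEGIN PGP SIGNATURE-----",
    "",
    "(placeholder signature body)",
    "-----END PGP SIGNATURE-----",
    "",
])

SIGNED = re.compile(
    r"-----BEGIN PGP SIGNED MESSAGE-----\n(.*?)\n-----BEGIN PGP SIGNATURE-----",
    re.S,
)
ENTRY = re.compile(r"([0-9a-fA-F]{64})\s+\*?(\S+)")


def signed_entries(manifest):
    """Return {filename: sha256 hex} using only lines inside the signed body."""
    m = SIGNED.search(manifest.replace("\r\n", "\n"))
    if m is None:
        raise ValueError("no clearsigned block found")
    lines = m.group(1).split("\n")
    # Armor headers such as "Hash: SHA256" end at the first blank line.
    body = lines[lines.index("") + 1:]
    entries = {}
    for line in body:
        hit = ENTRY.fullmatch(line.strip())
        if hit:
            entries[hit.group(2)] = hit.group(1).lower()
    return entries


def verify_firmware(data, filename, manifest):
    """True only if the file's SHA-256 equals the signed entry for filename."""
    expected = signed_entries(manifest).get(filename)
    if expected is None:
        return False                     # no signed entry for this file
    actual = hashlib.sha256(data).hexdigest()
    return hmac.compare_digest(actual, expected)


if __name__ == "__main__":
    print("signed entries:", sorted(signed_entries(SAMPLE)))
    print("firmware matches signed hash:", verify_firmware(FIRMWARE, NAME, SAMPLE))
    print("modified file matches:", verify_firmware(FIRMWARE + b"x", NAME, SAMPLE))
```

A match here is only meaningful once gpg --verify has reported a good signature from the key whose fingerprint you checked.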
Before you create a backup for your Bitcoin Wallet, make sure to understand what you are doing by reading this section.
The most important job of a Bitcoin Wallet is generating and managing cryptographic private keys which allow you to control your Bitcoin. The keys are generated and stored on the device itself.
Creating a backup means exporting these keys from the device and making a physical copy of them.
If the device on which your Bitcoin private keys are stored is lost, broken, stolen or otherwise inaccessible, you can import the physical backup into a new device and your Bitcoin will be recovered there.
A Bitcoin backup consists of a series of 24 words generated randomly by the Coldcard’s secure element.
These words, in combination with your passphrase, allow you to recover access to the keys of your Bitcoin wallet in case you lose them.
If you do not have a backup and you lose access to the Coldcard, you will lose access to the Bitcoin permanently.
If you have a backup but you forgot the passphrase, you will lose access to the Bitcoin permanently.
If someone finds the backup of your wallet, they cannot steal your money unless they also know your passphrase.
Never store your passphrase in the same place as your backup. If someone finds the backup and they also know your passphrase, they will be able to take your bitcoin.
Know your enemy, know yourself.
The risks of losing funds by getting hacked are very low, unless you are specifically targeted by a highly skilled attacker. You must develop a "threat model" by analyzing different risks based on different situations.
Always keep the following scenarios in mind when creating and using your Bitcoin wallet.
The most common causes of people losing their bitcoin are accidental loss and physical theft.
You forget your passphrase.
You lose your Coldcard device (or it breaks) and you don't have a backup.
Someone finds a copy of your backup and you had not set a passphrase.
Someone finds a copy of your backup, but you were also storing your passphrase at the same place and now they have both.
You write down your PIN and your passphrase (or you don't set a passphrase) in the same location as you keep your physical device and someone steals all of it.
Most people who lose Bitcoin simply get scammed and voluntarily send their Bitcoin to ponzi schemes. Be wary of anybody soliciting you for investments or payments in Bitcoin.
Many people get tricked into revealing their passphrases and handing over their Bitcoin backups by fraudsters impersonating technical support for their Bitcoin wallet.
Extortion, ransom, assault
People who know you are the owner of Bitcoin may attempt to violently coerce you into handing it over to them. This is a very real risk and should not be taken lightly (it is also why Bitcoin privacy matters).
The Coldcard uses a random number generator for creating your Bitcoin backup. You can avoid using this if you are wary that it might be compromised or if you wish to input your own source of entropy by rolling a six-sided die.
Roll your dice 100 times in order to achieve 256 bits of entropy.
Before we attempt the dice rolls in their entirety, we will make sure that the Coldcard really derives the seed from the entropy we provide, and is not showing us a random-looking number that isn't actually random.
Using a pen and paper, note down the results of 6 dice rolls
In the main menu, select 'Import Existing'
Select 'Dice Rolls'
Using the Coldcard's keypad, enter the results you obtained by pressing on the corresponding numbers (1 to 6)
The Coldcard will produce 24 words, write them down
Open the Terminal or Shell of your computer to input a command line
Enter one of the following commands:
Replace '123456' by the dice roll numbers you obtained
Verify that the hash value output matches that on the Coldcard device screen.
Now we want to verify that the hash value really generates the same 24 words.
In your Terminal, change the directory to where the above file is saved
Run the following command, using the same dice rolls used for your test by replacing the '123456':
Verify that the 24 words output in your Terminal matches those on your Coldcard!
If they match, then you are good to go with the complete dice roll process.
Using a pen and paper, note down the results of 100 dice rolls
In the main menu, select 'Import Existing'
Select 'Dice Rolls'
Using the Coldcard's keypad, enter the results you obtained by pressing on the corresponding numbers (1 to 6)
The Coldcard will produce 24 words, write them down
You now have your 24 word backup generated using your own source of entropy!
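The dice-roll check described above can be reproduced independently of the device. This is an added example, not the script the guide links to and not the Coldcard project's code. It assumes the device takes SHA-256 over the ASCII digits of the rolls as the 256-bit seed entropy and encodes it as 24 words the standard BIP39 way; it outputs zero-based word numbers, which you look up in the BIP39 English word list (not embedded here).

```python
import hashlib
import math

BITS_PER_ROLL = math.log2(6)   # about 2.585 bits from one fair six-sided die


def entropy_bits(rolls):
    """Upper bound on the entropy carried by a string of fair dice rolls."""
    return len(rolls) * BITS_PER_ROLL


def min_rolls(target_bits=256):
    """Fewest rolls whose entropy reaches target_bits."""
    return math.ceil(target_bits / BITS_PER_ROLL)


def rolls_to_entropy(rolls):
    """SHA-256 over the ASCII digits (assumed device behaviour, see lead-in)."""
    if not rolls or set(rolls) - set("123456"):
        raise ValueError("rolls must be a non-empty string of digits 1-6")
    return hashlib.sha256(rolls.encode("ascii")).digest()


def entropy_to_word_indices(entropy):
    """BIP39: 256 entropy bits + 8 checksum bits = 24 groups of 11 bits."""
    if len(entropy) != 32:
        raise ValueError("expected 32 bytes of entropy")
    checksum = hashlib.sha256(entropy).digest()[0]
    n = (int.from_bytes(entropy, "big") << 8) | checksum
    return [(n >> (11 * (23 - i))) & 0x7FF for i in range(24)]


def check_rolls(rolls):
    """Return (hash hex, word indices, estimated bits, enough-for-256-bits)."""
    entropy = rolls_to_entropy(rolls)
    bits = entropy_bits(rolls)
    return entropy.hex(), entropy_to_word_indices(entropy), bits, bits >= 256


if __name__ == "__main__":
    # "123456" is the guide's 6-roll test input; never fund a wallet made from it.
    digest, words, bits, enough = check_rolls("123456")
    print("sha256:", digest)
    print("word numbers (0-based):", words)
    print("estimated entropy: %.1f bits, enough: %s" % (bits, enough))
    print("rolls needed for 256 bits:", min_rolls())
```

The six-roll test carries under 16 bits of entropy, so its 24 words are only for comparing against the device screen.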
Coldcard and Wasabi Wallet Combo
Coldcard in combination with Wasabi Wallet is one of the safest ways you can use Bitcoin.
Both Coldcard and Wasabi Wallet are open-source and have been reviewed independently to make sure there is no malware or backdoor that could compromise your Bitcoin.
The Coldcard device is extremely difficult to hack, tamper-proof, tamper-evident, using a secure element. The only purpose of the device is to protect your Bitcoin.
The private keys that control the Bitcoin are generated securely on the Coldcard device itself. Everything is encrypted and protected by multiple layers of advanced security.
You create a secret "passphrase" which is required to unlock access to your funds when you make transactions or during the wallet recovery process. It is impossible for anyone to steal your Bitcoin without this passphrase.
The Coldcard has a keypad which you will use to type in your passphrase. You never have to type in your passphrase on a computer or mobile app: everything happens directly on the device.
Even if your computer is compromised by malware which affects Wasabi Wallet, the Coldcard device will prevent unauthorized access to your Bitcoin wallet. That's what it's for.
Coldcard lets you create backups easily and securely which let you recover access to your money if your computer is damaged, lost or stolen.
Coldcard has a double-entry PIN feature which is required to unlock the device.
The device can be used securely in combination with Wasabi Wallet on your computer by connecting it via a USB cable. For maximum security, you can use a microSD card instead (called an "air-gapped" method).
See their
Additional
support group
Open so you can view its contents.
Save the file in the same location as the new firmware file.
These instructions use Kleopatra, which is a part of . You only need the GnuPG Privacy Guard and Kleopatra components to verify the PGP signature.
Open so you can view its contents.
Save the text from with an .asc file extension in the same location as the saved firmware file. Do not save the file as .txt; Kleopatra will not recognize it.
Save the as an .asc file in the same location as the firmware and signatures.asc files.
Open a browser and go to . Click on the text next to the key icon to open the public key window. You will need this window for a later step.
Save the script found here:
Using the Seed XOR function in your Coldcard allows you to separate your original seed phrase into two parts, each looking like its own 24-word seed phrase. Combining them will produce your original 24-word seed phrase.
You will need both parts generated with Seed XOR in order to recover your original seed phrase.
You will also need your passphrase to access the wallet containing your funds.
Each Seed XOR component can also function as a Bitcoin seed phrase. You can keep some funds on it to satisfy a potential attacker or to alert you that your storage is compromised if someone finds it and takes the funds held on it.
Steps for Seed XOR
We will be splitting the main seed phrase into two parts.
Steps:
Select Advanced
Select Danger Zone
Select Seed functions
Select Seed XOR
Select Split existing seed
Press 2
Press OK
If any part is lost, the funds are lost unless you still have in your possession your Coldcard or the original seed phrase with the passphrase.
Make sure to store the 24th word of your original seed phrase alongside both parts obtained through Seed XOR. This allows you to be sure you've gotten all the parts and assembled them correctly.
Take out a pen and paper
Two lists of words (A and B) will be generated. Write down each list in their respective order.
Press on the checkmark when done.
Complete the test to make sure that you have correctly written them down.
The seed is now split into two parts!
This is an advanced feature that requires you to write down and safe-keep an additional set of 12 words.
You will need an additional microSD card in order to create an encrypted backup of your 24-word seed phrase, as well as a pen and paper.
Make sure that your Coldcard is unlocked with your PIN;
Insert the new microSD card into your Coldcard;
In your Coldcard go to "Advanced" > "Backup" > "Backup System";
Write down the 12 words in the order in which they are displayed on a piece of paper.
These words are unrelated to your 24-word backup.
In your Coldcard, go to "Advanced" > "Backup" > "Verify Backup".
This is useful for verifying that the backup file on the microSD card was not damaged or written incorrectly.
You must have at your disposal either a new Coldcard or one with no wallet generated (the Backup has been wiped from the device).
In your Coldcard, go to "Advanced" > "Backup" > "Restore from backup".
You will still need your passphrase to access your funds!
The next step involves entering a passphrase. This prevents you from getting your funds stolen if someone gets access to your device and its PIN or to your 24-word backup. Before doing this step, please read below to know some important basics.
It acts as a password that you add on top of your wallet backup (24-word seed phrase).
You can create as many passphrase-protected wallets as you like, with each new passphrase generating a completely new wallet.
The default wallet does not have a passphrase. Adding one gives you plausible deniability: you can unlock the device normally to show a wallet containing little or no funds, while the majority of your bitcoin is held in a passphrase-protected wallet.
If someone comes into contact with your 24-word seed or digital backup, they won’t be able to steal your funds since they also need the passphrase to unlock the funds.
Write down the passphrase you want to use before entering it in your computer.
The passphrase is required every time you want to spend the funds from your Coldcard.
Use a combination of words as a passphrase to have less trouble remembering it.
Use at least 12 characters in your passphrase; 24 characters offer more security.
If someone has access to your PIN and Coldcard, the passphrase will prevent them from taking your Bitcoin.
Create a unique passphrase that nobody can guess but that you can remember.
If you lose the passphrase, you lose access to your Bitcoin forever.
You cannot change your passphrase.
You can only create a new one, which in turn will generate a new wallet.
The passphrase is required to recover your access to your Bitcoin if your Coldcard is damaged, lost or stolen.
In your Coldcard device go to:
Advanced
Danger Zone
Seed functions
Seed XOR
Restore Seed XOR
OK
Enter the words from list A
At the 24th word, the Coldcard will display a short list of words for you to choose the correct word from.
Repeat for list B
You must have both parts in order to restore your seed phrase. The order in which you enter them (either seed XOR A or B) does not matter.
The imported seed XOR will only remain temporarily.
You will be asked if you want to use the existing seed by pressing 1. Do not press 1; press OK.
Follow the instructions below if you are restoring your seed on a new, uninitialized Coldcard device.
Import Existing
Seed XOR
Enter one of the parts (list A or B)
When done, press on 1 to enter the next part
Enter the other list of words
Confirm that the 24th word of your original seed phrase is correct
Press 2 to complete the import
To verify the imported seed:
Use this to see the backup stored in the device and if it matches the original that you have written down.
Advanced
Danger Zone
Seed functions
View Seed Words
OK
It is possible to recreate your original backup using the two seed XOR word lists by hand. Follow the instructions below to do so:
Using this worksheet, enter the words from the two lists that have been generated using seed XOR on your Coldcard.
Using this wordlist, write down the 3-digit hex code associated with each word in your worksheet.
Once lists A and B have been written down in the worksheet, use the table in your worksheet to complete the A + B row.
To do so, associate the hex digits of each word from list A with those from list B.
Whether you look up the row or column first does not change anything since it will produce the same value.
Enter the digit that you obtain from the table in your worksheet. At the end of the process, you will have a new hex code.
Using the wordlist and the newly generated hex codes, retrieve the words that form your seed phrase.
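The worksheet procedure above, carried out in code as an added example (not the guide's or the Coldcard project's code). It assumes each word's 3-digit hex code is its zero-based 11-bit number in the word list, and it uses constructed entropy values rather than a real seed; how the device chooses part A is not modelled. It also shows why the 24th word is stored separately: the last word mixes 3 entropy bits with an 8-bit checksum, so the digit-by-digit result for word 24 has to be replaced by the word whose checksum fits the recovered entropy.

```python
import hashlib


def to_indices(entropy):
    """24 word numbers for 32 bytes of entropy (256 bits + 8-bit checksum)."""
    checksum = hashlib.sha256(entropy).digest()[0]
    n = (int.from_bytes(entropy, "big") << 8) | checksum
    return [(n >> (11 * (23 - i))) & 0x7FF for i in range(24)]


def hex_codes(entropy):
    """The worksheet row for a seed: one 3-digit hex code per word."""
    return [format(i, "03X") for i in to_indices(entropy)]


def xor_rows(row_a, row_b):
    """Fill in the A + B row: XOR the rows one hex digit at a time."""
    out = []
    for a, b in zip(row_a, row_b):
        out.append("".join(format(int(x, 16) ^ int(y, 16), "X")
                           for x, y in zip(a, b)))
    return out


def recover(row_a, row_b):
    """Return (raw A + B row, final row with the 24th word's checksum fixed)."""
    combined = xor_rows(row_a, row_b)
    n = 0
    for code in combined:
        n = (n << 11) | int(code, 16)
    # Drop the 8 meaningless checksum bits; what remains is the seed entropy.
    entropy = (n >> 8).to_bytes(32, "big")
    return combined, hex_codes(entropy)


# Constructed values for illustration only, never real wallet material.
SEED = bytes(range(32))
PART_A = hashlib.sha256(b"constructed part A").digest()
PART_B = bytes(s ^ a for s, a in zip(SEED, PART_A))

if __name__ == "__main__":
    raw, final = recover(hex_codes(PART_A), hex_codes(PART_B))
    print("original :", " ".join(hex_codes(SEED)))
    print("A + B    :", " ".join(raw))
    print("recovered:", " ".join(final))
    print("24th word from the table:", raw[23], "after checksum fix:", final[23])
```

Comparing the recovered 24th code against the 24th word you noted from the original seed confirms that both lists were copied and combined correctly.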
Write down the passphrase you want to use before entering it in your computer.
Select “Passphrase”.
Select the following:
Add Word
You will have a selection of words to choose from, taken from the .
Select at least 4 different words, and choose up to 12.
Find the word you want by first selecting its first letter. You will also have the option to add a space before or after the word and if you want to use upper or lower case letters.
Once entered, select “APPLY”.
A new wallet identifier, also called a fingerprint, will be created. Note this down.
Press on the check mark.
You must enter the passphrase each time you want to access the passphrase-protected wallet; otherwise you will be in the default, or passphrase-free, wallet.
In this step, we will be connecting the Coldcard to Wasabi Wallet to view your wallet balance, send and receive Bitcoin.
Make sure your Coldcard is connected to your computer and that you have accessed the passphrase protected wallet on the device.
In Wasabi wallet, select Add wallet.
Select Connect to hardware wallet.
Enter a name for your wallet and click on Continue.
If the device isn't immediately detected, click on Rescan.
When your Coldcard is connected, click on Yes and then proceed to open the wallet.
With PGP signatures you can verify that the software package you download is actually the one by the developers.
Every release of Wasabi is signed by , the company behind Wasabi.
You can verify that the PGP public key is actually the one of .
This protects you against malicious man in the middle attacks where bad guys give you a fake version of Wasabi with malicious code.
Steps:
On the Wasabi download page, click on 'SIGNATURE' under the operating system that you are using.
Open your terminal and go to the directory that contains the file.
Verify the signature by typing the following in your terminal window:
gpg --verify Wasabi-1.1.13.deb.asc for Debian / Ubuntu
gpg --verify Wasabi-1.1.13.dmg.asc for MacOS
gpg --verify Wasabi-1.1.13.msi.asc for Windows
gpg --verify Wasabi-1.1.13.tar.asc or gpg --verify Wasabi-1.1.13.gz.asc for other Linux
If the PGP key in your terminal matches the one above, then you are certain that the software is authentic.