Hardware wallets for your company
Simple guide for bootstrapping your business on-chain
This simple guide is intended for companies just bootstrapping their blockchain presence. If your business needs a workflow for minting tokens or operating smart contracts as a corporate entity using multisigs and you just purchased a few Ledgers for that, this guide shines some light on how to use hardware wallets in a safe way.
Core concepts
To sign transactions on most blockchain networks you need a private key. You can think of it as a file with secret data. If your private key is stolen, your identity is compromised and there is no way to recover from it: an attacker can impersonate you and sign transactions as if they were you.
A seed phrase is a sequence of words which are used to derive a private key. Stealing a seed phrase is the same as stealing a private key.
Hardware wallets are designed to make your private keys and seed phrases hard to steal by storing them on a separate device (instead of your laptop/pc which could be easily hacked).
Rule #1: Don't enter your seed phrase anywhere
During onboarding, your hardware wallet will generate a random sequence of 24 words, displaying one at a time on the device's screen — this is what is called a seed phrase. Write those words down on paper and put it in a deposit box in your bank.
Under no circumstances should you share the seed phrase with anybody. That includes typing these words anywhere, including your own laptop or your phone.
Rule #2: Use your wallet only for multisigs
Your wallet will be used for signing multisig transactions only. Do not store any funds on your wallet and do not use it for any personal activities.
Attackers will try to trick you into signing malicious transactions and it will not be possible to distinguish when it happens. To use most multisigs you will have to enable Blind signing so it will be impossible to validate what you are signing on the display of your wallet.
Connect your wallet only to the multisig website and nothing else.
Rule #3: Keep identities private
The address of your wallet is usually not considered to be private but it is important that your identity and the identities of other participants of multisigs are not disclosed.
If attackers know who the addresses belong to it makes it much easier to target these individuals with spear phishing. Protecting your identities will also minimise risks of targeted physical attacks and many other risks.
This is far from the exhaustive list of best practices but it is a good foundation keep you going. Read more about protecting yourself on-chain and keep an eye out for more posts!