An Easy Guide To Use The ColdCard Bitcoin Hardware Wallet
This opinion editorial is by Arman The Parman, a Bitcoin educator passionate about privacy and a contributor to Bitcoin Magazine.
Make sure to read the “Using Bitcoin Hardware Wallets” section first. I will only briefly go through the steps and concentrate on the ColdCard specifics.
This guide is for the ColdCard Mk3 as well as the Mk4.
Buy the device directly from the manufacturer, Coinkite. This is mandatory. Don’t buy from Amazon or eBay. A microSD card is also required; the smallest and most affordable one will do. You can get them at Amazon, Target, Walmart or other local stores. A connection cable is also required, as the device does not include one. You can either find one from an old phone or buy one.
The ColdCard Mk4 has a USB-C connector on the shell, while the Mk3 has a micro USB connector. You will need a USB cable that matches both your device and your computer’s USB port type.
For example, if you use a modern Mac, it’ll have USB-C ports like the ColdCard does, and you’ll need a cable like this:
For the Mk3 ColdCard and a computer with regular USB ports, you’ll need a cable with micro USB and regular USB, like this:
In addition to the cable, you’ll need a 5-volt charger, like the ones most phones use. For power, you can connect your wallet to your computer, but we prefer to avoid this for maximum security.
When you place your order with Coinkite, ideally you shouldn’t ship it to your home address, as the packaging (visible to the entire delivery chain) states that the content is a “ColdCard calculator.” You don’t want to reveal to the world that you own bitcoin and where you live. Use a fake name and send it to your workplace or a post office box. This is good practice, but skipping it is not likely to be a fatal error.
Setting Up The ColdCard
When the device arrives from Canada, make sure you inspect the tamper-evident bag for any sign of disturbance or compromise. You will also find a number on the bag. Keep it, as the device will ask you to compare it with the number stored in its memory. This will ensure that you received the correct device and not a duplicate.
Power on the device and carefully read all the information it presents to you. You can scroll to the bottom of each message by using the arrows on the keypad. Sometimes, at the end of a message, it will prompt you to press a number to verify that you have read it. If you don’t understand the message and click the checkmark to continue, the device will loop back to the beginning and you will think it’s faulty.
You’ll be instructed how to set a PIN. I will explain why the name of the PIN is confusing and unfortunate. In fact, there are two PINs. You will enter PIN-1 when you turn on your device. Two “phishing” words will be displayed that are specific to your device. These words will be the same each time. You just need to confirm that you recognize them. Recognizing the words confirms that you have entered the correct PIN-1 and that the device is yours; it has not been stolen without your knowledge. After you have confirmed that the device is yours, enter PIN-2.
The ColdCard device refers to PIN-1 as the PIN prefix. When prompted for PIN-2, it asks you to enter “rest of PIN.”
” when setting PIN-1 or 2. You can choose 2 to 6 digits for each PIN.
You will then have the option to create a brand new wallet or import an existing wallet (restore a previous wallet). I will show you how to create a new wallet. The device will give you 24 words, one at a time. You will be asked to write them down and confirm each word. Follow the prompts. Make copies of the words and keep them in two different places to avoid total loss.
After you’re done, the device will display the top menu that reads “Ready for Sign.” You can then remove the device. Connect the device again and ensure you know how to turn it on and enter your PIN numbers.
A “wallet” has several meanings. Here I’m using it to describe the unique collection of 2^32 addresses that belong to the
- seed phrase (words)
- plus passphrase (your choice of text up to 100 characters)
- plus derivation path
Those three things, when combined, create a “wallet” -> roughly 4.3 billion addresses each with a private key.
Don’t worry too much about the derivation path; in a way, it acts like a second passphrase, and users should just leave it at the default, usually m/84'/0'/0'; even advanced users shouldn’t edit it, in my opinion. It is a good idea to keep a record of the derivation path in case you need it. You will have access to the 4.3 billion addresses that belong to your seed every time you turn on the ColdCard (no need for a passphrase).
You can apply any passphrase you want (100 character limit) and when you do, the ColdCard forgets the original 4.3 billion addresses from its temporary memory (it only holds one collection of addresses at a time), and you get a fresh new set of addresses (a wallet) that belong to the original seed phrase plus the passphrase you chose. All wallets are erased from the device’s memory when you turn it off (but not the seed). You’ll return to the original wallet, with seed and no passphrase, when you turn it back on. You will need to apply the passphrase once again in order to get your passphrase wallet back. This allows you to have unlimited wallets, each with 4.3 billion addresses. Each wallet is derived from the one seed phrase that you have backed up.
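As an added example (not from the original article and not Coinkite's firmware code), the Python below follows the public BIP-39 and BIP-32 rules to show how one set of seed words with different passphrases leads to unrelated wallet roots, and how a path such as m/84'/0'/0' is read. The mnemonic is the public BIP-39 test vector and the function names are illustrative.

```python
import hashlib
import hmac
import unicodedata

# Public BIP-39 test-vector mnemonic (constructed sample; never use it for funds).
TEST_MNEMONIC = "abandon " * 11 + "about"
HARDENED = 0x80000000  # BIP-32 offset for hardened child indexes
SECP256K1_N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141

def bip39_seed(mnemonic, passphrase=""):
    """BIP-39: PBKDF2-HMAC-SHA512, 2048 rounds, salt = "mnemonic" + passphrase."""
    def nfkd(text):
        return unicodedata.normalize("NFKD", text).encode("utf-8")
    return hashlib.pbkdf2_hmac(
        "sha512", nfkd(mnemonic), nfkd("mnemonic" + passphrase), 2048, 64)

def bip32_master(seed):
    """BIP-32: HMAC-SHA512 keyed with "Bitcoin seed" -> (private key, chain code)."""
    digest = hmac.new(b"Bitcoin seed", seed, hashlib.sha512).digest()
    key, chain_code = digest[:32], digest[32:]
    if not 0 < int.from_bytes(key, "big") < SECP256K1_N:
        raise ValueError("seed yields an invalid master key")
    return key, chain_code

def parse_path(path):
    """Turn "m/84'/0'/0'" into BIP-32 child indexes; ' or h marks a hardened step."""
    for quote in ("’", "′"):  # typographic quotes often creep in when copying
        path = path.replace(quote, "'")
    parts = path.split("/")
    if parts[0] != "m":
        raise ValueError("path must start at the master key 'm'")
    indexes = []
    for part in parts[1:]:
        hardened = part[-1:] in ("'", "h")
        number = int(part[:-1] if hardened else part)
        if not 0 <= number < HARDENED:
            raise ValueError(f"index out of range: {part}")
        indexes.append(number + HARDENED if hardened else number)
    return indexes

def wallet_root(mnemonic, passphrase=""):
    """Root key material of the wallet selected by seed words + passphrase."""
    return bip32_master(bip39_seed(mnemonic, passphrase))

if __name__ == "__main__":
    for phrase in ("", "TREZOR"):
        print(repr(phrase), wallet_root(TEST_MNEMONIC, phrase)[0].hex()[:16], "...")
    print(parse_path("m/84'/0'/0'"))
```

Nothing in these functions depends on the device, which is why the seed words and each passphrase, not the ColdCard itself, are what must be backed up.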
If you lose your device, you can buy another one (or one of a different brand, if you prefer) and restore the seed that you have kept safe. You’ll then get your original wallet back. To get your passphrase wallets (and the bitcoin) back, you can then apply any of your passphrases. Your bitcoin is not bound to the ColdCard device; it is bound to the BIP-39 (Bitcoin Improvement Proposal 39) protocol. You can learn more about this protocol by following the instructions of this fun exercise.
To apply a passphrase, go to the passphrase menu and select “edit phrase.” The buttons let you choose which symbols to use: use the up/down arrows to select a symbol, then the left/right arrows to move the cursor to the desired position. Once you are done, click the checkmark. You will still need to “apply” the passphrase, which commits it to the device’s memory: scroll down to the bottom and click “apply.” Read the message. You will have the option to save your passphrase to your microSD card. This avoids the tedious task of typing it, but be aware that you are recording sensitive information and must keep it safe.
To retrieve your passphrase wallet when you turn on the device later, go to the passphrase menu. If your microSD card is inserted, select “restore stored.” If not, go to the passphrase menu, select “edit phrase,” then apply.
Remember if you ever want to “export” a wallet from the device to make a watching wallet (don’t worry if you don’t know what that means for now), you need to have the correct wallet in memory at the time you make the export; either the wallet with no passphrase or a wallet from one of your passphrases.
In previous articles, I explained how to download and verify Sparrow wallet, and how to connect it to your own node, or a public node. This guide does not cover this, but you can refer to these guides if you are interested. Continue reading.
An alternative to the Sparrow bitcoin wallet is the Electrum desktop wallet, but I will proceed with Sparrow, as I judge it to be the best for most people. Advanced users may prefer to use Electrum as an alternative. To install Sparrow, click the “Install Sparrow Bitcoin Wallet” link above. Then return to this page.
Run Sparrow Wallet
This pop-up can be deceiving. It is important to read it. The toggle and “offline” button are an image, so you can’t interact with them (people have tried!). Click the “Next” button.
Again, that yellow toggle is an image only. Read and click “Next.” And the same with the next two pop-ups, until you see this:
Here we are about to connect to a public server that belongs to Emzy. Emzy is a great guy. I would not object to connecting to his server, but it is best to connect to your own server. To verify that you can connect to Emzy’s server, click the “Test Connection” button.
Then you can click the giant blue “General” tab on the left:
All of this can be left as defaults. Go ahead and select “Create New Wallet.”
Name it something pretty:
Then click “Create Wallet”
We can set up all sorts of wallets from here. There are two ways to set up a wallet. The first is with the ColdCard connected directly by cable to your computer. This is fine but not as effective as the second, air-gapped way, which is more cumbersome.
Go ahead and connect the ColdCard to the computer and enter the PIN. If you wish to use the passphrase, then connect the ColdCard to the computer and enter your PIN. Click the “Connect Hardware Wallet” button.
Then click “Scan” …
Sparrow should detect your device. Some troubleshooting if you fail at this step:
- Make sure you have proceeded past the PIN-entering stage on the device.
- If you previously connected the device to another wallet, unplugging and reconnecting may be necessary to “forget” the old connection.
- Make sure the USB option is not turned off in the ColdCard settings.
Now we are presented with some details about the wallet. You can save the xpub and zpub to a file. This will allow you to restore your wallet (but not the ability to spend). Although the xpub is still sensitive, it is not as sensitive as the passphrase and seed words. The computer doesn’t know what the seed phrase is: it is kept secret in the ColdCard. This is its primary job. To proceed, click “Apply.”
A copy of the watching wallet is going to be made on the computer, and the password you set here will encrypt it. Don’t confuse “password” with “passphrase.”
Once the computer does its thinking, all the blue buttons on the left are available to you. Click “Addresses” to see your wallet. Although you have 4.3 billion addresses, only the first few are displayed. You also have 4.3 billion change addresses. I should have mentioned earlier that each wallet contains 8.6 billion unique addresses.
To receive some bitcoin, go to the Addresses tab on the left and choose one of the addresses to receive. Right-click the address that you wish to copy and choose “Copy Address.” Next, go to the exchange where the money is being sent and paste it there. You can also give the address to a customer to use to pay you.
When you first use the wallet, you should only receive a small amount. To prove that the wallet works as expected, you can send it to another address within the wallet or back to the exchange.
Once this is done, you will need to back up the words you wrote down. A single copy is not sufficient, as we mentioned earlier. Keep at least two copies on paper (metal is better), and keep them safe in two different locations. See “Using Bitcoin Hardware Wallets” for a full discussion on this.
When making a payment, you need to paste in the address you are paying to in the “Pay to” field. You can adjust the fee manually by entering the amount.
The ColdCard must be connected before the wallet can sign the transaction. This is the job of the hardware wallet: to receive the transaction, sign it and then give it back signed. You should ensure that the address you are paying appears on the device and matches the one on the invoice.
If the coins you spend add up to more than the payment amount, the remainder will be sent back to one of your change addresses. Some people didn’t know this and thought the transaction was sent to an attacker’s address, when it was actually their own change address.
Installing the firmware yourself on the device is best practice, but outside the scope of this guide. There are instructions here by Coinkite.
This article showed you how to use a ColdCard hardware wallet in a safer and more private way than advertised – but this article alone is not enough. As I said at the start, you should combine it with the information provided in “Using Bitcoin Hardware Wallets.”
This is a guest post by Arman The Parman. Opinions expressed do not necessarily reflect the views of BTC Inc or Bitcoin Magazine.