At the end of the day using a hardware device is going to be way more secure than exposing your private key to a general purpose computer.
If vendor and supply chain attacks are in your threat model, then use multisig, otherwise single-sig + passphrase with an airgapped coldcard device should be ok and is simpler to backup over long periods of time. This was my goto-recommendation for ages but I’m not sure how long that will be if supply chain attacks ramp up.
Alternatively you can just do a 2of2 or 2of3 multisig with two different hwws and a tapsigner for convenience. Just make sure to have plate backups for both wallets stored in two physically separate locations.
This is a bit more complicated, this is why Ive always like the simplicity of singlesig + passphrase. Passphrase acts like a two factor in case the physical security of the seed is compromised.
jb55 / Will
npub1xt…vkk5s
2024-03-31 15:28:58
in reply to nevent1q…v4dd
Author Public Key
npub1xtscya34g58tk0z605fvr788k263gsu6cy9x0mhnm87echrgufzsevkk5sPublished at
2024-03-31 15:28:58Event JSON
{
"id": "b89d5dcc962cbddc3c3ae080d136ca33d3a8226a4bb8f5aadbb7908496a7cb8c",
"pubkey": "32e1827635450ebb3c5a7d12c1f8e7b2b514439ac10a67eef3d9fd9c5c68e245",
"created_at": 1711898938,
"kind": 1,
"tags": [
[
"e",
"c74ae58e6f11bb078bf7cbc21d687808910748cad12676349912f95eed7cfc2c"
],
[
"e",
"a5a6c0af5f271ad32a41710ebcb63afa10cbf31f4a35bbbb8088e9cee1557f5d"
],
[
"p",
"896cfb0f31561b6c54d59d5f9c1cc9d183aab4cb066a30b1a588e2bde7fc4cfa"
]
],
"content": "At the end of the day using a hardware device is going to be way more secure than exposing your private key to a general purpose computer.\n\nIf vendor and supply chain attacks are in your threat model, then use multisig, otherwise single-sig + passphrase with an airgapped coldcard device should be ok and is simpler to backup over long periods of time. This was my goto-recommendation for ages but I’m not sure how long that will be if supply chain attacks ramp up.\n\nAlternatively you can just do a 2of2 or 2of3 multisig with two different hwws and a tapsigner for convenience. Just make sure to have plate backups for both wallets stored in two physically separate locations.\n\nThis is a bit more complicated, this is why Ive always like the simplicity of singlesig + passphrase. Passphrase acts like a two factor in case the physical security of the seed is compromised.",
"sig": "281218cfd894395967745bf87ed62f29926369314c1ab311d5100396a9d4cc3a44ef6655470d0b9f153df0355b7dc820be063c4b08e84e9d90edda3a5d5bed95"
}