I don't have a fortune in cryptocurrency and probably present a less-than-ideal target for most attackers, but I take security seriously and know some solid practices that I think anyone can learn. This will be a multi-part tutorial to show you how to get up and running with a robust setup and the lowest amount of fuss and investment. This guide assumes basic familiarity with computer hardware and a willingness to try free software solutions. Please let me know if you find it useful.
Step One: The Journey Begins
If you're accustomed to using an online wallet or keeping your cryptocurrency on an exchange, you may wonder why going to any extra effort is necessary for the sake of security. Here's where we all have a principle to keep in mind:
If your currency is accessible by anyone other than you, it's not truly yours.
By this, I mean that internet-connected machines and exchanges are large, vulnerable targets that will be compromised eventually. Could there be a security breach of the exchange? That's vulnerable. Could your software wallet have an obscure bug that allows an attacker access? That's vulnerable. Is it easy for people to tell where your wallet is and how much is in it? That's vulnerable. And even if direct compromise doesn't happen, if an exchange or online service goes down, it will take your currency with it.
What does all this mean for your security? It means you need to maximize the control and protection of your cryptocurrency. Your best defense isn't digital at all. It's your own knowledge and careful setup.
Step Two: Battle Armor (Hardware)
I'm going to advocate starting your journey by making a highly secure router for yourself, and maybe even two identical routers with a failover configuration. Though this sounds intimidating, its complexity is entirely dependent on what you want from it. One of the cheapest ways to get a reasonable setup is to use a small PC (thin clients also work) with around 1 GB of RAM and around 2 GB of hard disk space, a network switch, and two network cards or one card and an Ethernet dongle. Ideally you want to install a security-focused operating system on it and have a BIOS that is 100% free software if possible. While it is possible to do this with an SBC like the Raspberry Pi, I strongly recommend against doing so. The ethernet speed is just too unreliable and the SOC's firmware is proprietary.
When strapped for cash, I have successfully hooked up a used Wyse R90L for this purpose. It runs the latest OpenBSD without a hiccup (but more on the software later).
A dedicated pfSense router from a reputable company would be an even better option. See https://www.pfsense.org/products/ for further information.
Next, choose your PC setup carefully. When it comes to a PC's security, we need to think of the machine and network as an ecosystem where the elements must work together and anything that can readily be compromised will be the first point of attack. This means the use of trusted hardware, devices that don't require binary-only drivers to work, and secure storage with backup options are essential. For a real tank of a machine that also doesn't break the bank, I recommend buying a Lenovo TS140, specifically the model with a Xeon processor (you'll see why in the next post). It makes a supremely reliable workstation or server, its onboard hardware is well-supported by free software operating systems, and its expansion options are immense. Even though this machine was purchased 3 years ago, it is far from obsolete. The only way it could be any better is if it could run Libreboot for its BIOS.
I also suggest avoiding wireless connections if at all possible. Not only is a direct connection more secure, it is also more reliable. If you purchase a gigabit Ethernet switch (a good investment!), choose from well-known brands like Cisco, D-Link, and the like. Used switches with lots of ports are often cheap as dirt on ebay, perhaps since most home customers don't use large switches for their networks.
Lastly, we need a good black-and-white laser printer without network access or the ability to save documents when it is disconnected. Laser printers are preferable because they tend to use their toner efficiently, the prints are not as vulnerable to water damage, and they are cheaper than they have ever been. I'll leave the selection up to you, but I'm fond of my Brother HL-2230.
Hardware wallets are a good investment, but they have two major issues that I can see. The first is centralization. If your funds are all located in one place, there is a single point of compromise to get your money. The second issue is that, if you can lose a USB drive, you can lose a Ledger. As such, feel free to use one (or several), but try to spread your assets across different wallets to avoid a catastrophe later.
Next up - Step Three: The Ghost in the Machine (Software)