About multisig xpub export: at 1:01:25, when it asks for the account number you want to export, you just proceeded without entering anything. What if you entered 0? Is it going to be the same as if you proceeded without entering anything? Thanks for value content
Correct, the default (i.e. entering nothing) is 0. This might be overkill, but the BIP has some more context on wallet structure for modern bitcoin wallets if you're curious: github.com/bitcoin/bips/blob/master/bip-0032.mediawiki#user-content-Specification_Wallet_structure Glad you found the content useful!
Excellent video. Thank you. What cable does it come with? Also, can I plug this into a portable battery charger; USB to the ColdCard USB-C? Sounds like one will ALWAYS need a microSD if you want to be air-gapped, correct?
Good question and it's one of the few things I don't like about Coinkite/Coldcard is that the Mk4 model (currently priced at $147.94) doesn't actually come with a cable or anything else. So you'd need to get either their power-only USB-C cable or the Coldpower adapter - I'd generally recommend the latter, but yes you should also be able to plug this into a portable battery charger. And yes, you will always need a microSD if you want this to be fully air-gapped. They've incorporated NFC tech that can serve as an alternative method to transfer data, but it might be a little while before other software wallets that you're pairing your Coldcard with support that. Hope that helps! I am a massive fan of Coldcard and continue to use one, but I'm also a big fan of the Foundation Passport in case you want to check that out as well. Their model comes with a microSD card and takes normal batteries which is nice.
Superb video - thank you! It would be a lot easier, rather than shuffling SD cards back & forth, to plug the Coldcard into the computer, as I've been doing with my Trezor. I presume there must be a major security down-side to doing that? How bad is it?
Thanks! It's hard to quantify the degree to which it's more secure unfortunately - I definitely don't think using a Trezor or Coldcard in a non-air-gapped fashion places you in imminent security risk, but air-gapped usage of a device is a meaningful enough difference to where it's worth doing if you want to maximize your security. I think of it this way: does the inconvenience of shuffling SD cards back and forth more than offset the incremental security gains? Unless you're using your hardware wallet very very frequently (most people aren't), the answer is probably 'no'
@@IanMajor Thank you so much for taking the trouble to reply. I am trying to get my head around the various technical aspects of using Bitcoin. The Trezor was a doddle, but Matthew Kratter has been warning of possible security concerns, at least with their coin-join facility. I might add that I was born long before computers as such even existed, and while the great Alan Turing was still with us! But I am naturally wary of the digital world, and of computers - to paraphrase Francis Bacon, I believe they make good servants but bad masters. Having said all that, I am fully on board with the Bitcoin revolution, and I understand the huge significance of Satoshi's gift to humanity. So I've had to embark on a bit of a learning curve - especially since I bought a Cold Card! My understanding is that the 'seed phrase' would always stay trapped inside the Cold Card regardless, and that any risk of plugging the Cold Card into the computer would be confined to the current transaction? Am I being unduly complacent? Thank you once again for your excellent tutorials, which I find far better than anything else out there. Best wishes, Hugo Miller
Amazing video! Can I use the ColdCard MK3 I've been using for a single sig in Sparrow as 1 of 3 devices in a new multi-sig I'm setting up? If so, will I still be able to access my single-sig wallet?
Glad you found it useful Larry! Yes you certainly can. Your Coldcard is capable of producing addresses and signatures for both single-sig and multisig, so you can add your MK3 as one of the co-signers in a multisig setup without messing with your single-sig. Keep in mind that you'll need to specifically export the multisig extended public key from your Coldcard as the key-pairs for multisig will be different.
When generating seed words you were given your original 24 words before adding the 6 dice rolls. Once the rolls are done and you are given the new set of seed words, does this make the original 24 words useless and is the new set of words all you need to keep? Thanks!
That's correct that the new set of words is all you need to keep - the entropy you've created with dice rolls produces a unique private key that is used to derive your updated 24 words. One point I also should have emphasized more: do A LOT of dice rolls! At least 100. Humans are bad at creating randomness, so just make sure you're doing lots and lots of dice rolls if you're going the user-generated entropy route.
Thank you Ian for helping on the path to multisig setup. High quality videos taking me through every aspect. I do have one question for you. Say you want to restore the multisig from scratch. You only have your seed phrase for wallets 1 and 2 and the xpub and script for wallet 3. Say in this instance we have 3 coldcards that I just lost. Would you be able to restore wallets 1 and 2 with whatever wallet you like (ledger, trezor, keystone, electrum etc)? When you then set up the multisig wallet with your 2 newly restored wallets and your xpub for wallet 3, will you then have restored the original multisig? Thank you.
Great question - just recapping the scenario to make sure I have it right:
-you have 3 coldcards and lost them all
-you have seed phrase for 2 of them and at least the pubkey and script type for the 3rd
Assuming that's right, you would indeed be able to recreate the multisig elsewhere using the 3 xpubs (you may or may not need the script types depending on what software you're using to recreate the multisig, but of course always have them for good measure). The individual devices you restore the 2 seeds into shouldn't matter as long as they support multisig. I'm also assuming this is a 2 of 3 multisig, so you'd then be able to sign with the 2 private keys that you still have. Hope that makes sense!
Sorry for the dumb question. Trying to understand how I’m protected by being only one knowing my 24 seed words. If someone shows up and kills me haha…all they need to know is my sparrow wallet password with access to my coldcard, right? They could just do what you just showed. Of course they would need pin to coldcard as well. Just trying to work out ways I can lose my funds. Are the seed words more about recovery if you needed a new hardware wallet?
Hey sorry for missing this one. Yes what you're describing is what some call the $5 wrench attack :) If someone comes and attacks you all they actually need is the 24 seed words. They can just take your seed and restore that into a different wallet, so they wouldn't even need to figure out your pin or sparrow password. Some individuals may choose to store their seed phrase in a safe or potentially have portions of it written down in separate locations, but as of now there's no silver bullet. You might find the following video interesting which talks about additional safeguards to protect against some of these attacks that we may see in the not-distant future: ua-cam.com/video/GFBnRiiy3IM/v-deo.html Multisig is another option you could consider - and having those component seed phrases in geographically separate locations. I've done a video on that type of setup here: ua-cam.com/video/nvE3c7DlNHg/v-deo.html or ua-cam.com/video/ZE8F7laSX84/v-deo.html While I'm always going to advocate for true self-custody, this is also why you see mixed custody models like Unchained Capital exist too. Hope that helps!
@@IanMajor thanks for the reply. I figured a lot of this out in these last few weeks. Just took a lot of hearing different takes on the same concept and playing around with the wallets for it to sink in. It’s going to be interesting to see what happens in the future. A majority of people will never be able to manage self-custody in my opinion. $5 wrench attack…I like that lol.
What's the difference between the final-txn file and the demo-signed file once you sign the transaction on the MK4 and you're ready to import it back to Sparrow?
Good question - the "final" file is finalized and ready for broadcast to the network, whereas the "signed" file is still a PSBT that could potentially be passed elsewhere to apply another signature or bit of data for example. I suspect Sparrow should be able to ingest and broadcast either, but I haven't tried that personally.
This is such a great video! Question though ... what if you export the JSON file to sparrow before you do the 'restore test?' So, the Sparrow wallet is loaded with XPUB and receive addresses from the COLDCARD, then you destroy seed ... then restore the seed onto the COLDCARD. Here's the question ... will the first x number of receive addresses on the device still match the receive addresses on Sparrow? I guess if they don't you could always delete the wallet and run through the export JSON drill again with the restored wallet, eh? Thanks again for this video!
Thanks for the kind words Kevin! And yes, assuming you've restored the exact same seed into the coldcard, it should deterministically create the same set of addresses that you saw previously.
Ian, you are correct! I was curious so after I destroyed the seed and then restored it to the COLDCARD, I checked the addresses and they matched with my Sparrow COLDCARD wallet. It was good to go through that drill to see it first hand. Thanks again for all of the great content!
I suppose you could create your private key on the coldcard and then simply access the "Address Explorer" option to grab an address that you can send to from another wallet without ever having paired the coldcard to another wallet interface. The challenge is that with the small screen size this would be very prone to error to write down an address and then enter it elsewhere, but still possible: coldcard.com/docs/address-explorer/
In this scenario, think of Sparrow more as software that you can pair your hardware wallet with to see your balances, receive funds, etc. Ledger already comes with its own software (Ledger Live), so while it's not necessary to pair it with something else like Sparrow, you can still do so. Pairing your hardware wallet with software doesn't move the bitcoin since the private keys controlling those bitcoins are still on your hardware wallet regardless of which software you pair it with. I believe Ledger Live is fully open-source (like Sparrow), so I suppose it comes down to whether you like the interface of Sparrow better or not. However, when it comes to the hardware device itself I would personally choose a Coldcard or Foundation Passport over the Ledger since the Ledger firmware is not open-source. Hope that makes sense!
I no longer use mine, and I also took down the standalone Ledger tutorial video I had done awhile back (it’s still featured in a couple of the multisig vids I’ve done, but I no longer recommend folks using one)
First things first: as long as you have the seed, you’ll have access to your funds even if something were to happen to the Coldcard. To prove that to yourself, you could always import the seed into a different wallet (although probably not recommended as you ideally don’t want to expose your seed to an internet-connected device). I know it’s somewhat of a waste of fees, but you could also send the vast majority of the funds out of your Coldcard to a different wallet, wipe the Coldcard, practice restoring the seed (and seeing the expected balance), and then send back the vast majority of your stack. Potentially worth it for the peace of mind, but I wouldn’t stress too much either!
@@IanMajor what I'm stressing about more now is multisig. I was reading that with a multisig setup you have WAY more potential failure and loss of funds, mainly, that to restore a multisig setup you must have backups of all xpubs in addition to the private keys. So that's 3 private keys, and 3 xpubs to store and keep track of in a 2 of 3 setup. Even more info with derivation paths, fingerprints, etc. 6 steel plates? 😳 Is that right?
Great question - I can't think of any attack vectors though beyond breaking the encryption itself or guessing the password/code depending on how the backup file is encrypted
Was scanning my comments and came upon this one again. Given the debacle that just occurred with Luke Dash Jr (see my latest video for context), I just wanted to add that under no circumstances should you have the *key* for decrypting the backup file saved on an internet-connected computer :) That probably goes without saying given your original question, but just mentioning this to be safe
Good question - as long as you have the same devices, you'll be able to recreate but I'd always recommend having the individual seeds (which you would do anyway), the pubkeys for all devices in the multisig, and ideally the derivation paths (e.g. m/48/0/0/2) which should all display in the Settings section on Sparrow. Those last pieces are sometimes useful depending on what wallet software you're trying to recreate the multisig in to ensure it gets recreated properly. Hope that helps!
I noticed when I exported my coldcard wallet to Sparrow, the balance wasn’t getting transferred. Took a while to figure out that the derivation was wrong. My Arculus card had a 12 word pass phrase. And the software didn’t like that. Changed the derivation to m/0’ fixed the problem and now my balance is there.
Interesting - thanks for sharing your experience here! I'm not familiar with Arculus myself and have generally seen Sparrow do a good job of finding the right key paths when importing, but this is good to know.
@@IanMajor Thanks for your response. Do I still need to transfer the files onto the memory stick and do encryption? I ask because when I try to connect my coldcard to sparrow, it returns the error 'no fingerprint detected'.
@@BioinfoHQ Hmm interesting, and you created your seed already on the device, correct? 'No fingerprint detected' is an odd error - even though it appears you have the latest firmware, I might still suggest trying those steps to install the latest just to be doubly sure. If that doesn't work, I might suggest trying to DM Coldcard on twitter as I will likely quickly run out of good other ideas to try here!
@@IanMajor You can say that again! I've been using a trezor, which is a doddle to set up and to use. But I'm giving myself brain-ache with all the new stuff I've had to learn for the Coldcard. I like the philosophy behind it though, but I'd be quite lost without your tutorials. This is the first tutorial of yours I have seen, and it is far & away the best I have come across - it is a God-send. Thank you so much!
In this setup, you'd see the balance in Sparrow Wallet which is "paired" up with your Coldcard. If you go to "Transactions" on the left-hand side of Sparrow, you'll see your balance at the top
So if the coldcard first address is different from the sparrow wallet, what went wrong? Thanks for the video. This is all really confusing coming from a ledger
Yes, alas it's definitely a learning curve to go from something like a ledger to a fully air-gapped device like the Coldcard. That's strange that the addresses are different - did you definitely export the Generic JSON option from the Coldcard? (Advanced > MicroSD Card > Export Wallet > Generic JSON). One other thing you can check is the master fingerprint - you'll see this on the Settings tab of Sparrow in the "keystores" section of the page near the bottom. You can compare this on the Coldcard device by going to Advanced > View Identity. Assuming you haven't yet sent any funds to these keys, you could also try "nuking" the device by going to Advanced > Danger Zone > Destroy Seed and then try creating a new seed and trying the export again. If none of that works, I'm probably out of ideas unfortunately :( I think both Coldcard and Sparrow have pretty decent support so you could try messaging either of them on Twitter to see if other users have experienced anything similar and what steps to try.
Brilliant video as always. Ian does the best walkthroughs available, highly detailed and thorough which is exactly what I want from a tutorial. And yes, BTC Sessions also does excellent tutorials however I find Ian's tutorials cover more detail and he explains everything really well. I very much appreciate Ian's expertise.
Wow, very high praise here 🙏 Sincerely appreciate this feedback and am thrilled that you're getting value from the content!
One of the best instructional videos I've seen! Thanks for the clarity and great work!
Thrilled to hear you found this helpful! Thanks for the kind words 🙏
Great tutorial! Waiting for my new Mk4...I feel pretty confident in using it after viewing this video twice...Thanks!!!
Great to hear - glad you found this useful!
This video came at the best time, haha. I just ordered my cold card, and it's in the process of being sent. This tutorial will be super helpful come the time I need to set it up!
Love it! Glad this video found you at the right time - enjoy your Coldcard 🤝
Hello Ian, is it best practice to keep backups of the xpubs for easy recovery or not necessary for single sig? As the same xpub should be generated when you recover via the 24 word seed import ? Is that correct?
A very, very detailed video! Love it and thanks for some clarity on the cold cards passphrase. I had questions about that and couldn’t find it anywhere on UA-cam but your video cleared up every question I had about that. 👍🏾👍🏾
Awesome - I'm really glad to hear this! Enjoy your Coldcard 👊
48:57 caption is why I thumb this up. I could never quite get my head around this Coldcard - Sparrow pairing. This caption explains it.
Love seeing comments like this! I try to be thorough because it's easy to miss small yet important context on some of these steps
Great video! I am on my third cold card, and I still use your video to help me with steps.
Love that! Always great to have you tuning in
Excellent speaker, Ian!! We can always rewind to listen more carefully. Thanks.
Appreciate that!
At 44:33, would you export the XPUB (not the generic json) if you just want to create Watch Only in Sparrow?
41:00 Putting in the seeds again looks challenging to say the least; in this instance the Coldcard Q can't come soon enough.
Your videos are priceless. Thank you so much!
Love hearing this, and am glad you're finding the content valuable! 🙏
Around 19:18, you said "The device won't even run or process firmware that has not been been signed by Coinkite." Were you referring specifically to the MK4 model, or to all the Coldcard models in general?
Anyway, you're absolutely right that file verification is a lot more difficult and requires way more steps on Windows compared to other operating systems like Linux. Windows and Apple are only easy when used according to how the companies that designed those products expect the average user to use them. If you're not an average user, you may struggle to get stuff done on their platforms.
Some users may have an easier time booting Linux off a USB drive and verifying the firmware that way instead of downloading, verifying, and installing the PGP tools for Windows. Previous versions of Kleopatra had fatal errors when I tried running them on Windows, but thankfully the newer versions work without issue.
I'm fairly certain it's in relation to all models - you can find the text in this section here coldcard.com/docs/upgrade#upgrading-your-coldcards-firmware which is a generalized tutorial in their docs, not specific to Mk4.
Interesting - I've fortunately not run into those issues with Kleopatra, but I'm with you... Windows makes this very very tedious. That's an interesting approach with Linux - I've been meaning to look into Linux more generally
Can't wait to watch it all!!
Excellent video! You have a new subscriber!
Welcome! Great to have you, and I'm glad you found the content useful :)
Great tutorial. From 1:04:30, you describe how to tell the Coldcard that a multisig wallet has been created with the Trezor. Is this step essential?
Does making the Coldcard aware that it has joined a multisig wallet preclude that Coldcard from being used separately as a single signature wallet or as part of other multisig wallets?
Is there any limit to how many multisig wallets the same Coldcard can join?
That step is indeed a requirement. However that does not preclude the ColdCard from being used as a single sig setup simultaneously (there are separate keys that a wallet uses to sign single signature setups vs. multisig setups), and you can indeed also use your ColdCard as a signer across multiple multisig setups.
That’s a great question on how many, and it appears from their documentation that the limit is up to 8 M-of-3 wallets: coldcard.com/docs/multisig
great! thx very much. good job
Excellent tutorial!
🙏
May all be very safe and ingenious, but the very complexity of this procedure is a risk in itself.
There are some guardrails in place that make the manual firmware verification somewhat redundant, but it is certainly the case that air-gapped usage like what's being shown here is more complex in general! Always take your time with any of this and test things out with tiny amounts until you're comfortable.
Thank you for great video.
You are most welcome
"Xfp not involved" is what I get when I try and sign. What’s that mean?
Excuse my newbie question. At 53:09, how to send that 100k sats to the coldcard? Or is it already in the coldcard once the transaction is confirmed on Sparrow wallet? If not, how to send it to the coldcard? Thank you!
Hey all good! If you rewind to about 51:53 you'll see the step where I go to the "receive" tab in order to generate an address from my Coldcard. This is the address I'm going to send bitcoin to from another wallet. And then at 52:10 you'll see I pull up a different bitcoin wallet where I scan the QR code in order to send the bitcoin.
Does that make sense?
@@IanMajor Hi Ian! Thanks a lot for taking the time to reply to my totally newbie question. I'm sorry if my question was not clear enough. Let me put it another way, and hopefully it will clear things up: what I understand is that you sent 100k sats from the blue wallet to the sparrow wallet and it took some time before it was finally confirmed that 100k sats showed up in the sparrow wallet. Now that the 100k sats sit in the sparrow wallet, what puzzles me still is whether that 100k sats in that sparrow wallet is (automatically) already in the coldcard as well? Or do we have to perform another transfer from that sparrow wallet to the coldcard (so there is no balance left anymore in the sparrow wallet)? Here is the summary:
1. Sats from Blue wallet --> Sparrow wallet.
2. Sats from Sparrow wallet --> Coldcard wallet. (Do we need to perform this action? Or does what sits in the Sparrow wallet automatically sit in the Coldcard wallet?)
Again, thank you for your time!
Thanks for clarifying and this is indeed a common point of confusion so don't worry. In this setup where you're pairing your Coldcard with software like Sparrow, think of Sparrow merely as an interface you're using to make it easier to interact with your Coldcard. Since Coldcard does not have its own accompanying software (e.g. something like Ledger Live for Ledger or what Trezor has for their devices), you need to pair Coldcard with something like Sparrow (and there are many other options as well).
What's happening when you "pair" is that you're uploading into Sparrow the extended public key of your Coldcard device. The private keys are still securely held on your Coldcard, but by importing the extended public key of your Coldcard into Sparrow you can do things like:
-Visualize your balance
-Receive bitcoin using the addresses derived from that extended public key
-Construct transactions that will later be signed by the private keys stored on the Coldcard itself
So the sending of 100K sats in my video *IS* sending it to my Coldcard since Sparrow is simply the interface I've chosen to pair with my Coldcard.
Does that make sense?
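The pairing described in the reply above, as an added example (not code from the video, Coldcard or Sparrow): a BIP32 derivation in Python showing that a host holding only the exported account public key and chain code derives the same receive keys the device derives from its private keys. The seed is the public sample seed from BIP32 test vector 1, the `m/84'/0'/0'` account path is an assumption, and all function names are illustrative.

```python
import hashlib
import hmac

P = 2**256 - 2**32 - 977  # secp256k1 field prime
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141  # group order
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
HARDENED = 0x80000000
# Assumed single-sig account path m/84'/0'/0' (not stated on the page).
ACCOUNT_PATH = [84 + HARDENED, 0 + HARDENED, 0 + HARDENED]
# Constructed sample input: the public seed from BIP32 test vector 1.
SAMPLE_SEED = bytes.fromhex("000102030405060708090a0b0c0d0e0f")

def point_add(a, b):
    """Add two curve points; None is the point at infinity."""
    if a is None or b is None:
        return a or b
    (x1, y1), (x2, y2) = a, b
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if a == b:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P

def point_mul(k, pt=G):
    """Double-and-add scalar multiplication (not constant time, demo only)."""
    acc = None
    while k:
        if k & 1:
            acc = point_add(acc, pt)
        pt = point_add(pt, pt)
        k >>= 1
    return acc

def ser_point(pt):
    """33-byte compressed public key encoding."""
    return bytes([2 + (pt[1] & 1)]) + pt[0].to_bytes(32, "big")

def parse_point(data):
    """Decompress a 33-byte public key back to (x, y)."""
    x = int.from_bytes(data[1:], "big")
    y = pow((pow(x, 3, P) + 7) % P, (P + 1) // 4, P)
    return (x, y if (y & 1) == (data[0] & 1) else P - y)

def _hmac512(key, data):
    digest = hmac.new(key, data, hashlib.sha512).digest()
    return int.from_bytes(digest[:32], "big"), digest[32:]

def ckd_priv(k_par, c_par, index):
    """BIP32 private child derivation; works for hardened and normal indexes."""
    if index >= HARDENED:
        data = b"\x00" + k_par.to_bytes(32, "big")
    else:
        data = ser_point(point_mul(k_par))
    il, chain = _hmac512(c_par, data + index.to_bytes(4, "big"))
    child = (il + k_par) % N
    if il >= N or child == 0:
        raise ValueError("invalid child key, use the next index")
    return child, chain

def ckd_pub(pub_par, c_par, index):
    """BIP32 public child derivation; needs no private key, normal indexes only."""
    if index >= HARDENED:
        raise ValueError("hardened children cannot be derived from a public key")
    il, chain = _hmac512(c_par, pub_par + index.to_bytes(4, "big"))
    child = point_add(point_mul(il), parse_point(pub_par))
    if il >= N or child is None:
        raise ValueError("invalid child key, use the next index")
    return ser_point(child), chain

def derive_priv(seed, path):
    """Device side: walk a path from the seed using private keys."""
    key, chain = _hmac512(b"Bitcoin seed", seed)
    for index in path:
        key, chain = ckd_priv(key, chain, index)
    return key, chain

def export_account_xpub(seed):
    """What leaves the device when pairing: account public key and chain code."""
    key, chain = derive_priv(seed, ACCOUNT_PATH)
    return ser_point(point_mul(key)), chain

def watch_only_receive_keys(account_pub, chain, count):
    """Host side: derive receive keys 0/i from the exported public data only."""
    branch_pub, branch_chain = ckd_pub(account_pub, chain, 0)
    return [ckd_pub(branch_pub, branch_chain, i)[0] for i in range(count)]

def device_receive_key(seed, index):
    """Device side: public key for the same 0/index, derived via private keys."""
    key, _ = derive_priv(seed, ACCOUNT_PATH + [0, index])
    return ser_point(point_mul(key))

if __name__ == "__main__":
    pub, chain = export_account_xpub(SAMPLE_SEED)
    for i, key in enumerate(watch_only_receive_keys(pub, chain, 3)):
        print(i, key.hex(), key == device_receive_key(SAMPLE_SEED, i))
```

The host never calls `ckd_priv`: a compromised pairing computer learns addresses and balances from the exported data, but signing still requires the device.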
@IanMajor PERFECT!! Crystal clear now... So, basically the Sparrow wallet itself acts as a graphical user interface that Coldcard doesn't have, like Ledger and Trezor have their own 'suite'... Sincerest thanks for being patient and taking the time to reply to my question, Ian!
Great video. I realized my laptop doesn't have a micro SD slot though. Any ideas?
Thanks! There are adapters these days for just about everything so you could try something like the following assuming your laptop has a USB or USB-c connection: a.co/d/fcYi6o4
great value tutorial. thanks for your passion.
How could you not get excited about this stuff? Haha. Appreciate the feedback, and glad you found it valuable! 💪
I really trust your opinion and would like to see a BC Vault review. This wallet takes a completely different approach to security that seems to be more advantageous for true long term storage.
This one? bc-vault.com
@IanMajor Yes, this interview seems to answer a lot but also seems like old tech. Would love to hear your thoughts.
ua-cam.com/video/YOMWKZ-xIJA/v-deo.htmlsi=eX-9oqs4YsoeCUuB
@IanMajor Is JAM the best alternative to a coinjoin/mixer these days?
I appreciate the detail you provide. Using your instructions, I was able to complete the somewhat complicated process in Windows to upgrade to the latest MK4 firmware. Question though. When I created the backup in Backup Systems, it gave me a 12-word phrase, but two of the words were the same. Have you encountered words being duplicated in backup phrases before?
Very glad to hear that! Good question and yes, it is indeed possible for the same word to appear twice (but not more than twice) in your seed phrase. While it’s less common, it doesn’t detract from your security so nothing to worry about.
About the multisig xpub export: at 1:01:25, when it asks for the account number you want to export, you just proceeded without entering anything. What if you entered 0? Is it going to be the same as if you proceeded without entering anything?
Thanks for the valuable content
Correct, the default (i.e. entering nothing) is 0. This might be overkill, but the BIP has some more context on wallet structure for modern bitcoin wallets if you're curious: github.com/bitcoin/bips/blob/master/bip-0032.mediawiki#user-content-Specification_Wallet_structure
Glad you found the content useful!
Wow. Great video. Thanks for doing this.
🙏
Very helpful, thanks dude!
Glad you found it helpful!
Excellent video. Thank you. What cable does it come with? Also, can I plug this into a portable battery charger; USB to the ColdCard USB-C? Sounds like one will ALWAYS need a microSD if you want to be air-gapped, correct?
Good question, and it's one of the few things I don't like about Coinkite/Coldcard: the Mk4 model (currently priced at $147.94) doesn't actually come with a cable or anything else. So you'd need to get either their power-only USB-C cable or the Coldpower adapter - I'd generally recommend the latter, but yes you should also be able to plug this into a portable battery charger.
And yes, you will always need a microSD if you want this to be fully air-gapped. They've incorporated NFC tech that can serve as an alternative method to transfer data, but it might be a little while before other software wallets that you're pairing your Coldcard with support that.
Hope that helps! I am a massive fan of Coldcard and continue to use one, but I'm also a big fan of the Foundation Passport in case you want to check that out as well. Their model comes with a microSD card and takes normal batteries which is nice.
Thank You for the video!
You're welcome!
great guide. Thank you
You're very welcome - glad you found it useful
Thank you for posting! What are your thoughts on security of blockstream jade?
I haven't personally dug into the Jade yet, but it's on my list!
Superb video - thank you! It would be a lot easier, rather than shuffling SD cards back & forth, to plug the Coldcard into the computer, as I've been doing with my Trezor. I presume there must be a major security down-side to doing that? How bad is it?
Thanks! It's hard to quantify the degree to which it's more secure unfortunately - I definitely don't think using a Trezor or Coldcard in a non-air-gapped fashion places you in imminent security risk, but air-gapped usage of a device is a meaningful enough difference to where it's worth doing if you want to maximize your security.
I think of it this way: does the inconvenience of shuffling SD cards back and forth more than offset the incremental security gains? Unless you're using your hardware wallet very very frequently (most people aren't), the answer is probably 'no'
@IanMajor Thank you so much for taking the trouble to reply. I am trying to get my head around the various technical aspects of using Bitcoin. The Trezor was a doddle, but Matthew Kratter has been warning of possible security concerns, at least with their coin-join facility.
I might add that I was born long before computers as such even existed, and while the great Alan Turing was still with us! But I am naturally wary of the digital world, and of computers - to paraphrase Francis Bacon, I believe they make good servants but bad masters.
Having said all that, I am fully on board with the Bitcoin revolution, and I understand the huge significance of Satoshi's gift to humanity. So I've had to embark on a bit of a learning curve - especially since I bought a Cold Card!
My understanding is that the 'seed phrase' would always stay trapped inside the Cold Card regardless, and that any risk of plugging the Cold Card into the computer would be confined to the current transaction? Am I being unduly complacent?
Thank you once again for your excellent tutorials, which I find far better than anything else out there.
Best wishes, Hugo Miller
Amazing video! Can I use the ColdCard MK3 I've been using for a single sig in Sparrow as 1 of 3 devices in a new multi-sig I'm setting up? If so, will I still be able to access my single-sig wallet?
Glad you found it useful Larry! Yes you certainly can. Your Coldcard is capable of producing addresses and signatures for both single-sig and multisig, so you can add your MK3 as one of the co-signers in a multisig setup without messing with your single-sig. Keep in mind that you'll need to specifically export the multisig extended public key from your Coldcard as the key-pairs for multisig will be different.
When generating seed words you were given your original 24 words before adding the 6 dice rolls. Once the rolls are done and you are given the new set of seed words, does this make the original 24 words useless and is the new set of words all you need to keep? Thanks!
That's correct that the new set of words is all you need to keep - the entropy you've created with dice rolls produces a unique private key that is used to derive your updated 24 words. One point I also should have emphasized more: do A LOT of dice rolls! At least 100. Humans are bad at creating randomness, so just make sure you're doing lots and lots of dice rolls if you're going the user-generated entropy route.
Thank you Ian for helping on the path to multisig setup. High quality videos taking me through every aspect. I do have one question for you. Say you want to restore the multisig from scratch. You only have your seed phrase for wallets 1 and 2 and the xpub and script for wallet 3. Say in this instance we have 3 coldcards that I just lost.
Would you be able to restore wallets 1 and 2 with whatever wallet you like (ledger, trezor, keystone, electrum etc)? When you then set up the multisig wallet with your 2 newly restored wallets and your xpub for wallet 3, will you then have restored the original multisig?
Thank you.
Great question - just recapping the scenario to make sure I have it right:
-you have 3 coldcards and lost them all
-you have seed phrase for 2 of them and at least the pubkey and script type for the 3rd
Assuming that's right, you would indeed be able to recreate the multisig elsewhere using the 3 xpubs (you may or may not need the script types depending on what software you're using to recreate the multisig, but of course always have them for good measure). The individual devices you restore the 2 seeds into shouldn't matter as long as they support multisig.
I'm also assuming this is a 2 of 3 multisig, so you'd then be able to sign with the 2 private keys that you still have.
Hope that makes sense!
Such an excellent video! Merci !
🤝 You are most welcome friend
Sorry for the dumb question. Trying to understand how I’m protected by being the only one knowing my 24 seed words. If someone shows up and kills me haha…all they need to know is my sparrow wallet password with access to my coldcard, right? They could just do what you just showed. Of course they would need the pin to the coldcard as well. Just trying to work out ways I can lose my funds. Are the seed words more about recovery if you needed a new hardware wallet?
Hey sorry for missing this one. Yes what you're describing is what some call the $5 wrench attack :) If someone comes and attacks you all they actually need is the 24 seed words. They can just take your seed and restore that into a different wallet, so they wouldn't even need to figure out your pin or sparrow password.
Some individuals may choose to store their seed phrase in a safe or potentially have portions of it written down in separate locations, but as of now there's no silver bullet. You might find the following video interesting which talks about additional safeguards to protect against some of these attacks that we may see in the not-distant future: ua-cam.com/video/GFBnRiiy3IM/v-deo.html
Multisig is another option you could consider - and having those component seed phrases in geographically separate locations. I've done a video on that type of setup here: ua-cam.com/video/nvE3c7DlNHg/v-deo.html or ua-cam.com/video/ZE8F7laSX84/v-deo.html
While I'm always going to advocate for true self-custody, this is also why you see mixed custody models like Unchained Capital exist too.
Hope that helps!
@IanMajor thanks for the reply. I figured a lot of this out in these last few weeks. Just took a lot of hearing different takes on the same concept and playing around with the wallets for it to sink in. It’s going to be interesting to see what happens in the future. A majority of people will never be able to manage self-custody in my opinion. $5 wrench attack…I like that lol.
What's the difference between the final-txn file and the demo-signed file once you sign the transaction on the MK4 and you're ready to import it back to Sparrow?
Good question - the "final" file is finalized and ready for broadcast to the network, whereas the "signed" file is still a PSBT that could potentially be passed elsewhere to apply another signature or bit of data for example. I suspect Sparrow should be able to ingest and broadcast either, but I haven't tried that personally.
This is such a great video! Question though ... what if you export the JSON file to sparrow before you do the 'restore test?' So, the Sparrow wallet is loaded with XPUB and receive addresses from the COLDCARD, then you destroy seed ... then restore the seed onto the COLDCARD. Here's the question ... will the first x number of receive addresses on the device still match the receive addresses on Sparrow? I guess if they don't you could always delete the wallet and run through the export JSON drill again with the restored wallet, eh? Thanks again for this video!
Thanks for the kind words Kevin! And yes, assuming you've restored the exact same seed into the coldcard, it should deterministically create the same set of addresses that you saw previously.
Ian, you are correct! I was curious so after I destroyed the seed and then restored it to the COLDCARD, I checked the addresses and they matched with my Sparrow COLDCARD wallet. It was good to go through that drill to see it first hand. Thanks again for all of the great content!
Is it possible to receive funds on a coldcard wallet without ever pairing it to a computer?
I suppose you could create your private key on the coldcard and then simply access the "Address Explorer" option to grab an address that you can send to from another wallet without ever having paired the coldcard to another wallet interface. The challenge is that with the small screen size this would be very prone to error to write down an address and then enter it elsewhere, but still possible: coldcard.com/docs/address-explorer/
@IanMajor Thank you!! I just read about the qr code function in the address explorer which would make this easy too!
Are you sure you're screwed losing the passphrase? Don't you think that can be brute forced provided you have the seed phrase?
True, at least if it's not a very good passphrase. But then what's the point of adding one in the first place? :)
So, let’s say you have two bitcoins on ledger then you would need to move them to sparrow??
In this scenario, think of Sparrow more as software that you can pair your hardware wallet with to see your balances, receive funds, etc. Ledger already comes with its own software (Ledger Live), so while it's not necessary to pair it with something else like Sparrow, you can still do so. Pairing your hardware wallet with software doesn't move the bitcoin since the private keys controlling those bitcoins are still on your hardware wallet regardless of which software you pair it with.
I believe Ledger Live is fully open-source (like Sparrow), so I suppose it comes down to whether you like the interface of Sparrow better or not. However, when it comes to the hardware device itself I would personally choose a Coldcard or Foundation Passport over the Ledger since the Ledger firmware is not open-source.
Hope that makes sense!
Which microSD cards support the coldcard?
It can be up to 32GB and then it also must be FAT12 or FAT32 format. I typically use a 16GB or 32GB Sandisk microSD
Do you still use your ledger?
I no longer use mine, and I also took down the standalone Ledger tutorial video I had done awhile back (it’s still featured in a couple of the multisig vids I’ve done, but I no longer recommend folks using one)
I never reset my cold card before adding my BTC and now I'm scared to test re-importing the seed.
First things first: as long as you have the seed, you’ll have access to your funds even if something were to happen to the Coldcard.
To prove that to yourself, you could always import the seed into a different wallet (although probably not recommended as you ideally don’t want to expose your seed to an internet-connected device).
I know it’s somewhat of a waste of fees, but you could also send the vast majority of the funds out of your Coldcard to a different wallet, wipe the Coldcard, practice restoring the seed (and seeing the expected balance), and then send back the vast majority of your stack.
Potentially worth it for the peace of mind, but I wouldn’t stress too much either!
@IanMajor what I'm stressing about more now is multisig. I was reading that with a multisig setup you have WAY more potential failure and loss of funds, mainly, that to restore a multisig setup you must have backups of all xpubs in addition to the private keys. So that's 3 private keys, and 3 xpubs to store and keep track of in a 2 of 3 setup. Even more info with derivation paths, fingerprints, etc. 6 steel plates? 😳 Is that right?
is it ok to have a backup file saved to the sd card that gets placed into a computer connected to the internet, even as an encrypted zip file?
Great question - I can't think of any attack vectors though beyond breaking the encryption itself or guessing the password/code depending on how the backup file is encrypted
Was scanning my comments and came upon this one again. Given the debacle that just occurred with Luke Dashjr (see my latest video for context), I just wanted to add that under no circumstances should you have the *key* for decrypting the backup file saved on an internet-connected computer :) That probably goes without saying given your original question, but just mentioning this to be safe
@IanMajor great 👍🏻 thank you so much!
Backup for multisig? Or just recreate with same devices?
Good question - as long as you have the same devices, you'll be able to recreate but I'd always recommend having the individual seeds (which you would do anyway), the pubkeys for all devices in the multisig, and ideally the derivation paths (e.g. m/48/0/0/2) which should all display in the Settings section on Sparrow. Those last pieces are sometimes useful depending on what wallet software you're trying to recreate the multisig in to ensure it gets recreated properly.
Hope that helps!
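Why the backup list above, and the earlier 2-of-3 recovery answer, include the pubkeys of every cosigner: a multisig address commits to all of them. This added example (not Sparrow's or Coldcard's code) builds a 2-of-3 witness script and its P2WSH scriptPubKey. The sorted key order, the P2WSH script type and the 33-byte keys are assumptions; the keys are constructed stand-ins, not real curve points.

```python
import hashlib

OP_0, OP_CHECKMULTISIG, PUSH_33 = 0x00, 0xAE, 0x21

def witness_script(m, pubkeys):
    """OP_m <pk1> ... <pkn> OP_n OP_CHECKMULTISIG with keys sorted (assumed sortedmulti)."""
    n = len(pubkeys)
    if not 1 <= m <= n <= 16:
        raise ValueError("need 1 <= m <= n <= 16")
    if any(len(pk) != 33 for pk in pubkeys):
        raise ValueError("expected 33-byte compressed public keys")
    pushes = b"".join(bytes([PUSH_33]) + pk for pk in sorted(pubkeys))
    return bytes([0x50 + m]) + pushes + bytes([0x50 + n, OP_CHECKMULTISIG])

def script_pubkey(m, pubkeys):
    """P2WSH output script: OP_0 <32-byte SHA-256 of the witness script>."""
    return bytes([OP_0, 0x20]) + hashlib.sha256(witness_script(m, pubkeys)).digest()

def constructed_pubkey(label):
    """Constructed 33-byte stand-in for one cosigner's child public key."""
    return b"\x02" + hashlib.sha256(label.encode()).digest()

def demo():
    """Compare rebuilt output scripts against the original 2-of-3 wallet's."""
    a, b, c = (constructed_pubkey(x) for x in ("cosigner-1", "cosigner-2", "cosigner-3"))
    original = script_pubkey(2, [a, b, c])
    return {
        # Same three keys supplied in a different order: same address.
        "reordered_matches": script_pubkey(2, [c, a, b]) == original,
        # Only the two keys restored from seed: a different script entirely.
        "missing_third_matches": script_pubkey(2, [a, b]) == original,
        # A third key from the wrong account or derivation path: no match either.
        "wrong_third_matches":
            script_pubkey(2, [a, b, constructed_pubkey("wrong-path")]) == original,
    }

if __name__ == "__main__":
    for check, result in demo().items():
        print(check, result)
```

Two seeds are enough to sign in a 2-of-3, but without the third public key the wallet software cannot rebuild the script that the coins are locked to, so it cannot find or spend them.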
I noticed when I exported my coldcard wallet to Sparrow, the balance wasn’t getting transferred. Took a while to figure out that the derivation was wrong. My Arculus card had a 12 word pass phrase. And the software didn’t like that.
Changing the derivation to m/0’ fixed the problem and now my balance is there.
I previously had an Arculus but it wouldn’t work for large sends… the card would show error. So got a cold card to replace it.
Interesting - thanks for sharing your experience here! I'm not familiar with Arculus myself and have generally seen Sparrow do a good job of finding the right key paths when importing, but this is good to know.
What are your thoughts on Arculus wallet?
I've yet to check it out! I do have one from Bitcoin 2022 though, so it's on the list
@IanMajor awesome can’t wait to see your review
Tell me, what's the harm if I use a normal USB-C cable and power bank? Why do I need to spend extra?
That should be fine!
Hi, what if my firmware is up to date, do I still need to verify and sign the firmware?
Hey there - if your firmware is already up-to-date with the latest version, then no need for any further action on that step!
@IanMajor Thanks for your response. Do I still need to transfer the files into the memory stick and do encryption? I ask because when I try to connect my coldcard to sparrow, it returns the error 'no fingerprint detected'.
@BioinfoHQ Hmm interesting, and you created your seed already on the device, correct? 'No fingerprint detected' is an odd error - even though it appears you have the latest firmware, I might still suggest trying those steps to install the latest just to be doubly sure.
If that doesn't work, I might suggest trying to DM Coldcard on twitter as I will likely quickly run out of good other ideas to try here!
It’s a really complicated cold wallet :)
It can definitely be a paradigm shift from other more "usable" hardware devices like Ledger, but once you get the hang of it you will be glad you did!
@IanMajor Agree. But I won’t do all the verification. I already bought the microSD to be totally “unplugged” :)
@IanMajor You can say that again! I've been using a trezor, which is a doddle to set up and to use. But I'm giving myself brain-ache with all the new stuff I've had to learn for the Coldcard. I like the philosophy behind it though, but I'd be quite lost without your tutorials. This is the first tutorial of yours I have seen, and it is far & away the best I have come across - it is a God-send. Thank you so much!
How can I see the balance?!
In this setup, you'd see the balance in Sparrow Wallet which is "paired" up with your Coldcard. If you go to "Transactions" on the left-hand side of Sparrow, you'll see your balance at the top
@IanMajor wooow maaan, thank you soooo much 🙏🙏
This video broke my brain
Anything I can clarify?
Go get a clone
We are in the army now
👍
When you censor information rather than engaging in discourse, do you actually stand for what bitcoin stands for?
What is being censored exactly?
No way people gonna do this for mass adoption
I would agree. I think you'll see mixed custodial solutions like Fedi for the masses
So if the coldcard first address is different from the sparrow wallet, what went wrong? Thanks for the video. This is all really confusing coming from a ledger
Yes, alas it's definitely a learning curve to go from something like a ledger to a fully air-gapped device like the Coldcard. That's strange that the addresses are different - did you definitely export the Generic JSON option from the Coldcard? (Advanced > MicroSD Card > Export Wallet > Generic JSON).
One other thing you can check is the master fingerprint - you'll see this on the Settings tab of Sparrow in the "keystores" section of the page near the bottom. You can compare this on the Coldcard device by going to Advanced > View Identity
Assuming you haven't yet sent any funds to these keys, you could also try "nuking" the device by going to Advanced > Danger Zone > Destroy Seed and then try creating a new seed and trying the export again.
If none of that works, I'm probably out of ideas unfortunately :( I think both Coldcard and Sparrow have pretty decent support so you could try messaging either of them on Twitter to see if other users have experienced anything similar and what steps to try.