Cold Storage Explained

Understand the technology and security principles behind cryptocurrency cold storage and hardware wallets.

What is Cold Storage?

Cold storage refers to keeping cryptocurrency private keys completely offline, isolated from internet-connected devices and potential online threats. Hardware wallets like Trezor are the most popular and user-friendly form of cold storage.

Hot Wallets

Private keys are stored on internet-connected devices

  • Desktop wallet software
  • Mobile wallet apps
  • Exchange wallets
  • Web wallets

Risk: Vulnerable to malware, hacking, and remote attacks

Cold Storage

Private keys never touch the internet

  • Hardware wallets (Trezor)
  • Paper wallets
  • Metal backup plates
  • Air-gapped computers

Security: Protected from online threats and remote attacks

How Trezor Hardware Wallet Works

Transaction Signing Process

1. Create Transaction on Computer

You create a transaction in Trezor Suite (e.g., send 0.5 BTC to address xyz). This is done on your internet-connected computer.

↓ Transaction data sent to device

2. Verify on Trezor Screen

Transaction details appear on the Trezor screen. You verify the recipient address and amount directly on the trusted device display.

↓ User confirms

3. Sign with Private Key (Offline)

Inside the secure chip, the transaction is signed using your private key. The private key NEVER leaves the device.

// Inside Trezor secure element:
signature = sign(transaction, private_key)
// private_key stays in device

↓ Signed transaction returned

4. Broadcast to Network

The signed transaction is sent back to your computer and broadcast to the blockchain network. Only the signature is exposed, never your private key.

Key Principle

Your private keys are generated and stored exclusively on the Trezor device. They never appear on your computer or in its memory, and they are never transmitted over the internet. Even if your computer is infected with malware, your funds remain secure.

Private Key Generation

When you initialize a new Trezor, it generates your private keys using a cryptographically secure random number generator built into the device's secure chip.

// Simplified key generation process (BIP39 + BIP32):
// Step 1: Generate entropy (randomness) inside the device
entropy = secure_random_generator(256_bits)
// Step 2: Encode the entropy as a mnemonic (24 words)
mnemonic = entropy_to_mnemonic(entropy)
// Result: 24 words from the BIP39 wordlist; the last word also carries an 8-bit checksum
// Step 3: Stretch the mnemonic into a 512-bit seed, then derive the master key
//         (the passphrase is optional; it is mixed into the PBKDF2 salt)
seed = pbkdf2_hmac_sha512(mnemonic, salt="mnemonic" + passphrase, iterations=2048)
master_key, chain_code = hmac_sha512(key="Bitcoin seed", data=seed)
// Step 4: Derive account keys along BIP32 paths (BIP44 for legacy, BIP84 for native segwit)
bitcoin_key = derive(master_key, chain_code, "m/84'/0'/0'/0/0")
ethereum_key = derive(master_key, chain_code, "m/44'/60'/0'/0/0")
// Different derivation path for each cryptocurrency

Deterministic Wallets

All your private keys are derived from a single seed. This means your 24-word recovery phrase can restore ALL your cryptocurrency wallets across different blockchains.
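The key-generation steps above and the deterministic-wallet property, as an added runnable example that is not Trezor's firmware or any project's code: it implements the BIP39 entropy-to-mnemonic, mnemonic-to-seed and BIP32 seed-to-master-key steps with the Python standard library. It returns mnemonic word indices rather than words because the 2048-word list is not embedded, stops before BIP32 child derivation (which needs secp256k1 arithmetic), and uses the all-zero entropy and "TREZOR" passphrase from the published BIP39 test vectors as its constructed input.

```python
import hashlib
import hmac
import unicodedata

# Added example, not Trezor's firmware code. Implements the entropy -> mnemonic
# -> seed -> master key steps of BIP39/BIP32 with the standard library only.
# The 2048-word BIP39 wordlist is not embedded, so the mnemonic is returned as
# 11-bit word indices; a real wallet maps each index to a word in the list.


def entropy_to_word_indices(entropy: bytes) -> list[int]:
    """BIP39: append a checksum of len(entropy)/4 bits (leading bits of SHA-256),
    then split the result into 11-bit groups. 16 bytes -> 12 words, 32 -> 24."""
    if len(entropy) not in (16, 20, 24, 28, 32):
        raise ValueError("entropy must be 128..256 bits in 32-bit steps")
    checksum_bits = len(entropy) * 8 // 32
    digest = hashlib.sha256(entropy).digest()
    bits = bin(int.from_bytes(entropy, "big"))[2:].zfill(len(entropy) * 8)
    bits += bin(int.from_bytes(digest, "big"))[2:].zfill(256)[:checksum_bits]
    return [int(bits[i:i + 11], 2) for i in range(0, len(bits), 11)]


def mnemonic_to_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """BIP39: PBKDF2-HMAC-SHA512, 2048 rounds, salt = "mnemonic" + passphrase.
    Both strings are NFKD-normalised, so the same words always give the same
    seed, and a different passphrase yields a completely different wallet."""
    words = unicodedata.normalize("NFKD", mnemonic).encode()
    salt = ("mnemonic" + unicodedata.normalize("NFKD", passphrase)).encode()
    return hashlib.pbkdf2_hmac("sha512", words, salt, 2048, dklen=64)


def seed_to_master_key(seed: bytes) -> tuple[bytes, bytes]:
    """BIP32: HMAC-SHA512 keyed with the constant "Bitcoin seed". The left half
    is the master private key, the right half the chain code for child keys."""
    digest = hmac.new(b"Bitcoin seed", seed, hashlib.sha512).digest()
    return digest[:32], digest[32:]


if __name__ == "__main__":
    # Constructed input: the all-zero 128-bit entropy from the BIP39 test vectors.
    indices = entropy_to_word_indices(bytes(16))      # [0]*11 + [3]
    mnemonic = " ".join(["abandon"] * 11 + ["about"])  # words for those indices
    seed = mnemonic_to_seed(mnemonic, "TREZOR")
    key, chain = seed_to_master_key(seed)
    print(indices, seed.hex()[:16], key.hex()[:16], chain.hex()[:16])
```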

Secure Chip Isolation

The secure element (chip) in Trezor is designed to resist physical attacks, power analysis, and tampering. Private keys cannot be extracted even with direct hardware access.

Security Architecture Diagram

Computer (Untrusted)

Trezor Suite
• Creates unsigned transactions
• Displays wallet balance
• Broadcasts signed transactions
⚠ Potentially compromised by malware

USB Connection (data only)

Trezor Device (Trusted)

Screen & Buttons
• Verify transaction details
• Confirm with physical button press

🔒 Secure Element (Isolated)
Private Keys stored here
• Never exposed
• Never transmitted
• Tamper-resistant

Firmware
• Signs transactions
• Derives addresses
• Open source & verifiable

✓ Private keys never leave the secure element

Only signed transactions and public keys are transmitted to the computer