ciphergoat

Best Practices

Practice first

Practice ciphergoat before any real usage. Download the app, play with it, create fake recovery seed phrases and learn how to recover and export them.

What are the risks?

There are three possible attack vectors on your recovery seed phrase security:

Anytime you create or read your recovery seed - e.g. using a compromised device, or accessing it in a public setting etc.
Enabling access to your encrypted recovery phrase, whether stored on your device or as a SeQR code or file.
Compromising your passphrase, or not using a complex enough passphrase.

Other risks include:

Forgetting your passphrase.
Losing all your backups.
Sharing both encrypted backups and passphrase with others.

How to maximize security:

Self custody is the only way to assure sovereignty, but the tradeoff is responsibility - you are ultimately responsible for your own property and actions. Ciphergoat goes a long way in helping you achieve that level of sovereignty and security, but nothing can guard against poor judgment. Here are some tips to help you understand the risks and how to maximize security

Don't use a trivial passphrase to encrypt your recovery phrase. These include known sequences of words (“good morning sunshine”), or something people who know you can guess.
Forgetting your recovery passphrase: don’t make it simple, but don’t make it so complicated that you may forget it yourself. First write it down on a piece of paper, practice it for a few days before destroying it. If you lose it, you lose access and we can’t help you either.
Understand how ciphergoat works, start with a fake recovery phrase, and practice before using your real wallet recovery phrase.
Compromised device (i.e. with spyware) - use a dedicated device, and one only you control and have access to.
Only use the app while in airplane mode, and switch off your wifi.
Next store your encrypted recovery and passphrase together. Commit the passphrase to memory, backup or share it with great care.
Use ciphergoat only on a device you alone control and have access to.
Don’t talk about your crypto holdings, never say how much you own or where you hold it.
Only use the app you directly download from a store our site cipergoat.com. Make sure you are downloading the correct application.
Create a good passphrase.
Secure your encrypted backup file or SeQR Code, share it only with people you trust.
Abstraction: if you save encrypted versions of your recovery as files, name as a common file that will not raise attention.
When setting up, write down the passphrase you set on paper, keep it until you are completely confident with having your passphrase memorized, then destroy the note.
Set reminders and practice your passphrase once a week, then once a month.
See more advanced options here

How do I know I have a genuine copy of your app?

On your laptop, only download from ciphergoat.com
If using the Apple App Store, make sure…
If using Android Google Play, make sure…
When running the app - you are always asked to turn off wifi and work in airplane mode

Advance security tips

Create an additional seed passphrase. This is a phrase you create, in addition to the 12 or 24 word recovery phrase given by your wallet software, and is available on most hardware wallets. Memorize and do not include it in your ciphergoat backup.

Split your recovery phrase into 2 or more separate parts and use slightly different passphrases to encrypt them.

Use Shamir backups if possible (available with Trezor model T)

Increasing security also increases complexity and always increases your responsibility. For example, splitting your recovery seed into 3 parts will make it harder for someone to construct it, but will also make it harder for you to manage.