Security of digital assets in blockchain system is controlled by controlling the access of private key to only one user in the system. If private key gets compromised or lost then there is no way by which access to the assets can be regained. Linked to every private key there is a public key using which one can send assets to another user. So, if user A has to transfer assets to user B then user A will have to transfer the assets to the public key of user B and user B will be able to use the assets by using his/her private key.
In other words, if you have to send an email to someone then you will send the email to the receiver’s email address. Here, email address is equivalent to public key. Now the receiver needs his/her password in order to see the email. The password used by the receiver is equivalent to the private key. Both Bitcoin & Ethereum uses ECDSA security.
As you can see above, your asset on the blockchain system is as secure as your private key. There are millions of ways available by which you can keep your private key secure, but history shows that even the most complex security system got hacked because of which private key got compromised. Among all the other ways there is only way using which you can make your private key really secure from online attacks and that one way is storing your private key offline. An air gapped system is one of the most secure and recommendable way of storing your private key.
The way this system works is that you install a small offline wallet on a computer system which is not connected to any network. You make sure that this computer system is at a location where it cannot be physically accessed by anyone but only by you.
To setup a cold storage you basically need any computer system which is completely offline and located at physically secure location.
Now using the ECDSA algorithm you need to generate a public and private key pair on this offline system. Private key will be encrypted again by the password which you will supply during key generation process. Since ECDSA encryption is used by Bitcoin and Ethereum system, therefore equivalent public key will automatically become a valid public address on both the system. You can start providing this public key to anyone who wants to send assets to you.
Once you have received some assets you can also send out any number of assets without bringing your private key online. In order to do it, using the wallet installed on the offline system you can create a signed transaction to send asset to anyone. Once the transaction gets created just take that transaction in some pen drive and execute it on an online system which is already connected to main Bitcoin or Ethereum network and you will see that once the transaction gets mined, assets will get transferred to the requested party. The magic here is that at any point of time you were not required to bring your private key online. By keeping private key offline, if by any chance your online system gets hacked still all your assets will remain safe in this cold storage.
As a general recommendation, each cryptocurrency user is advised to have at least two set of public and private key pair. One pair he/she can keep online and can use to do daily transaction in real time. Storing of key pair online is called Hot Storage in cryptocurrency world. Similarly, a user is also advised to keep another private key offline on an air gapped system and keep most of the assets using this offline pair of key. It is similar to today’s banking system where, in your chequing account, you keep limited assets which you need to fulfill your daily liquidity and you keep your saving somewhere else securely. Similarly, in cryptocurrency world you never want to keep all your saving with you always.
If your private key is on some storage which is online and you can conveniently use to make transaction in real time, then such storage is called Hot Storage.
In order to keep your identity anonymous to a certain extent and increase security, it is also advised to use new public key every time you receive a payment. Generally, most of the wallet provide this functionality where they generate new public key for each transaction and manage all the public key for you. For you it’s always only one password which you need to maintain. For hot storage, it’s easy to generate a new public key for every transaction. But how to do the same for cold storage. In order to do it on cold storage every time you will have to go to an offline system to generate a new public key, and then transfer that public key to online system. Another way is to generate public key in batch and then transfer all the public key to an online system and start using the key one by one. But this is not an ideal way to use public key for every transaction. Therefore, ECDSA system allows you to generate a master public key using which you can generate any number of public key but using this master public key you will never be able to guess the private key. Now whenever you want to receive assets just use this master public key to generate a new public key on an online system and ask the receiver to transfer the assets directly to your cold storage.