Make sure you go through the other piece “Using Bitcoin Hardware Wallets” first. I will skim through some steps and focus mostly on what is specific to BitBox2 here.
Setting up the BitBox02
The BitBox02 has a USB-C connection attached to the shell. If your computer uses the regular USB port, you’ll have to use the adaptor that comes with the device.
Connect it to your computer and the device will power on (don’t do it yet).
It has sensors above and below, and it will prompt you to touch the top or bottom to orientate the screen the way you’d like.
Download the BitBox02 App
Visit https://shiftcrypto.ch/ and click on the “App” link at the top to get to the download page:
Click the blue Download button:
To verify the download (it adds complexity, but recommended, particularly if you store a lot of bitcoin), see Appendix A.
After the download, you can unzip the file. On a mac, just double-click the downloaded file, and a BitBox App icon will appear in your downloads directory. You can drag it to your desktop (or anywhere) for easy access.
Double click the App to run it (it doesn’t get “installed”).
On the Mac, your computer nanny will give you a warning. Just ignore it and click “open”:
You’ll then see this:
Go ahead and connect the device to the computer.
It will show you a pairing code. Check they match, and then touch the sensor to select the checkmark. Then back to the screen, the continue button will become available for you.
You’ll then have the option to create a new seed, or restore a seed. I’ll demonstrate creating a new seed (It’s important to also restore the seed you created to test the quality of your backup, before you load any bitcoin on the wallet).
The device came with a microSD card. Go ahead and insert it if you have’t.
Name your device and click continue, then confirm on the device.
You’ll then be asked to set a password for the device. This is not part of your seed. It is not a passphrase either (that’s part of your seed). It is simply a password to lock the device. When you poweron the device, you’l’l be asked to enter this password each time. You have 10 consecutive failures allowed before the device will wipe itself of all memory, so be careful. The animation on the screen will teach you how to use the devices controls to set the password.
Read the next screen, and check each box, then continue.
And this is how the wallet looks once it’s ready to go.
NOT SO FAST!!
It’s quite odd, but the BitBox02 is telling us we’re ready to use the device, but it hasn’t promputed us to write down the seed words! The ONLY backup we have is the file saved to the microSD card. This is inadequate. These storage devices do not last forever (due to “bit rot”). We need a paper backup, and duplicates, kept in a safes (as explained in the general how-to-use-hardware-wallets guide)
To get our seed phrase and write it down, go to the “manage device” tab on the left, and then click “show recover words”
You can then go through the confirmation, and the device will present you the words. Write them down neatly, and never let anyone see the words.
After that, you can click on the Bitcoin tab on the left to get your receiving addresses.
It shows one at a time, but at least it lets you choose which address to use from the first 20:
Clicking the blue button will show the full address, and you’ll be prompted to check the address matches the display on the screen. This is good practice to confirm that no malware on your computer is tricking you to send bitcoin to an attacker’s address.
To send bitcoin to this wallet, you can copy the address and paste it into the withdrawal page of the exchange where your coins are. I recommend you send a small test amount first, then practice spending it either back to the exchange or to the second address in your wallet.
For larger amounts, I suggest you create a passphrase (see below). The original wallet (no passphrase) can be used as your decoy wallet (it will need to have a reasonable amount in there for it to be a believable decoy).
Connect to a node
The BitBox02 will automatically connect to a node. Let’s see where it’s connecting to. Click on the settings tab on the left, and then “connect your own full node”.
And here we can see it’s connecting to shiftcrypto’s node. Not great. We have betrayed all our bitcoin addresses to them, and our IP address (not the seed of course; they can see our addresses/balances, but can’t spend them). We can enter our own node details in this page (beyond the scope of this particular guide), or we can use better software like Sparrow Bitcoin Wallet, Electrum Desktop Wallet, or Specter Desktop. I’ll demonstrate Sparrow Bitcoin Wallet later in the guide.
Add a passphrase
Now that we have set up the device with the BitBox02 App (and revealed our addresses, unavoidable with this particular hardware wallet), we can add a passphrase to our seed phrase. This will allow us to create a new wallet using the same seed, and ShiftCrypto will never see our new addresses. We’ll be connecting this wallet to our own software only.
Go ahead now and “enable” the passphrase feature (but we’re not setting a passphrase yet). Got o the “manage device” tab, and click on “enable passphrase” (red circle below).
Read through the steps…
Now disconnect the device, and shut down the BitBox02 App
In previous articles, I explained how to download and verify Sparrow wallet, and how to connect it to your own node, or a public node. You should follow these guides:
An alternative to using Sparrow Bitcoin Wallet is Electrum Desktop Wallet, but I will proceed to explain Sparrow Bitcoin Wallet as I judge it to be the best for most people. Advanced users may like to use Electrum as an alternative.
We will now load it up and connect the BitBox02, with a wallet containing a passphrase. This wallet has never been exposed to BitBox02 App because it will be created AFTER we connected the device to the BitBox02 App. Make sure you never connect it to the BitBox02 again to not expose your new private wallet. If you must, make sure the passphrase is not applied. (It’s easy to mess this up, see the Firmware section below for instructions on how to avoid this mistake).
Power on the BitBox02. It will ask you to “See the BitBox App” – DON’T.
Run Sparrow Bitcoin Wallet, and create a New Wallet:
Name it something pretty
Notice the checkbox, “Has existing transaction”. If this is a wallet you’ve used before, then check this otherwise your balance will incorrectly show as zero. Checking this box asks Sparrow to examine Bitcoin Core’s database (the blockchain) for previous transactions. For this guide, we’re using a brand new wallet, so you can leave the box unchecked.
After this screen, the device will ask for your password, and then allow you to enter any passphrase you like. Note that each unique passphrase will create a unique wallet (when combined with the seed phrase contained in the device.)
Once you apply the passphrase on the device, you can click “Connected Hardware Wallet” and then Apply:
Click “Scan” and then “Import Keystore” on the next screen.
There’s nothing to edit in the next screen, the BitBox02 has filled it for you. Click “Apply”
The next screen allows you to add a password. Don’t confuse this with “passphrase”; many people will. The naming is unfortunate. The password allows you to lock this wallet on your computer. It is specific to this software on this computer. It is not part of your Bitcoin private key.
After a pause, while the computer thinks, you will see the buttons on the left change from grey to blue. Congratulations, your wallet is now ready to use. Make and send transactions to your heart’s content.
To receive some bitcoin, go to the Addresses tab on the left and choose one of the addresses to receive. Just right-click the address you want, and select “copy address”. Then go to your exchange where the money is being sent from and paste it there. Or you may give the address to a customer who can use it to pay you.
When you use the wallet for the first time, you should receive a very small amount, practice spending it to another address, either within the wallet or back to the exchange, to prove that the wallet is functioning as expected.
Once you do that, you must back up the words that you wrote down. A single copy is not enough. Have two paper copies at least (metal is better), and keep them in two different, well secured, locations. This reduces the risk of a natural disaster destroying your HWW and paper back up in one incident. See “Using Bitcoin Hardware Wallets” for a full discussion on this.
When making a payment, you need to paste in the address you are paying to in the “Pay to” field. You can’t actually leave the Label blank (I think this has changed since the time of writing), it’s just for your own wallets’ records, but Sparrow doesn’t allow it – just enter something (only you will see it). Enter the amount and you can also manually adjust the fee you want.
The Wallet can not sign the transaction unless the HWW is connected. That’s the job of the HWW – to receive the transaction, sign it, and give it back, signed. Make sure when you sign on the device, you visually inspect the address you are paying to is the same on the device and on the computer screen, and the invoice you receive (eg you might have received an email to pay a certain address).
Also pay attention that if you choose to use a coin that is larger than the payment amount, then the remainder will be sent back to one of your wallets’ change addresses. Some people have not known this, and looked up their transaction on a public blockchain, and thought that some bitcoin was sent to an attackers address, but in fact, it was their own change address.
I have not yet updated the firmware on the BitBox02. It may require you to connect to the BitBox02 App. Make sure you don’t apply the passphrase when you connect to the App.
YOU MUST DISCONNECT THE DEVICE FROM THE COMPUTER TO CLEAR THE PASSPHRASE FROM THE MEMORY.
For example, you might have applied the passphrase to the device and connected it to your Sparrow Wallet. If you simply shutdown sparrow, and open BitBox02 App, you would have connected your passphrase wallet accidentally! Instead, shutdown Sparrow, AND disconnect the device and reconnect, before opening the BitBox02 App.
This article showed you how to use a BitBox02 HWW in a safer and more private way than advertised – but this article alone is not enough. As I said at the start, you should combine it with the information provided in “Using Bitcoin Hardware Wallets“.
Here I’ll show you how to
- Verify the SHA256 checksums
- Verify the signature
First, on the download page, click “show checksums” to reveal the hashes:
On a Linux/Mac, open Terminal, on Windows, open CMD.exe
For Linux/Mac, navigate to the downloads directory (where the BitBox02 zip file is. Not the capitalisation of the following command. Type it and hit <enter>:
shasum -a 256 XXXXXXXXXX
where XXXXXXXXXX is the name of the zip file you downloaded.
On windows, it’s almost the same. Navigate to the downloads directory
C:\> certutil -hashfile xxxxxxxxxx sha256
Where xxxxxxxxxx is the name of the zip file you downloaded.
Compare the output of the hash function with the hash that’s printed on the webpage and make sure it’s identical.
Next, to verify the signature.
If you have a Mac, you’ll need to download and install GPGsuite, and if you Windows, you’ll need GPG4Win. Instructions are here. For Linux, you can skip this step.
Click on “verify signature”
You’ll be taken to GitHub.
Copy the command shown below, highlighted in blue, and paste it into Terminal or CMD.exe
You’ll get confirmation that the key was imported to the computer’s “keyring”.
Next, scroll to the bottom to find the “.asc” file.
I’ve circled in red the three relevant files to download for Mac, Windows, or Linux, respectively.
Make sure the App file and the “.asc” file are in the same directory (usually Downloads). Navigate to the directory using Terminal or CMD.exe
Enter this command…
gpg –verify ZZZZZZZZZZ XXXXXXXXXX
Where ZZZZZZZZZZ is the “.asc” file and XXXXXXXXXX is the App file.
You should see “Good signature from …” and if you se this, you can be sure the file you downloaded was not tampered with since it was digitally signed by the developers.