2019 Improved Keepkey Setup Guide (24 Word Seed, BIP39 Passphrase, Electrum. Works for Trezor)

Summary: Steve’s Recommended Keepkey Setup…

  1. Update Firmware (with Keepkey Updater Tool)
  2. Download Keepkey Client from the Chrome Web Store (It’s good for wiping it and verifying recovery)
  3. Download Electrum or Electron Cash (Even if you don’t want to use BCH)
  4. Initialise the device with a 24 word seed
  5. Verify the Recovery Seed via Keepkey Client (Or wipe and restore)
  6. For Advanced Users: Enable a BIP39 passphrase (Can’t use ShapeShift wallet if you do this)
  7. Use a 3rd party wallet… (That supports BIP39 passphrases, native segwit, own node…)
    Electrum for BTC, Electrum-LTC for Litecoin, MyEtherWallet for Eth, Electron-Cash for BCH

This guide looks at how to initialize your Keepkey using Electrum, as that allows you to use a full 24 word seed and also some of the more advanced features that simply are not supported at all by the ShapeShift platform at this time. Electrum is an open-source Bitcoin wallet, but even if you’re not planning to store Bitcoin on your Keepkey, Electrum is still a great tool to securely initialize the wallet.

As much as I find the default Keepkey workflow (if you follow their getting started instructions) to be a complete disaster, it’s still a very capable hardware wallet if you do things slightly differently. You want to follow their getting started guide, totally skip step 1, totally skip step 2, and update your device.

Step 1 – Download Firmware Updater (https://beta.shapeshift.com/updater-download#)

Download the updater app (that’s this one here). You need it to put the firmware on your device.

You can close this tab, we don’t need their instructions any more…

Step 2 – Download Keepkey Chrome Client ( https://chrome.google.com/webstore/detail/keepkey-client/idgiipeogajjpkgheijapngmlbohdhjg)

The next thing you want to get is the Keepkey client off the Chrome Web Store. It’s very good for wiping the device and also for verifying the recovery, and if you’re someone who loves the command line, you can do all of that using Keepkey-python…

Step 3 – Download Electrum ( https://electrum.org/#home )

Make sure you download Electrum from Electrum.org. I’ve also got a video that looks at how to verify the download of Electrum to make sure that what you’re downloading is authentic…

When you run Electrum for the first time you’ll be presented with this screen here, and you can just say auto connect unless you’re running your own Electrum server, which is way beyond the scope of this guide…

The next thing it’s going to ask you to do is create a new wallet, so we’re just going to say next, because the name of this doesn’t matter; we just want to initialize the device…

Now we’re going to say we want a standard wallet

and we’re going to say we have a hardware device

If you haven’t run Electrum as an administrator, you’ll notice that it won’t find your Keepkey no matter what you do.

That’s a current issue that’s been introduced by the latest versions of Windows (it will be fixed in future versions of Electrum), but if you just run Electrum as an administrator it’ll find your Keepkey without a problem.

So once we’ve found our hardware keystore we’re going to say next. What we want to select is this first option here “let the device generate a completely new seed randomly”

So we’re going to say next, and we want a full 24 word seed; we don’t want a 12 word seed. I think it’s fair to say that a 12 word seed isn’t insecure, but if your device supports a 24 word seed, it is just as easy to generate, to store and to use a 24 word seed, and it is significantly more secure, not just today but also into the future. We will give the device a name, enable PIN protection and say next…

Now if we look on the screen it’s going to show us the internal entropy of the device that we can check.

That looks good, so we’ll just click through, and now we’re assigning a PIN. This is the same as before, in that we just type in the PIN here: the numbers on these boxes correspond to what’s on the device.

I’m recommending that you go with a nice long PIN, not something short. If you forget the PIN you can always just reset the device using your seed phrase, so it’s not a problem.

Now this is the same as before, except this time we actually have two screens’ worth of words. You can download a template for recovery sheets, like the one for a Ledger Nano or anything else like that, that has space for the full 24 words. I definitely recommend using something like this, or at least numbering the words rather than just scribbling them out on a page in any random order, because you cannot rely on your ability to remember.

If you’re looking to store your seed phrase in something a bit more robust than a piece of paper, there are a few products that do that. You can get a Cold Ti, which is essentially a sheet of metal that you just stamp it into, or you can get a Cryptosteel, which basically comes with everything you need to put it together like a puzzle and just has the first four letters of each word in your phrase, which is really all you need. There’s also a newer option called a Cobo wallet, which is basically priced in between the two. If you want to help me out in the process, I’ve got an affiliate link in the description for either of those.

So basically you need to write down the words. I’ve actually printed the recovery sheet nice and big as well, because it doesn’t have to be small. You would write down the first twelve words, and only once you’ve double-checked that they’re all correct you can say next, and then you can write down the second twelve words. Once you have done that, you have a recovery sheet with the full 24 words that you can secure somewhere, and you now have your device initialized with a full 24 word seed.
Now we create our wallet type. If you’re just starting out and new to crypto, this middle option is probably the best one: it’ll give you addresses that start with a 3, which are very compatible across a range of wallets. We’re also going to say we want to encrypt the wallet file, and I’ll show you why in a sec. Now that we’ve got this default wallet and we’ve encrypted it, unless you have the Keepkey connected with the correct seed on it you’re not going to be able to open this wallet file. That’s something really useful for verifying the recovery seed using Electrum.

So before putting any funds onto the wallet, we’re also going to verify that the recovery seed you’ve got is correct. Just for the sake of completeness we’re going to do this using Electrum, and it’s also a good way to familiarize yourself with the process of restoring a wallet seed onto your Keepkey. A quick warning for those who might be watching this video but already have funds on their Keepkey: if there are already funds on your Keepkey, use the Keepkey Chrome app to verify your recovery seed, because you can do that without wiping the device. I cover that in my previous video on setting up the Keepkey.

We’re going to click on this little Keepkey icon down there, go into the Advanced tab and wipe the device. It’ll ask us to confirm that on the Keepkey itself; we just press the button and it will wipe it clean. Once we’ve wiped the device, we say File, New, create a new wallet file, choose a standard wallet and a hardware device, and basically run through the process again, but this time we say we want to recover from a seed we previously wrote down. We give the device a name and set the PIN, so we’ll just pick a nice long one. What happens now is the same thing we saw on the twelve word recovery: we have a cipher here, where the letters in gray correspond to what the letter says on the card on the top row. As we type those words in we can accept each word, and we restore all 24 words that way.

Now that we’ve reset the device, we just run Electrum and it prompts us, saying this file is encrypted using a hardware device. That’s what we want, so we say next, we’ll see our device show up there, we say next again, and now we type in our PIN. If we restored the device correctly and have the same seed on it, it will open the wallet. If however the seed we’ve restored is different, because we’ve made some other mistake restoring it and it still happens to look like a valid seed, it’ll actually say failed to decrypt device.

If you’re an advanced user, you can go and enable a BIP39 passphrase. That provides a lot of extra protection in case someone gets their hands on a recovery sheet, but it also makes it a lot easier to straight-up lose your funds if you forget your BIP39 passphrase, have some typos in it that you didn’t realize, or something like that. Just recently there was a security disclosure from the team at Kraken, who offered quite detailed instructions on how you’d go about doing key extraction on the device. Because of that, ShapeShift have now issued a bit of a best-practice reminder, essentially recommending that people use a BIP39 passphrase. That means if someone gets their hands physically on your Keepkey, even if they do manage to do a key extraction attack, they actually can’t get your crypto.

So I’ll just run through how to do that quickly now. I have another video that looks at how to select a BIP39 passphrase, and I’ll link to that here in the top corner. Once you’ve selected a BIP39 passphrase, you can easily turn it on using Electrum: click on the little plug-in icon in the bottom right corner, go to Settings, Advanced, and say enable passphrases. It gives you a warning here, because the thing with these BIP39 passphrases is that there’s no error checking on them. Every passphrase you enter is technically valid, and every single one gives you a completely different wallet, so a completely different set of addresses. We’ll say yes and confirm that action on the device.

The thing is that the normal wallet you would see without a BIP39 passphrase is exactly the same wallet you see if you just enter a blank BIP39 passphrase, so I’ll show you what that looks like. Once you’ve got a BIP39 passphrase enabled, after you type in your PIN you’ll be prompted to enter a passphrase. Just for this first demo we’ll leave the passphrase blank, and you’ll see it’ll happily reopen the previous wallet that we had.
What we’re going to do now is create a wallet with the passphrase that we want to use. We create a new wallet file and give it a different name to the old one, and we say it’s a standard wallet and that we have a hardware device. The thing you’ll notice is that it will never discover your Keepkey while you still have another window open that is using your Keepkey, and in this case it is Electrum that’s using it. So we close the previous wallet that we had, say next, and it’ll find the Keepkey. Now we type in the PIN. The passphrase we type in here is the passphrase you’re going to use for this wallet, so it can be whatever you like; we’re just going to use “youtube”, lowercase, one word, for this video, and then we say OK. We select the same wallet type as before, and we want to encrypt the wallet file.

Here is our new wallet that is encrypted using a BIP39 passphrase. You’ll notice all the transactions from before are gone, and all of the addresses we now see when we hit Receive are completely different. The other thing you might have noticed, if you’re paying attention, is that it only asked you for that passphrase once. It didn’t ask you to retype it or anything like that, so if you made a typo typing your BIP39 passphrase you wouldn’t realize it at this point. To verify that you did type it correctly, I’d suggest you close Electrum and open it again. By default it’s going to want to reopen the last wallet that it had, so in this case that was wallet one. We say next, select the Keepkey, and it prompts us for the PIN and then the passphrase. We retype the passphrase, say OK, and because we encrypted the wallet, if we type it in correctly it will open back up.

I’ll quickly show you what it looks like if you have a typo in the passphrase. Because we encrypted the wallet, if I type in the passphrase with a typo, let’s say “Youtube” with a capital Y at the front (it is case sensitive), and then say OK, it throws this error, which says: failed to decrypt using this hardware device, if you use a passphrase, make sure it’s correct. So using the encrypt wallet function in Electrum is a good way to make sure you’ve got your passphrase right, because again it’s not very forgiving if you have a typo in your passphrase.

When the advisory came out for everyone to use BIP39 passphrases, unfortunately ShapeShift didn’t actually support the passphrase, whereas just in the last few days they have enabled it. It’s so fresh and new that they’ve still got the warning there saying to disable the BIP39 passphrase, so let’s see if it actually works. And yeah, as of mid-December 2019, I’ve just had a look, and even when you log in to ShapeShift and enable a BIP39 passphrase, it’s still generating the same addresses as the earlier wallet I had before without a BIP39 passphrase. So the issue here is that if, for example, you were using ShapeShift thinking that you’re using your BIP39 passphrase, you’re actually not using it at all: even though it accepts it without any error messages, these addresses correspond to a blank passphrase. What could happen there is that you’ve sent a bunch of crypto to this account thinking you’d enabled your passphrase, and when you go to log back in in a week or two, after they’ve made it so the passphrase actually works, you’ll notice the balance of all your accounts is zero. If that happens to you, you’ll need to log in with a blank passphrase and then move everything to a new account with the passphrase, once they actually get that fixed.
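The passphrase behaviour described above, as an added example that is not part of the original guide or of Electrum's code: BIP39 feeds the passphrase into the salt of PBKDF2-HMAC-SHA512, so every passphrase is accepted, a blank one equals none, and any typo lands in a different wallet. The mnemonic is the public BIP39 test vector (constructed sample input), and `typo_report` is a hypothetical helper name.

```python
import hashlib
import unicodedata

# Public BIP39 test-vector mnemonic (constructed sample input, never fund it).
TEST_MNEMONIC = "abandon " * 11 + "about"


def bip39_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """BIP39 seed: PBKDF2-HMAC-SHA512, 2048 rounds, salt = "mnemonic" + passphrase."""
    words = unicodedata.normalize("NFKD", " ".join(mnemonic.split()))
    salt = unicodedata.normalize("NFKD", "mnemonic" + passphrase)
    return hashlib.pbkdf2_hmac(
        "sha512", words.encode("utf-8"), salt.encode("utf-8"), 2048, dklen=64
    )


def typo_report(mnemonic: str, intended: str, attempts: list[str]) -> dict[str, bool]:
    """Hypothetical helper: which re-typed passphrases reach the same wallet seed?"""
    reference = bip39_seed(mnemonic, intended)
    return {a: bip39_seed(mnemonic, a) == reference for a in attempts}


if __name__ == "__main__":
    # No passphrase and a blank passphrase derive the identical seed.
    print("blank == none:", bip39_seed(TEST_MNEMONIC) == bip39_seed(TEST_MNEMONIC, ""))

    # The passphrase used in the guide, then a capital-Y typo, a trailing
    # space, and a blank entry. None of the wrong entries raises an error.
    attempts = ["youtube", "Youtube", "youtube ", ""]
    for attempt, same in typo_report(TEST_MNEMONIC, "youtube", attempts).items():
        seed_prefix = bip39_seed(TEST_MNEMONIC, attempt).hex()[:16]
        verdict = "same wallet" if same else "DIFFERENT wallet"
        print(f"{attempt!r:12} seed {seed_prefix}...  {verdict}")

    # NFKD normalisation: composed and decomposed accents give the same seed,
    # so the same visible passphrase typed on different keyboards still matches.
    print("NFKD match:",
          bip39_seed(TEST_MNEMONIC, "caf\u00e9") == bip39_seed(TEST_MNEMONIC, "cafe\u0301"))
```

Because the derivation itself never rejects an input, the only check available is comparing against something derived earlier, which is what reopening the encrypted Electrum wallet file does.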
The last step in this process is to use a third-party wallet: one that supports things like BIP39 passphrases, because ShapeShift doesn’t let you do that, and one that allows you to have native segwit, which again ShapeShift doesn’t let you do, and things like Litecoin. You can use lots of other wallets, like Electrum for Bitcoin, Electrum-LTC for Litecoin, MyEtherWallet for Ethereum or Electron Cash for Bitcoin Cash. There’s really no reason why you need to use ShapeShift at all until they improve their user experience a lot.

So there you have it: the Keepkey is a really capable device, just let down by frankly really terrible software. Fortunately you don’t have to use the stuff they supply, and if you use third-party wallets and third-party tools you have a really competent wallet. Thanks for watching, I hope that was
