How do you secure your NFT to keep people from stealing them?
Where are my NFTs out there in the metaverse? How do I store them? How do I safely transfer my NFT assets to my loved ones?
I’ve been asked these questions too many times, so I decided to write about the best solutions for you to secure your NFT in 2022.
There is a lot of confusion about wallets and NFT storage. This article is going to try to cover everything from the basics for our new NFT friends, aka “frens”, to some advanced topics for OGs.
NFT Security Notice:
Security is difficult. Everyone makes mistakes, especially with new technology and innovation. Also, new attack vectors may emerge.
In this article, I discuss specific solutions that will help you to secure your NFT pieces. However, they might have bugs, and someone may claim to have other, better solutions.
This is my best view from experience and research, but I can’t take responsibility for your NFTs. I am only trying to help you secure your NFT in the best way possible.
Now that we have that out of the way and you are convinced that you’re in the right place, let’s proceed!
Basic Concepts of NFT & Blockchain
These concepts may be trivial and obvious to you, or they may be a bit confusing. It’s not a problem. All you need to do is read what you don’t understand again, and it’ll start to make sense.
Why waste time on the basics?
You need to understand these concepts first. Otherwise, you will never really understand what you are doing with your wallet.
I have chosen to use ETH (Ethereum) in this article for simplicity, but the same basic concepts apply to most blockchains.
Where is your NFT stored?
In order to help you easily understand this, let’s rephrase the question to “where is your NFT not stored?”
For example, you may have assumed that your NFTs are stored on your MetaMask wallet, your computer, your Trezor, or your Ledger. But these are places where your NFTs are not stored. Most of them merely display a link to your NFT.
Your NFT is a token and it is on the Ethereum blockchain (or any other blockchain). On the Ethereum blockchain, a copy of each of your NFTs is held by about 3,000 Ethereum nodes that are running globally.
Check out the Ethereum Node Tracker.
The best thing about this is the level of backup and redundancy you have. It is nice to have a backup of your files, and right now, for your ETH tokens, you have about 3,000 backups distributed around the world. Anyone, including you, could also add another backup to the system.
You don’t understand it yet? No need to panic. Let’s put it another way.
When you sell an NFT to someone else, nothing is moving from your computer or Trezor to their computer or Trezor.
All that happens is that the database (in this case, the ETH blockchain) updates its record of which address owns the NFT as a result of your transaction. The NFT itself doesn’t leave its location, or rather its about 3,000 backup locations, on the blockchain.
What about the JPG or JPEG file?
Your NFT has a URI field (like a URL) that points to where the JPG/JPEG is. The best blockchain practice is that your NFT JPG is stored on IPFS or Arweave which are both “decentralized storage”.
Alternatively, it might be on someone’s server (centralized). Whether centralized or decentralized, it is still just a server somewhere.
The main difference between IPFS and a centralized host such as AWS is that IPFS is a decentralized network: anyone (including you) can join a computer to IPFS and decide to also store any IPFS object (including your JPEG).
Now that we’re clear on this, let’s move to the next agenda.
Public and Private Keys
What is a public key?
A public key is an ETH “address” or wallet address. For example, 0x98b7AAeb419394b13D46C9508d79b335FF6D98A0. This is an address @punk6529 uses for small acquisitions. It’s mostly spam there now.
The best way to describe a public key is like your email address. You can safely share it publicly and people can send things to it.
In this case, the things sent are mostly:
- ETH (Ethereum token)
- ERC20 tokens (fungible tokens, like UNI or SUSHI)
- ERC721 or ERC1155 tokens (non-fungible tokens or NFTs for short)
Like your email, you have no control over what people send to your public address so you will probably receive spam. But unlike your email, in this case, your ‘inbox’ is also public. Everyone can see every transaction in every ETH address and what assets are currently stored in them.
Check out this example and come back to continue. Follow the link to see what is in the @punk6529 address shared earlier: https://etherscan.io/address/0x98b7AAeb419394b13D46C9508d79b335FF6D98A0
It is now clear that your public key is also not what you are storing and trying to keep safe. What you should be trying to keep safe is your private key.
What is a private key?
Your private key is your “password” for your public key or wallet address.
Your private key allows you to:
- Move tokens out of your address.
- Sign messages proving you have the private key for that address.
Unlike your public key, you must never ever show your private key to anyone. If anyone has your private key, it is GAME OVER. They can easily take every single asset (ETH, fungible tokens, NFTs) from your address.
Your private key is the key to the kingdom.
We are getting closer to the heart of our discussion, which is how to secure your NFT. Now we’ll talk about your wallet.
What is a blockchain wallet?
A “blockchain wallet” is a piece of software that contains a set of private keys. These private keys control a public key (wallet address).
Every blockchain wallet, whether software or hardware, is simply this: a piece of software that holds a set of private keys that allow you to execute transactions on specific blockchain addresses such as ETH.
To better grasp this, let me tell you about some other blockchain concepts such as “seed phrase” and “passphrase”.
What is a seed phrase?
A seed phrase is a set of 12, 18, 24, or more words that serve as an extra layer for your private key protection and storage.
If your private key is your password, your seed phrase is your password recovery method. So, if you lose your private keys, you can recreate them from your seed phrase.
As with your private key, never ever share your seed phrase. Once someone has it, your wallet can, and more often than not will, be emptied.
And what about a passphrase?
This is an unusual concept with no great comparison with any of our already existing activities or web2 tools. Nonetheless, I’ll do my best to help you understand it.
Your passphrase is a series of characters or words that, when combined with your seed phrase, creates a wallet with a set of private keys. For example, if I created my wallet/private keys with:
- seed phrase + “secure your NFT”
- seed phrase + “EVO3D”
- seed phrase + “Nwanja”
- seed phrase + “best blockchain marketing agency”
Each one would create a wallet with different private keys for different public keys (wallet addresses).
One strange thing about passphrases is that there are no ‘wrong’ answers. If you put the wrong passphrase, you don’t get some type of error message, you just get a different set of private keys that work fine, but don’t have your tokens in them.
The strangest thing about passphrases is that even when you don’t use a passphrase, you are still using one. By default, the empty passphrase “” (no characters) is used. Be warned: there is NO RECOVERY system if you lose your passphrase.
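How a passphrase changes the wallet, as an added example that is not part of the original article: it assumes the wallet follows the BIP-39 standard, where the wallet seed is PBKDF2-HMAC-SHA512 over the seed phrase with the salt "mnemonic" + passphrase. The mnemonic is the public BIP-39 test phrase, and the function names are made up for this illustration.

```python
import hashlib
import unicodedata

# Public BIP-39 test mnemonic, known to everyone: never fund a wallet made from it.
TEST_MNEMONIC = ("abandon abandon abandon abandon abandon abandon "
                 "abandon abandon abandon abandon abandon about")

# Passphrases taken from the article's list, plus the empty default and a
# constructed one-character typo ("nft" instead of "NFT").
PAGE_PASSPHRASES = ["", "secure your NFT", "secure your nft", "EVO3D", "Nwanja"]


def bip39_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """Return the 64-byte BIP-39 seed from which a wallet derives its private keys.

    Assumption: the words are taken as given; the word-list and checksum
    validation a real wallet performs is not done here.
    """
    words = unicodedata.normalize("NFKD", mnemonic).encode("utf-8")
    salt = ("mnemonic" + unicodedata.normalize("NFKD", passphrase)).encode("utf-8")
    # BIP-39 fixes the parameters: HMAC-SHA512, 2048 iterations, 64-byte output.
    return hashlib.pbkdf2_hmac("sha512", words, salt, 2048, dklen=64)


def fingerprint(seed: bytes) -> str:
    """Short, non-secret label for a seed, so seeds can be compared by eye."""
    return hashlib.sha256(seed).hexdigest()[:16]


def wallets_for(mnemonic: str, passphrases: list) -> dict:
    """Map each passphrase to the fingerprint of the wallet seed it produces."""
    return {p: fingerprint(bip39_seed(mnemonic, p)) for p in passphrases}


if __name__ == "__main__":
    # Every passphrase, including a mistyped one, yields a valid but different
    # seed. Nothing raises an error, which is why a lost passphrase is fatal.
    for phrase, fp in wallets_for(TEST_MNEMONIC, PAGE_PASSPHRASES).items():
        print(f"passphrase {phrase!r:20} -> seed fingerprint {fp}")
```

Because the derivation never rejects an input, the only way to confirm a passphrase is to check that the resulting wallet shows the addresses you expect.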
In summary, how do you secure your NFT?
The whole discussion about wallets (software or hardware) and how to secure your NFT is a discussion about two topics:
- Security: How do you keep someone else from getting a hold of your private keys?
- Resiliency: How do you ensure that you don’t lose control of your private keys?
In this article, I have highlighted and explained different concepts and buzzwords to you. My final advice is that you adhere to these final words:
- Wallet Address/Public Key: Can be shared.
- Private key: Never share it.
- Seed phrase: Never share it.
- Passphrase: Never lose it.
- If someone gets a hold of your private keys OR your seed phrase AND passphrase (if you used a passphrase) = GAME OVER
- If you lose your private keys AND seed phrase AND passphrase (if you used one) = GAME OVER