Secalot Review 2021
- 1 First impression
- 2 Setting up the Secalot Hardware Wallet
- 3 Handling of Secalot
- 4 Supported devices and currencies
- 5 Documentation and support
- 6 Security Aspects
According to its own statements, Secalot is an all-in-one digital security companion, since it combines many functions. This also includes the possibility of using the stick as a hardware wallet. For this reason I took a closer look at a copy, which was kindly made available to me free of charge.
Buy Secalot Online
Secalot can be purchased in the official webshop directly from the developer. There the small stick currently costs [acf_price], whereby still additionally forwarding expenses are computed. In addition to Bitcoin, credit cards and Paypal are accepted as payment methods.
There are no official resellers in Germany yet, but at amazon Secalot’s Hardware Wallet is also distributed.
Hardware Wallets should preferably be ordered directly from the manufacturer or official resellers if possible. Dubious stores or private sellers on platforms like ebay or amazon could manipulate the devices for their own purposes or trick the buyer. This way, the thieves can steal all the coins from your hardware wallet at a later time. Unfortunately there have been cases like this in the past.
Contents of the package
Shipping to Germany ran smoothly and took only three days. Depending on the type of shipment selected, it is also possible to track your shipment. The envelope contains a small plastic bag with the Hardware Wallet Secalot. A label on the bag provides information about the version number and the time of manufacture.
The Secalot Hardware Wallet
The Secalot stick looks exactly like a conventional USB stick: it has a size of 60x15x10mm, weighs only a few grams and a cap protects the USB-A connection.
There is no imprint, but two silver stripes on the front. Behind them are the two touch buttons. At the end of the Hardware Wallet there is an eyelet to carry the stick on your keychain or around your neck.
First impression: Conclusion
The dispatch of an order in the Secalot Shop is fast.
The scope of delivery is simple. A seal or other security measures, which could make possible manipulations visible, one looks for here in vain. Also accessories such as a quick start guide or a note for the Recovery Seed are not included.
Secalot itself looks like a simple USB stick. However, this is not necessarily a bad thing, as this sensitive safety device is not immediately recognizable by everyone as such.
Setting up the Secalot Hardware Wallet
Never use a hardware wallet that is already set up. You must choose your own PIN code or password and do the backup yourself. This is not given by anyone!
Depending on which feature you want to use, different setup steps are necessary. In this test report, the focus is of course on the use of crypto currencies.
Set up Bitcoin Wallet
Bitcoin can only be used via a modified version of the Wallet Electrum software. It can be downloaded from the Secalot download area. Start the initialization via the menu File > New Wallet.
First you choose a name to distinguish the Secalot Bitcoin Wallet from other wallets. In the next window, select the type of wallet. Normally a standard wallet is sufficient, but it is also conceivable to set up a multi-signature wallet, for example. Then you would need several wallets to sign a transaction, for example besides the Secalot Hardware Wallet also a TREZOR.
In the following window, select that the seed is to be generated via a hardware wallet. Electrum then detects all connected hardware wallets, including Secalot.
This is followed by the actual installation of the Secalot Bitcoin Wallet. You enter a PIN and Secalot generates a sealed seed on the device. A backup of this seed is output in the form of 24 words.
Your Recovery Seed is the backup key to all your cryptocurrencies and applications. The Recovery Seed (backup) can only be viewed once. Never make a digital copy of the Recovery Seed and never upload it online. Keep the Recovery Seed in a safe place, ideally also safe from fire and water. Special backup products, for example Cryptosteel Capsule or Billfodl are suitable for this.
No one but yourself can be held liable for any financial losses caused by improper handling of sensitive data.
Experienced users can then change the derivation path, for example to use Secalot as a SegWit Wallet. In this case, the path would have to be changed from “m/44’/1’/0′” to “m/49’/1’/0”. The Bitcoin Wallet is now ready for use.
Set up Ethereum Wallet
If you also want to use Ethereum with the Secalot Hardware Wallet, this is not possible via Electrum. For this purpose, the MyEtherWallet.com web wallet is used, whereby the wallet must be set up via a “Secalot Control Panel GUI”. These can also be downloaded from the Secalot download area.
Under Windows the application starts without installation and the Ethereum tab is opened directly. Here you can restore not only a new wallet but also an old one. Then, just as with Bitcoin, a PIN is selected and then the recovery seed is noted. Secalot is now ready for use via MyEtherWallet.com.
There you will also find Secalot in the list of available hardware wallets. If you select them, you will be asked to enter the pin. Then you can choose the derivation path as with Bitcoin, whereupon the wallet opens.
Secalot completely dispenses with its own software wallet and exclusively uses third-party software such as Electrum or MyEtherWallet instead. This means that there is no uniform and clear setup process, as is known from TREZOR or Ledger, for example. This could make it difficult for beginners and eventually lead to the generation of multiple seeds.
Using the widely used and proven Wallet Electrum and MyEtherWallet also has its advantages, since you have a large range of functions directly without being dependent on the developers of the Hardware Wallet. I find it a pity that Secalot support is not integrated in the official version of Electrum, but a modified version of the developer must be used.
Handling of Secalot
Manage crypto currencies with Secalot
After setup, Bitcoin, Ethereum and ERC-20 tokens can be managed via Electrum and MyEtherWallet software. For this you use the corresponding software as usual. The only difference is that a transaction must be confirmed via the touch button.
All cryptographic keys are stored in the device without being able to be read out. When a transaction is executed, the necessary information is transferred to the device, Secalot signs the transaction and returns the signature.
Other Secalot security features
Secalot is a comprehensive security companion and therefore offers additional functions in addition to the administration of crypto currencies.
Universal second factor (U2F)
With Secalot it is possible to register your device with various services as a second secure factor, which must then be connected when logging on to this service. So you have to click the U2F-Touch-Button at the top of the device next to the normal login data, if you are asked to do so. Secalot supports simultaneous registration for an unlimited number of websites. Currently the following services support this standard: Google, Facebook, Dropbox, GitHub, GitLab, Bitbucket or Nextcloud.
OpenPGP Smart Card
Secalot also behaves like a native smart card that allows many different cryptographic actions to be performed. This gives a Secalot owner the possibility to integrate his device into a variety of existing software using GnuPG or a PKCS#11 interface. The following scenarios are conceivable:
- E-mail encryption and signing
- Computer logon under Linux
- Hard disk encryption using TrueCrypt
- File encryption and signing
- VPN and SSH connections using the Secalot
Detailed instructions for setting up the smart card can be found in the documentation: OpenPGP Smart Card.
One-Time-Password Generator (OTP)
With OTPs you can securely log on to websites and applications like password managers and act as a second factor like U2F. This type of generation is probably known to many from the Google Authenticator app. Instead of the app you could now use a Secalot Stick. Pressing both keys generates the one-time password and enters it directly into the field, as Secalot behaves like a keyboard in this case.
New services can be added via the Secalot Control Panel GUI. Since the current date is required for some OTPs, a service must be running in the background.
The handling of this hardware wallet is very pleasant in everyday life. No additional accessories are required to use the stick: Simply carry it on your keychain and plug it into a free USB port if required. If everything is configured accordingly, the stick can now be used for secure communication and registration, but also as a hardware wallet.
Supported devices and currencies
Secalot can be used on the following platforms:
The following crypto currencies are currently supported:
- ERC-20 Tokens
Here at Inivty you can see all Bitcoin and Altcoin prices from many exchanges in real time, compare rates and buy instantly. You can then easily send the purchased cryptocurrencies to your hardware wallet: compare prices here.
But Secalot is not just a simple hardware wallet. With many other functions, the stick is a real safety all-rounder for everyday use. The following additional services are also supported:
- SSH Agent
- Password Generator
Documentation and support
Secalot is still a relatively new one-man project. Nevertheless, there is an English documentation area that explains and describes all functions in detail. You can reach it via the official homepage: Secalot documentation.
Support requests can only be made via a contact form.
Other hardware wallets are used to protect the device from tampering attempts. The devices are sent with seals or the firmware is programmed in such a way that manipulations are detected and a warning is issued. Secalot does not seem to have such precautions in place so far.
In addition, signing transactions with Secalot is slightly more risky than with other hardware wallets. Most others rely on their own display or at least have the option of pairing a smartphone. In this way, the information that is signed by pressing the touch button can also be displayed again beforehand. Otherwise you could sign incorrect data that was manipulated during transmission. The recovery seed is also displayed so that it cannot be read by viruses on the computer.
On the positive side, Secalot’s wallet crypto currencies are also protected against unauthorised use by a PIN. However, the entry here is made via the keyboard of the PC, which makes it possible to read out the PIN.
As befits a reasonable hardware wallet, the whole project is open source. Both hardware and software can thus be inspected for possible back doors.
FAQ 7Ask your own question
That is not a problem. You can restore your accounts to a new hardware wallet using the recovery key you wrote down when you set it up.
Most wallets support more than just one cryptocurrency, but only generate one backup. Nevertheless, this one backup is sufficient to restore all cryptocurrencies as all private keys of the different wallets result from the seed that is backed up as a backup during setup.
Hardware Wallets such as the Ledger Nano X, TREZOR Model T, BitBox02 or KeepKey all work according to the same principle. They are a special form of a so-called wallet, which is used to manage cryptocurrencies. A hardware wallet is a physical device that securely and inisolationly generates the private keys to the cryptocurrencies. Due to the extra hardware, they have some advantages over software wallets:
- Private keys are often stored in a protected area of a microcontroller and cannot be transferred out of the device in clear text.
- Hardware wallets are immune to computer viruses that steal from software wallets.
- They can be used securely and interactively, private keys never need to come into contact with potentially vulnerable software.
- The software is in most cases open source, so that the user or professionals can validate the entire operation of the device.
However, it is important to understand that hardware wallets are an attractive target for attackers and depend on several assumptions to maintain security. They are not a miracle weapon, and there are several realistic ways to hack a hardware wallet Especially if someone has physical access to the device.
A new cryptocurrency is rarely supported directly by a hardware wallet at the beginning. However, most providers such as Ledger or TREZOR are constantly working to support new cryptocurrencies. Therefore, it is often worth waiting until the desired currency is supported by your hardware wallet.
I would like to give a hardware wallet as a birth gift. Do I need this every time I want to deposit coins or is there another way?
No, you don’t need the hardware wallet every time you want to make a deposit. It is only necessary to set up the hardware wallet and generate an address of the corresponding cryptocurrency.
Cryptocurrency can now be sent to this address on the desired cycle on a regular basis without the need for the hardware wallet. The address does not expire.
Are my cryptocurrencies stored in the hardware wallet, or where exactly are they? This is a very good question because the answer defines what your wallet actually needs to protect.
Cryptocurrencies are so named because they are secured by cryptography. For this you need a set of digital keys, for example your (very secret) private key. With this key you can encrypt and digitally sign things.
Let’s take Bitcoin as an example (other cryptocurrencies work in a similar way). The entire Bitcoin network is kept up to date by a common data structure called the blockchain. It contains records of all transactions ever made and is publicly accessible online, so anyone can read it. When you receive some bitcoins, say 0.1 BTC, you see them in your bitcoin wallet, listed under a bitcoin address.
At the same time, the bitcoins are not actually stored in the wallet, they are just an entry in the public blockchain. What the wallet stores is your secret private key that belongs to that address. Since you control that private key, you can spend those Bitcoins again: that’s how “Bitcoin ownership” is defined. Anyone can see these bitcoins, but only you can spend it, so they are yours. But that also means that *anyone* with the right private key can spend those bitcoins. Therefore, it is very important to keep this key secret.
What stops the manufacturer of your hardware from using a backdoor and simply stealing your cryptocurrencies? How much do you have to trust hardware wallet manufacturers?
While a completely “trustless” solution is probably not possible, manufacturers are doing everything they can to minimize the need to trust them.
Most of the software code of many hardware waller manufacturers is open source, i.e. publicly available. Anyone can check how the device works and how secrets are handled. Of course, not everyone has the ability to review code: that’s why independent researchers are often encouraged to analyze, and are often rewarded by bug bounty programs when they find something. This does not limit their ability to publish a full independent report without permission.
The essentials to go: A wallet manages your secret private keys and requires full access to them. You can and should demand full transparency about how a wallet works and ensure that independent public audits are encouraged.
Ask your question about the product. The question will be published here together with the answer after a few days. You will be notified by e-mail.
|Compatibility||Electrum, MyEtherWallet, FIDO/U2F, SSH Agent, OpenPGP, OTP, Password Generator|
|Cryptocurrencies||Bitcoin, Ethereum, ERC-20 Tokens|
|Platform||Windows, Linux, Mac|
|FIDO U2F Authenticator|
User Reviews 0
No reviews yet