Secalot
Review and Comments 2023

Secalot Review 2023

Secalot says it is an all-in-one digital security companion because it combines many functions. Among them is also the possibility to use the stick as a hardware wallet. For this reason, I took a closer look at a copy that was kindly provided to me free of charge.

First Impression

Buy Secalot Online

Secalot can be purchased most easily and safely from the official webshop directly from the developer. There, the small stick currently costs (ERROR - no price), whereby shipping costs are calculated additionally. In addition to Bitcoin, credit cards and PayPal are also accepted as payment methods.

There are no official resellers in Germany yet, but Secalot’s hardware wallet is also sold on amazon.

Contents of the Package

Shipping to Germany went smoothly and took only three days. Depending on the selected shipping method, it is also possible to track his shipment. Then in the shipping envelope there is a small plastite bag with the hardware wallet Secalot. A label on the bag gives information about the version number and the date of manufacture.

The Secalot hardware wallet

The Secalot stick looks exactly like a conventional USB stick: it has a size of 60x15x10mm, weighs only a few grams and a cap protects the USB-A port.

front

back

Cap protects the connector

There is no imprint, but two silver stripes on the front. behind which the two touch buttons are hidden. At the end of the hardware wallet is an eyelet to wear the stick on a keychain or around the neck.

First Impression: Conclusion

Shipping when ordering from Secalot Shop is fast.

The scope of delivery is simple. A seal or other security measures that could make possible manipulations visible are not found here. Accessories such as a quick start guide or a note for the recovery seed are also not included.

Secalot itself looks like a simple USB stick. However, this is not necessarily a bad thing, since this sensitive security device is not immediately recognizable as such for everyone.

Setting up the Secalot hardware wallet

Depending on which feature you want to use, different steps are required to set it up. In this review, the focus is of course on the use of cryptocurrencies.

Set up Bitcoin Wallet

Bitcoin can only be used via a modified version of the Electrum software wallet. This can be downloaded from the Secalot download area. The initialization is started via the menu File > New Wallet.

Set the name of the wallet

Choose wallet type

Select keystore

Choosehardware wallet

Here you first choose a name to distinguish Secalot Bitcoin Wallet from other wallets. In the next window, select the type of wallet. Normally, a standard wallet is sufficient, but it is also conceivable to set up a multisignature wallet, for example. Then you would need several wallets to sign a transaction, for example a TREZOR in addition to the Secalot hardware wallet let.

In the following window, you then select that the seed should be generated via a hardware wallet. Electrum then recognizes all connected hardware wallet, including Secalot.

Create new wallet with PIN

Show Recovery Seed

Specify derivation path

This is followed by the actual setup of the Secalot Bitcoin Wallet. You enter a PIN and Secalot generates a seed on the device. A backup of this seed is output in the form of 24 words.

After that, experienced users can still change the derivation path, for example, to use Secalot as a SegWit wallet. In this case, the path would have to be changed from “m/44’/1’/0′” to “m/49’/1’/0”. The Bitcoin wallet is now ready for use.

Set up Ethereum Wallet

If one also wants to use Ethereum with the Secalot hardware wallet, this is not possible via Electrum. For this purpose, the web wallet MyEtherWallet.com is used, whereby the wallet must be set up via the “Secalot Control Panel GUI”. These can also be downloaded from the Secalot download area.

Create new wallet

Set PIN

Recovery Seed note

On Windows, the application starts without installation and the Ethereum tab is opened directly. Here, in addition to a new wallet, an old one can also be restored. Then, just like Bitcoin, a PIN is chosen and then the recovery seed is noted. Secalot is now prepared for use via MyEtherWallet.com.

Secalot is supported by MyEtherWallet.com

There, in the list of available hardware wallet, you can also find Secalot. If you select this, you will be prompted to enter the pin. Then, as with Bitcoin, you can choose the derivation path, after which the wallet opens.

Setup: Conclusion

Secalot completely forgoes its own software wallet and instead relies exclusively on third-party software such as Electrum or MyEtherWallet. As a result, there is no uniform and clear setup process as known from TREZOR or Ledger, for example. This could make it difficult for beginners and eventually lead to generating multiple seeds.

However, using the widely used and proven wallet Electrum and MyEtherWallet also has its advantages, as it gives you a wide range of features directly without depending on the hardware wallet developer. I find it a pity that Secalot support is not integrated in the official version of Electrum, but a modified version of the developer has to be used.

Secalot handling

Managecryptocurrencies with Secalot

After the setup, Bitcoin as well as Ethereum and ERC-20 tokens can be managed via the software Electrum and MyEtherWallet. To do this, you use the corresponding software as usual. The only difference is that a transaction must be confirmed via the touch button.

Secalot Bitcoin Transaction

Secalot Ethereum transaction

All cryptographic keys are stored in the device and cannot be read. When a transaction is performed, the necessary information is passed to the device, Secalot signs the transaction and returns the signature.

Other Secalot security features

Screenshot from the Secalot website

Secalot sees itself as a comprehensive security companion and therefore offers other features besides cryptocurrencies management.

Universal second factor (U2F)

With Secalot, it is possible to register one’s device with various services as a second secure factor, which must then be connected when logging into that service. So, for future logins, in addition to the normal login information, you still have to click the U2F touch button on the top of the device when prompted. Secalot supports simultaneous registration with an unlimited number of websites. Currently, for example, the following services support this standard: Google, Facebook, Dropbox, GitHub, GitLab, Bitbucket or also Nextcloud.

OpenPGP Smart Card

Secalot also behaves like a native smart card, allowing many different cryptographic actions to be performed. This opens up the possibility for a Secalot owner to integrate his device with a variety of existing software that uses GnuPG or a PKCS#11 interface. The following scenarios are thus conceivable:

• Email encryption and signing
• Computer login under Linux
• Hard disk encryption with the help of TrueCrypt
• File encryption and signing
• Establish VPN and SSH connections with the help of Secalot

Detailed instructions on how to set up the smart card can be found in the documentation: OpenPGP Smart Card.

One-Time-Password Generator (OTP)

OTPs can be used to securely log in to websites and applications such as password managers, and like U2F, act as a second factor. This type of generation is probably familiar to many from the Google Authenticator app. Instead of the app, you could now use a Secalot stick. By pressing both keys the one-time password is generated and typed directly into the field, because Secalot behaves like a keyboard in this case.

New services can be added via the “Secalot Control Panel GUI”. Since some OTPs require the current date, it is necessary to have a service running in the background.

Handling: Conclusion

The handling of this hardware wallet is very convenient in everyday life. No other accessories are needed to use the stick: Simply carry it on your keychain and plug it into a free USB port when needed. Once everything is configured accordingly, the stick can now be used for secure communication and login, but also as a hardware wallet.

Supported Devices and Currencies

Secalot can be used on the following platforms:

• Windows
• Linux
• Mac

The following cryptocurrencies are supported so far:

• Bitcoin
• Ethereum
• ERC-20 Tokens

But Secalot is not just a simple hardware wallet. With many other functions, the stick is a real security all-rounder for everyday use. Because the following additional services are supported:

• Electrum
• MyEtherWallet
• FIDO/U2F
• SSH Agent
• OpenPGP
• OTP
• Password Generator

Documentation and Support

Secalot is still a relatively new one-man project. Nevertheless, there is an English documentation section that explains and describes all functions in detail. You can reach it via the official homepage: Secalot Documentation.

Support requests can only be made via a contact form.

Safety aspects

We are used to other hardware walletputting a lot of emphasis on protecting the device from tampering attempts. For example, the devices are shipped with seals or the firmware is programmed to detect tampering and issue a warning. Secalot does not seem to have such provisions so far.

Also, signing transactions with Secalot is a bit more risky than with other hardware wallet. Because most of the others rely on their own display or at least have the option of pairing a smartphone. Thus, the information that is signed by pressing the touch button can also be displayed again beforehand. Otherwise, you could sign false data that has been manipulated during transmission. The recovery seed is also displayed here so that it cannot be read by viruses on the computer.

On the positive side, Secalot’s cryptocurrencies wallets are also protected from unauthorized use by a PIN. However, the entry here is made via the PC’s keyboard, which makes it possible to read out the PIN.

As befits a decent hardware wallet, the whole project is open source. Both hardware and software can be inspected for possible backdoors.