Secalot Review 2022
- 1 First Impression
- 2 Setting up the Secalot hardware wallet
- 3 Secalot handling
- 4 Supported Devices and Currencies
- 5 Documentation and Support
- 6 Safety aspects
Secalot says it is an all-in-one digital security companion because it combines many functions. Among them is also the possibility to use the stick as a hardware wallet. For this reason, I took a closer look at a copy that was kindly provided to me free of charge.
Buy Secalot Online
Secalot can be purchased most easily and safely from the official webshop directly from the developer. There, the small stick currently costs 50,00 $ (click here to check the current price), whereby shipping costs are calculated additionally. In addition to Bitcoin, credit cards and PayPal are also accepted as payment methods.
There are no official resellers in Germany yet, but Secalot’s hardware wallet is also sold on amazon.
Hardware Wallets should preferably be ordered directly from the manufacturer or official resellers if possible. Dubious stores or private sellers on platforms like ebay or amazon could manipulate the devices for their own purposes or trick the buyer. This way, the thieves can steal all the coins from your hardware wallet at a later time. Unfortunately, there have already been such cases in the past.
Contents of the Package
Shipping to Germany went smoothly and took only three days. Depending on the selected shipping method, it is also possible to track his shipment. Then in the shipping envelope there is a small plastite bag with the hardware wallet Secalot. A label on the bag gives information about the version number and the date of manufacture.
The Secalot hardware wallet
The Secalot stick looks exactly like a conventional USB stick: it has a size of 60x15x10mm, weighs only a few grams and a cap protects the USB-A port.
There is no imprint, but two silver stripes on the front. behind which the two touch buttons are hidden. At the end of the hardware wallet is an eyelet to wear the stick on a keychain or around the neck.
First Impression: Conclusion
Shipping when ordering from Secalot Shop is fast.
The scope of delivery is simple. A seal or other security measures that could make possible manipulations visible are not found here. Accessories such as a quick start guide or a note for the recovery seed are also not included.
Secalot itself looks like a simple USB stick. However, this is not necessarily a bad thing, since this sensitive security device is not immediately recognizable as such for everyone.
Setting up the Secalot hardware wallet
Never use a hardware wallet that is already set up. You must choose your own PIN code or password and do the backup yourself. This is not given by anyone!
Depending on which feature you want to use, different steps are required to set it up. In this review, the focus is of course on the use of cryptocurrencies.
Set up Bitcoin Wallet
Bitcoin can only be used via a modified version of the Electrum software wallet. This can be downloaded from the Secalot download area. The initialization is started via the menu File > New Wallet.
Here you first choose a name to distinguish Secalot Bitcoin Wallet from other wallets. In the next window, select the type of wallet. Normally, a standard wallet is sufficient, but it is also conceivable to set up a multisignature wallet, for example. Then you would need several wallets to sign a transaction, for example a TREZOR in addition to the Secalot hardware wallet let.
In the following window, you then select that the seed should be generated via a hardware wallet. Electrum then recognizes all connected hardware wallet, including Secalot.
This is followed by the actual setup of the Secalot Bitcoin Wallet. You enter a PIN and Secalot generates a seed on the device. A backup of this seed is output in the form of 24 words.
Your Recovery Seed is the backup key to all your cryptocurrencies and apps. The Recovery Seed (backup) can only be viewed once. Never make a digital copy of the Recovery Seed and never upload it online. Keep the Recovery Seed in a safe place, ideally also safe from fire and water. Special backup products, for example Cryptosteel Capsule or Billfodl are suitable for this.
No one but yourself can be held liable for any financial losses caused by improper handling of sensitive data.
After that, experienced users can still change the derivation path, for example, to use Secalot as a SegWit wallet. In this case, the path would have to be changed from “m/44’/1’/0′” to “m/49’/1’/0”. The Bitcoin wallet is now ready for use.
Set up Ethereum Wallet
If one also wants to use Ethereum with the Secalot hardware wallet, this is not possible via Electrum. For this purpose, the web wallet MyEtherWallet.com is used, whereby the wallet must be set up via the “Secalot Control Panel GUI”. These can also be downloaded from the Secalot download area.
On Windows, the application starts without installation and the Ethereum tab is opened directly. Here, in addition to a new wallet, an old one can also be restored. Then, just like Bitcoin, a PIN is chosen and then the recovery seed is noted. Secalot is now prepared for use via MyEtherWallet.com.
There, in the list of available hardware wallet, you can also find Secalot. If you select this, you will be prompted to enter the pin. Then, as with Bitcoin, you can choose the derivation path, after which the wallet opens.
Secalot completely forgoes its own software wallet and instead relies exclusively on third-party software such as Electrum or MyEtherWallet. As a result, there is no uniform and clear setup process as known from TREZOR or Ledger, for example. This could make it difficult for beginners and eventually lead to generating multiple seeds.
However, using the widely used and proven wallet Electrum and MyEtherWallet also has its advantages, as it gives you a wide range of features directly without depending on the hardware wallet developer. I find it a pity that Secalot support is not integrated in the official version of Electrum, but a modified version of the developer has to be used.
Managecryptocurrencies with Secalot
After the setup, Bitcoin as well as Ethereum and ERC-20 tokens can be managed via the software Electrum and MyEtherWallet. To do this, you use the corresponding software as usual. The only difference is that a transaction must be confirmed via the touch button.
All cryptographic keys are stored in the device and cannot be read. When a transaction is performed, the necessary information is passed to the device, Secalot signs the transaction and returns the signature.
Other Secalot security features
Secalot sees itself as a comprehensive security companion and therefore offers other features besides cryptocurrencies management.
Universal second factor (U2F)
With Secalot, it is possible to register one’s device with various services as a second secure factor, which must then be connected when logging into that service. So, for future logins, in addition to the normal login information, you still have to click the U2F touch button on the top of the device when prompted. Secalot supports simultaneous registration with an unlimited number of websites. Currently, for example, the following services support this standard: Google, Facebook, Dropbox, GitHub, GitLab, Bitbucket or also Nextcloud.
OpenPGP Smart Card
Secalot also behaves like a native smart card, allowing many different cryptographic actions to be performed. This opens up the possibility for a Secalot owner to integrate his device with a variety of existing software that uses GnuPG or a PKCS#11 interface. The following scenarios are thus conceivable:
- Email encryption and signing
- Computer login under Linux
- Hard disk encryption with the help of TrueCrypt
- File encryption and signing
- Establish VPN and SSH connections with the help of Secalot
Detailed instructions on how to set up the smart card can be found in the documentation: OpenPGP Smart Card.
One-Time-Password Generator (OTP)
OTPs can be used to securely log in to websites and applications such as password managers, and like U2F, act as a second factor. This type of generation is probably familiar to many from the Google Authenticator app. Instead of the app, you could now use a Secalot stick. By pressing both keys the one-time password is generated and typed directly into the field, because Secalot behaves like a keyboard in this case.
New services can be added via the “Secalot Control Panel GUI”. Since some OTPs require the current date, it is necessary to have a service running in the background.
The handling of this hardware wallet is very convenient in everyday life. No other accessories are needed to use the stick: Simply carry it on your keychain and plug it into a free USB port when needed. Once everything is configured accordingly, the stick can now be used for secure communication and login, but also as a hardware wallet.
Supported Devices and Currencies
Secalot can be used on the following platforms:
The following cryptocurrencies are supported so far:
- ERC-20 Tokens
But Secalot is not just a simple hardware wallet. With many other functions, the stick is a real security all-rounder for everyday use. Because the following additional services are supported:
- SSH Agent
- Password Generator
Documentation and Support
Secalot is still a relatively new one-man project. Nevertheless, there is an English documentation section that explains and describes all functions in detail. You can reach it via the official homepage: Secalot Documentation.
Support requests can only be made via a contact form.
We are used to other hardware walletputting a lot of emphasis on protecting the device from tampering attempts. For example, the devices are shipped with seals or the firmware is programmed to detect tampering and issue a warning. Secalot does not seem to have such provisions so far.
Also, signing transactions with Secalot is a bit more risky than with other hardware wallet. Because most of the others rely on their own display or at least have the option of pairing a smartphone. Thus, the information that is signed by pressing the touch button can also be displayed again beforehand. Otherwise, you could sign false data that has been manipulated during transmission. The recovery seed is also displayed here so that it cannot be read by viruses on the computer.
On the positive side, Secalot’s cryptocurrencies wallets are also protected from unauthorized use by a PIN. However, the entry here is made via the PC’s keyboard, which makes it possible to read out the PIN.
As befits a decent hardware wallet, the whole project is open source. Both hardware and software can be inspected for possible backdoors.
FAQ 6Ask your own question
That is not a problem. You can restore your accounts to a new hardware wallet using the recovery key you wrote down when you set it up.
Most wallets support more than just one cryptocurrency, but only generate one backup. Nevertheless, this one backup is sufficient to restore all cryptocurrencies as all private keys of the different wallets result from the seed that is backed up as a backup during setup.
Hardware Wallets such as the Ledger Nano X, TREZOR Model T, BitBox02 or KeepKey all work according to the same principle. They are a special form of a so-called wallet, which is used to manage cryptocurrencies. A hardware wallet is a physical device that securely and inisolationly generates the private keys to the cryptocurrencies. Due to the extra hardware, they have some advantages over software wallets:
- Private keys are often stored in a protected area of a microcontroller and cannot be transferred out of the device in clear text.
- Hardware wallets are immune to computer viruses that steal from software wallets.
- They can be used securely and interactively, private keys never need to come into contact with potentially vulnerable software.
- The software is in most cases open source, so that the user or professionals can validate the entire operation of the device.
However, it is important to understand that hardware wallets are an attractive target for attackers and depend on several assumptions to maintain security. They are not a miracle weapon, and there are several realistic ways to hack a hardware wallet Especially if someone has physical access to the device.
A new cryptocurrency is rarely supported directly by a hardware wallet at the beginning. However, most providers such as Ledger or TREZOR are constantly working to support new cryptocurrencies. Therefore, it is often worth waiting until the desired currency is supported by your hardware wallet.
Are my cryptocurrencies stored in the hardware wallet, or where exactly are they? This is a very good question because the answer defines what your wallet actually needs to protect.
Cryptocurrencies are so named because they are secured by cryptography. For this you need a set of digital keys, for example your (very secret) private key. With this key you can encrypt and digitally sign things.
Let’s take Bitcoin as an example (other cryptocurrencies work in a similar way). The entire Bitcoin network is kept up to date by a common data structure called the blockchain. It contains records of all transactions ever made and is publicly accessible online, so anyone can read it. When you receive some bitcoins, say 0.1 BTC, you see them in your bitcoin wallet, listed under a bitcoin address.
At the same time, the bitcoins are not actually stored in the wallet, they are just an entry in the public blockchain. What the wallet stores is your secret private key that belongs to that address. Since you control that private key, you can spend those Bitcoins again: that’s how “Bitcoin ownership” is defined. Anyone can see these bitcoins, but only you can spend it, so they are yours. But that also means that *anyone* with the right private key can spend those bitcoins. Therefore, it is very important to keep this key secret.
What stops the manufacturer of your hardware from using a backdoor and simply stealing your cryptocurrencies? How much do you have to trust hardware wallet manufacturers?
While a completely “trustless” solution is probably not possible, manufacturers are doing everything they can to minimize the need to trust them.
Most of the software code of many hardware wallet manufacturers is open source, i.e. publicly available. Anyone can check how the device works and how secrets are handled. Of course, not everyone has the ability to review code: that’s why independent researchers are often encouraged to analyze, and are often rewarded by bug bounty programs when they find something. This does not limit their ability to publish a full independent report without permission.
The essentials to go: A wallet manages your secret private keys and requires full access to them. You can and should demand full transparency about how a wallet works and ensure that independent public audits are encouraged.
Ask your question about the product. The question will be published here together with the answer after a few days. You will be notified by e-mail.
|Compatibility||Electrum, MyEtherWallet, FIDO/U2F, SSH Agent, OpenPGP, OTP, Password Generator|
|Cryptocurrencies||Bitcoin, Ethereum, ERC-20 Tokens|
|Input Options||Touch buttons|
|Platform||Windows, Linux, Mac|
|FIDO U2F Authenticator|
User Reviews 0
No reviews yet