A best practice to store BTC and altcoins with open-source hardware wallets?

[lyw123]

     I am a newbie, and I want be safer.

     I'm not confident in closed-source hardware wallets like Ledger. There is no security without supervision. Open source hardware wallets can be found here. (

Open Source Hardware Wallets,

https://bitcointalk.org/index.php?topic=5288971.0)

      I plan to use a 2-of-2 multi-signature wallet (Ledger + Trezor) through electrum software to manage Bitcoin on a offline computer, and two single-signature wallets (Trezor and Keystone) with passphrases through metamask software to manage Ethereum and BNB tokens.
      
      Here are my views, open to discussion:

(1) Simplicity helps reduce the chances of errors, and the current solution is not too complex.

(2) All the wallets and software involved are fully open-source, except for Ledger. This ensures sufficient community oversight and scrutiny, preventing the company from engaging in unethical practices.

     As for the Keystone hardware wallet, it is my first time purchasing it, and it might be the only open-source hardware wallet that supports both altcoins and QR codes. What do you think about the security of this wallet compared to Trezor?
[/list]

[vv181]

(1) If I set a passphrase with at least 15 characters (0-9, a-z, A-Z), then Trezor or bitbox will never know it and cannot crack it? This can prevent hidden backdoors in the mnemonic seed, which is very difficult to verify.

If there is a backdoor why would you think a passphrase would solve it?

(2) If I wait a few months (>2 months) to update the firmware after it was released. Then this can against malicious firmware from Trezor or bitbox company. (see “How to prevent if The Trezor release new firmware update to steal Bitcoin”, https://bitcointalk.org/index.php?topic=5386771.0).

If there is high-risk vulnerability being fixed you should not wait to update. So it depends on what is being updated or fixed.

Are there any other possible risks from the hardware wallet companies?

Supply chain attack on the shipping process and their mitigation to prevent that. Data leaks.

Is it really necessary to buy a bitbox for spread risk? Of course, I will not use ledger for altcoins. Half in trezor, and half in bitbox.

Spreading your funds into separate HW surely mitigates the risk by any means, but the question is can you stand with the complexities? I rather think you add unnecessary burden, noting you already have 6 HW.

Is it necessary to buy a new computer (~100 $), which is only used for send cryptocurrency?

I don't think so. HW should prevent attacks from the computer itself. Furthermore, you might want to consider about cold storage option if eventually you want to buy a new computer, so you are not relying on HW.

[lyw123]

If there is a backdoor why would you think a passphrase would solve it?

I lack the ability to judge, and it's just speculation. If the code related to the passphrase is verified by community experts and if strong passphrase passwords have not been tampered with and changed to weak passwords, then passwords of 15 characters or more cannot be cracked.

Supply chain attack on the shipping process and their mitigation to prevent that. Data leaks.

Using genuine firmware and using only Trezor Suite, whether or not can significantly mitigate the risk of supply chain attacks? If not, then I die.

Spreading your funds into separate HW surely mitigates the risk by any means, but the question is can you stand with the complexities? I rather think you add unnecessary burden, noting you already have 6 HW.

Yes, you are right. More than 3 mnemonic phrase will lead to burden.

I don't think so. HW should prevent attacks from the computer itself. Furthermore, you might want to consider about cold storage option if eventually you want to buy a new computer, so you are not relying on HW.

Lacking the ability to personally audit open-source airgapped wallets like Airgap Vault and MEW Offline, I dare not forgo using hardware wallets.

[Ifemini]

    I am a newbie, and I want be safer. 

As a newbie, you have not chosen a safer option instead, you have chosen complicated wallet options that could limit your potentials and have you confused in the long run instead, what can you do?

Get yourself a metamask wallet; store and secure your altcoins there and don't just connect your wallet in random places or websites you are unsure of. Then you can set up your trezor wallet and store your USDT there only.

As you increase your knowledge and learn more about using hardware wallets and some other perks; you can gradually move all your altcoins to the hardware wallet; as a newbie, always choose simplicity.

[lyw123]

As a newbie, you have not chosen a safer option instead, you have chosen complicated wallet options that could limit your potentials and have you confused in the long run instead, what can you do?

Get yourself a metamask wallet; store and secure your altcoins there and don't just connect your wallet in random places or websites you are unsure of. Then you can set up your trezor wallet and store your USDT there only.

As you increase your knowledge and learn more about using hardware wallets and some other perks; you can gradually move all your altcoins to the hardware wallet; as a newbie, always choose simplicity.

Yes, it is a good suggestion. The simpler, the less likely to make mistakes.
I only plan to invest in Bitcoin because it can utilize multi-signature technology, which is highly secure. If the price of Bitcoin becomes too high one day, I intend to sell it. I will convert 1/3 of the asset into USDC and store it on the Ethereum network using a Trezor hardware wallet with two passphrases (two wallets). I will convert the remaining 2/3 into Chinese Yuan. Since cryptocurrency trading is illegal in China, then transfer it to 20 bank accounts through Binance's C2C platform, in order to diversify the risk. I believe this approach is simple, feasible, and carries minimal risk for me.

[vv181]

If there is a backdoor why would you think a passphrase would solve it?

I lack the ability to judge, and it's just speculation. If the code related to the passphrase is verified by community experts and if strong passphrase passwords have not been tampered with and changed to weak passwords, then passwords of 15 characters or more cannot be cracked.

A passphrase is meaningless if the device and the firmware itself are backdoored in the first place. So you are worrying about the wrong thing here. The most important part of a hardware wallet is the seed phrase generation process and how the device keeps your key offline. The passphrase is not the essential thing that manages your seed phrase. Mostly it just a way to open/accees the device.

Supply chain attack on the shipping process and their mitigation to prevent that. Data leaks.

Using genuine firmware and using only Trezor Suite, whether or not can significantly mitigate the risk of supply chain attacks? If not, then I die.

Indeed Trezor recommend buying the devices from legitimate sources. Moreover,  Do checks of the firmware of the device, Tamper-evident seals, and device casing. For further information take a look at their blog post: Stay safe shopping for hardware wallets.