Bitcoin Forum

There are three ways that I can think off to store your private keys safely (offline)

1) Having a hardware wallet (Trezor, Ledger, and so on). The problem: Having to trust their custom RNG, their while hardware, that there will be no surprises (see trezord.exe phoning home)

2) Having a paper wallet (encrypted with BIP38). The problem: You can easily lose a piece of paper. The paper can also degrade over time. You would be also stuck with a single public key to get payments, so you would need one piece of paper per address... not good if you need to create new addresses constantly to relieve payments. Controlling coin inputs and outputs it's also harder without software involved.

3) Having an offline airgapped computer with Linux: This looks like the safest option to me. The problem: You need to pre-sign the transactions and Bitcoin Core does not have good support to do this so you are stuck with making raw transactions by hand which is a bit of a mess, then you need to pass this raw transaction into your online node. Armory has a nice GUI to do this but I wouldn't trust it too much. Electrum.. wouldn't trust my main stack to be held by an Electrum wallet (too paranoid about the seed being derived somehow)

So how do you personally manage your private keys in cold storage in order to make your transactions?

You don't have to do this. You can create your own seed offline and insert it in the machine. They'll recognise anything that's valid. Beyond that I do wonder how many other horrors will be uncovered in the years to come with hardware wallets. The spoils would be humongous.

I used to be all paper. Now I'm all hardware.

The third option sounds cool but far too much ball ache. If I'm to spend at the moment I'll get rid of one of my numerous forks, stick the proceeds in a phone wallet and go retail crazy.

I just can't trust hardware wallets. I think airgapped linux laptop is the way to go, but im still unsure how to go about signing offline transactions... I tried to practice with testnet coin. Got a testnet node synced and set another testned core wallet on the offline machine, then I put the public keys on the online node to see my funds in watch-only mode, but crating the transactions is too complicated if you need to pick specific inputs. I mean, it's like trying to do the "Coin Control" part of the GUI but manually... a pain in the ass indeed.

What's wrong with Electrum? I think you are very flexible with Electrum. You could use Electrum with 2 of 2 multisig (one seed on an online computer and another seed on an offline computer). You use the online wallet to watch your balance and to generate the transactions (including the first signature) then the offline wallet for the second signature and then again the online wallet to broadcast the transaction. You can do this very easily with Electrum. Or you could use 2 of 2 multisig with Electrum and a hardware wallet (one seed from Electrum and one seed from the hardware wallet). Or even 3 of 3 multisig with one Electrum online seed, one electrum offline seed and one hardware wallet seed.

Besides, Electrum is the first and currently only wallet that supports native segwit (bech32 addresses that start with bc1...).

I thought it is possible to assemble a tx completely on live net, with the watch-only address.
Then you’d bring the unsigned tx to the cold storage machine, and sign it. Then bring it back to the online machine, and send it... this would remove the burden of manually playing with the in and outs.

I have trouble remembering places "I can’t write my private key on a paper"So that I use technology.
1.1password (https://1password.com/): password manager for all my private keys and words. watch this https://www.youtube.com/watch?v=mcly2-b1W20 (https://www.youtube.com/watch?v=mcly2-b1W20)
2. Hardware wallets: i use this cryptosteel (https://cryptosteel.com/) "Cryptosteel comes with more than 250 stainless steel letter tiles engraved on each side. Codes and passwords are assembled manually from the supplied part-randomized set of tiles. Users are able to store up to 96 characters worth of confidential information in minutes, guaranteeing safety of the data with no need for specialized tools or third-party involvement.[Source and read full (https://cryptosteel.com)]"

Well, you could also make multiple copies of that piece of paper. Unlike cash, your bitcoins can be in multiple places at once, after all. Imagine losing your wallet on the subway, with all your cash in it, but wait! You have a backup at home! And a potential thief who finds the wallet can't access your cash without a password anyways.

i have most of my coins stored in cold storage, both paper wallets and encrypted .dat files on thumb drives and CDs. moving my real cold storage (and restoring it to new cold wallets) is inconvenient and difficult by design. an air-gapped electrum wallet is definitely necessary for my day-to-day transactions. there's no way around that for me.

i only keep < 10% of my coins in air-gapped spending wallets.......but i'm still at a loss for how core's HD wallet seed is so much more secure than electrum's. my paranoia (which is pretty high level as it is!) is more about malware that makes its way onto the thumb drive i use to transfer/broadcast transactions.

You can make a backup by encrypting a renamed text (notmyprvkey.txt) into a jpg (notmyprvkey.jpg) file containing the private key by compressing it using any 7zip tool together with a couple of real images.
Renaming the compressed file as "photos" or "porn" might deceive black hats.
This is better than just storing your backup in a hidden folder.

YES, I get those same exact fears in the back of my mind. One thing I want to try is to transfer data over an airgap via just a dumb QR code reader. Show QR on one screen, offline computer photographs it (with an offline camera peripheral) and decodes it, and then we could send information back to the online computer in the same way.

It is really simple:
-Create an offline wallet with Bitcoin Core and encrypt it (I recommend using PGP on top of the original encryption for privacy reasons)
-Backup this encrypted wallet.dat file anywhere you want. You can put it on several harddisks, usb sticks. You can send it attached to several email addresses.

On Core vs Electrum for airgap machine - IMO there's more risk that you screw up while dealing with raw transaction and accidently set the wrong amount/wrong fee/ wrong address then that Electrum has some serious vulnerability in its seed. But you can also have two cold wallets - one big Core wallet where you store your long-term savings that you are not going to touch for years, and a smaller Electrum cold wallet that you use to sign transactions more frequently, like every few months.

Yeah this would be it. I remember reading someone claiming this was possible in the past but I don't know how the steps would look like.

So let's say I have a node online and synced with all my addresses added as watch-only, then the offline wallet in the airgapped computer (both are Bitcoin Core).

How do I make the transaction in the online node's wallet on the GUI as usual then pass it read on the offline machine to sign it with the offline private keys then back to the online node?

If I do the transaction as usual with the watch-only addresses with the ideal fee and all the inputs I want selected in "Coin Control", I can then do "dumprawtransaction" and then make a QR code of this, read it in the offline wallet, then what do I do with this?

I just want to know step by step to not fuck it up in the process.

I keep most of my coins on encrypted wallet.dat, but it's not possible to do day-to-day spending this way. I just use them for coins I don't expect to move for months or years.


I wasn't aware that Armory had a GUI for offline signing. Any opinions here on Armory vs. Electrum? I use the latter, but I'd feel a lot more secure if I could do this with Core. Also, is it true that Electrum's seed might be easier to derive? What's the difference among the different HD wallets regarding seed security?

Paper wallets are not that big a deal for me. I use a air-gapped computer & printer to print multiple paper wallets and I store duplicates in 3 different locations. I also split my stash into small chuncks, to reduce the risk of having to restore everything, every time I want to claim fork coins or when I want to use some.

The hardware wallets are used for small amounts on a daily basis. ^smile^

I don't think, that a 'day-to-day-wallet' needs to be secured in an offline wallet in most of the cases.

Im just not sure about the whole deterministic approach thing. I remember reading that it reduced overall entropy. Your seed could also be derived from a number of signatures.. I don't see how it's a good idea to have all these relationships between things and not just have private keys separated from each other like the old wallet.dat format?? at least for cold storage. Achow I think said that the HD format for Core is not bip32 and it's safer than Electrum but im not sure.

I don't know about Armory details but you can see a video in action here (offline transactions in Armory):

https://www.youtube.com/watch?v=ZGjL4BllFtM

And here how to do offline transactions in Electrum:

https://www.youtube.com/watch?v=DQumISxkJsQ

And here how to do offline transactions in Bitcoin Core:

https://www.youtube.com/watch?v=jWKuqP-zTFk


As you see it's harder with Core, but, if you can do it in the online node with the GUI, then pass the transaction into the offline node, sign it, then pass it back to the node, it could be done easier (with that extra step but it's worth the peace of mind of getting an ideal fee and getting things done in the GUI where it's harder to fuck it up than with crafting raw transactions)

I have a paper wallet for my savings in Ethereum and some ERC20 tokens I've in there. Then I have an address that I use with Metamask for some transactions I do weekly, not the best but it's ok for me.

All my Bitcoins are in a paper wallet with two copies carefully stored in secret and safe places. I won't sell or use them in any way for a long time, so that way is ok for me. Maybe in a while I create some new wallets and send all the Bitcoin there, in order to avoid problems with the paper. As I don't send bitcoins don't need hardware wallets or any kind of way to manage private keys to send transactions offline.

But paper wallets, similarly to hardware wallets, are very recognizable objects (and it will be increasingly recognizable overtime), so a thieft will save it just in case, because he knows there's bitcoins in there, he can also force you reveal a password.

With a wallet.dat file you can put it in a generic usb, hide it well, and nobody would know you own BTC. You don't want some thieft to break into your house at night and then he finds out you have a ledger of a paperwallet, because he will beat you up until you say your password. If all they find is some USB it's harder for them to know it's bitcoin related.

I'm actually quite interested to learn more about the rationale behind making a particular choice in terms of offline storage, as far as I see in the end it boils down to what your comfortable with if anyone could correct this view if I'm wrong I'm open to hearing more?

Not necessarily. Look at how small they can be, such as the paper discs inside casascius coins. If it fits on that, can't you write it on the page of a book on your shelf? Books aren't immediately recognizable as money. What about a curtain rod? There's nothing stopping me from turning that into a wallet. Just stick some numbers in there where they can't be seen.

A lot of people make their paper wallets look like money because that's fun to do. It doesn't have to be that way.

Good point. You could just put your paper wallet in the middle of a big fat book and it would be hidden pretty well. Im not sure about anything else tho. Any hardware wallets are still a problem and could be recognized during scans on airports.

If eventually the governments become extremely paranoid about Bitcoin, they may start looking for these on every border, so have that in mind. A generic USB or any other generic storage device is always better than a HW in this sense. The paper wallet hidden inside a book idea is also good (unless they start checking books too...)

All things considered, hardware wallets suck unless you are sure that nobody is going to find it, and nothing can guarantee that, which is why I advise against them, among other things such as having to trust that they are legit.

Remember also that private keys can be encoded in many creative ways. For example, you can write some notes on the side of a page in a textbook, and then use that text as a private key. Chinese customs looks at the notes, and sees scholarly etchings, not a bitcoin key. When in reality you could have your savings stored in those notes.

True, but if you are a Bitcoin Core user and you have all of your private keys on a wallet.dat file, you can't do that. You are going to need a device to store your wallet.dat file, so an USB seems like the best way to go. You could also encrypt your entire laptop, but beware, if you lose the password, it's game over. I lost a password for some encrypted drives with veracrypt, and I can't no longer access them.

You could just send your wallet.dat file to yourself in an email temporarily while you cross borders, just encrypt it and hide it well, it should be ok as a temporary measure.

I just don't trust BIP38 enough to have all of my BTC on there, so I need ways to keep wallet.dat safe.

- I have seen Veracrypt being unable to restore encrypted files several times (of course using the correct password). I wouldn't trust it with my money. I never had problems with GPG, so its my first choice.
- I use email as an additional backup for my double encrypted wallet.dat files. Crossing borders without a hassle is a nice side effect.

Another Idea to further protect your online wallet would be using P2HS addresses and store your funds on those. This way your funds won't be protected just with your private key but also by some logic that is executed on the blockchain. Simplest thing that came's to mind is to use some not-so obvious function of transaction inputs as a password that have to be added to spend funds. This way even if your key is leaked - your funds will most likely to be safe if you only leak private keys somehow.

You can add a custom password aka seed extension. If its entropy source is something like dice rolls and it's 128-bits of entropy strong or stronger, even with a bad RNG on the Trezor, your funds are secure.

I had spent some time with Bitcoin Core 0.16 in offline mode, and didn't get to succeed for different reasons. When looking into cold storage and Bitcoin Core, majority seems to talk about keys being offline. So far so good. When it comes to signing a transaction, that seems to be another issue. I stepped over this thread with a remarkable comment from Pieter:

https://bitcoin.stackexchange.com/questions/50924/new-bitcoin-core-0-13-2-as-cold-storage-wallet

I have meanwhile tried to creat a tx on an online system, transfer it to the cold storage system, and get it signed. I started easy, with a simple P2PKH transaction. When I brought this to the cold storage to sign with bitcoin 0.16.1, the bitcoin-cli signrawtransaction command would reply with missing link to previous transaction:


when I tried to provide it additional info, I had the same result:


I was wondering, how the system would check the details. As I am no C/C++ dev, I am not too eager to look into the code... But obviously the client verifies contents, to make sure only "valid" transactions go to the network. This is good user protection, and probably very positive.

I also did some tests with (non-multisig) P2SH and redeemscripts. I created a funding transaction on the live system, and wanted to spend the P2SH. So I had to sign on the cold storage system. Results are also unsuccessful. I tried:


This INVALID OP_IF error happened to several versions of the created raw transactions and redeemscripts. It seems that bitcoind doesn't have enough info to add the signatures. This doesn't necessarily mean, the tx is invalid (one could manually add the sigs from a different program  ;)). As shown here, I can make a P2SH successful going through (just a hash comparison, without signatures):

https://bitcoin.stackexchange.com/questions/74753/htlc-hash-time-lock-contract-using-bitcoin-qt/74953#74953

From my experience, signing transactions offline with Bitcoin Core is not best way to go. And by this I don't mean to blame the core dev - au contraire! The design seems to go into user protection, and not fulfill dev's ("my") requirements.