Bitcoin Forum

Care to share your knowledge?

You should not be using paper wallets anymore, there is too much risk that the paper the private keys are written on will get damaged or lost. Also when using paper wallets your security is at the mercy of the site or app you use to get the private keys. Some of these sites aren’t using enough randomness and could leak the keys.

You should be using a hardware wallet to store large sums of bitcoin. These don’t let people extract private keys, they can’t be used by thieves without knowing the PIN you set on them, and some hardware wallets self-destruct if you enter the PIN code incorrectly too many times.

0. decide whether you want to use private key or mnemonic in your paper wallet. (the later is better since it can create as many keys as you want)
1. choose a tool that can be trusted to create the key safely. any popular wallet that has an export option is excellent for this. this choice depends on step 0 since not all tools can create mnemonics, for example bitcoin core (only private keys) or Electrum (both private keys and mnemonic).
2. choose an encryption tool and learn how to use it correctly. this must be an open source tool that is capable of strong encryption using AES. if your step 0 choice is to use a single private key you can choose a tool that supports BIP38 encryption and skip this step.
3. build your step 1 choice from source or download the binaries and verify its signature.
4. download a Linux distribution and verify its signature.
5. burn the Linux OS on a DVD, disconnect your network and boot up that DVD.
6. run the result (the "tool") of step 3 in that live OS, create a new wallet export the key/mnemonic
7. encrypt the result of step 6 with the tool chosen in step 2
8. print the encrypted result. create backups and write down the password separately in another secure place.
9. laminate the paper or use a metal plate and engrave your encrypted result on it and store it in a safe place that is not exposed to things that can damage it.
10. (important step) reboot the same DVD and try to recover the key you just created using your password and see if you can get the same address (this makes sure you have written things down correctly). if step 0 choice was a mnemonic you can send some coins to the first address and spend it using an offline/online combination of master private key (on offline backup) and master public key (on the online machine) to also test spending.

don't be afraid to create more than one paper wallet this way for testing and send money to and from that wallet before you create one final one that you end up using.

I wouldn't recommend paper wallet unless you're expert and being very careful on every single steps you do to create and maintain paper wallet.


Some thought or alternative,
1,2. You can use tools which support BIP 38
4. Choosing live distro which offer offline mode or better security (such as Tails) might be useful
8. This part is vague, do you mean print from running OS on DVD? How about driver support?

1,2. it will only work if you choose single private key instead of mnemonic since BIP38 is defined for private keys only and we have no BIP for mnemonic encryption. a simple AES-256 encrytion of the string would work on anything though.
nonetheless i've updated my answer, thanks.
4. good idea.
8. it won't matter as much if it is encrypted using a strong password. worst case scenario you can print it on your online machine and then try wiping the memory. although i believe Linux distros such as Ubuntu already support a lot of printers without needing any driver installation but i may be wrong.

pooya87 already pretty much gave you a good list.
 
A little addition to step 8 (printing the paper wallet) would be, that you shouldn't use a modern printer which either 1) stores printed files in a cache or 2) is network-/internet connected.

Such printers pose a real risk. I remember reading a paper stating that roughly 50% (don't quote me on that number) of such printers can be manipulated by simply just visiting a malicious website (obviously javascript enabled, just like a regular user would browse).
You really want to use an old offline printer if you are going to print it out.

When you look at what is the only safe procedure, then this way of storing keys definitely is not for beginners. Of course, we should not forget that in addition to all the steps necessary to create a paper wallet, you need to know how to properly spend those same funds when the time comes. In case someone tries to spend part of the funds directly from such a wallet, without first paying attention to the change address, will be unpleasantly surprised.

WARNING: How I lost Bitcoins using a paper wallet (https://steemit.com/bitcoin/@michaelmatthews/warning-how-i-lost-bitcoins-using-a-paper-wallet)

When I created a paper wallet with (BIP38) on a live linux distro I always print the wallets and also safe the wallets to a PDF file.

I store this PDF on an USB drive and safe this in an external place. So if the paper wallet got broken/lost I always have a copy of it.

So what do you suggest as a 2nd best alternative to HW?

Don't listen to him.
You should never use any website to generate a paper wallet. And neither are you forced to only use paper as the medium of storage.

To answer your question, it depends.
Generally, a dedicated offline device is the best way to store private keys in a cold wallet.

If you don't transact very often and don't want to buy a HW wallet, a paper wallet would be one of the most secure ways.

1) How else does (should) one generate a paper wallet then?

2) Didn't get you about the not forced to use the paper as a medium to storage. Could you eleborate please?

3) Dedicated offline storage? Like a mobile that's never online? Or do you mean HW like Ledger?

Could you rank storage methods from most secure to least?

Just like pooya87 said. Use a good wallet on a live linux distro (everything offline + signatures verified). That's the easiest way.
Another option would be to use command line tools from linux which are built in. This won't give you a mnemonic code, but you'll be able to generate a private-/public keypair and address with nothing but core functionality from your operating system.




Well, you don't need to print it on a piece of paper (which can be vulnerable to water, fire, etc..).
You could for example engrave the private key into metal.




A mobile which never goes online and doesn't have any other network connection (preferably with the components being removed) would be an option, yes.
That's basically dedicated cold storage. Most people use an old PC or laptop. But a mobile is fine too.



This always depends on the user and environment.

Generally:
Dedicated Cold Storage > Paper Wallet > HW Wallet > Desktop-/Mobile Wallet > Browser-based Wallet > Web Wallet > Custodial Wallet


But you also have to know the pitfalls of each scheme. For example:

• If you for example use a website to create your paper wallet on an online device, it suddenly is roughly as secure as a web wallet.
• And if you create it perfectly, but at some point you need to spend from your paper wallet and use a software wallet being online, this whole setup suddenly is no longer more secure than a standard desktop wallet.

In the end, no storage method is perfect. There is no "most secure" option. It always depends on your adversary- / threat model.

Thanks! Beautiful explanation. So Linux live USB then? With persistence or without? Also how does that compare to tails in security?

Yes, a live linux distro is the way to go.

Persistence is just for storing data between different boots.
For creating a paper wallet, you don't actually need that if you are using the command line option.
When using the software wallet (a.k.a probably electrum) option, you might need it to store the electrum AppImage there prior booting the distro in offline mode.

And Tails basically just is a linux distro which is preconfigured for easier "privacy" mode, i.e. it is easier to boot it completely offline / with tor.
You can use tails, if you want to. Just as good as debian, manjaro, whatever. As long as it is a trusted distro and you verify the signature of the .iso prior installing it, you are fine.

Thank you Pooya. This is fantastic!

Could you clarify a few things if you don't mind?

Any recommendations if I want to go the mnemonics route? And what exactly is an "export option"?

And if I'm doing mnemonics....Recommendations? Also, what is an encryption tool?

OK, I'm going to need this in layman's terms..."build"? How? Download the binaries? I'm guessing this is not a download an app and install type of deal.

I do have a Xubuntu Live USB. How do I verify it's signature?

I'm guessing a USB would suffice, correct? Also, do I need persistance or not?

I'm afraid I'll need a little bit more detail on this part. I'm not sure what "run the result" means. As well as "create a new wallet export the key/mnemonic"

I'm guessung this tool encrypts the key? Is the result of step 6 the key?

So it's not the key?

Create a backup...of the paper? Like make a xerox copy?

Write down the password... So is it not encrypted? What did we encrypt then?

So persistence...necessary or not?

How is that done exactly?

Again, thank you for the help!

i'd go with Electrum but keep in mind that Electrum mnemonics are only usable in Electrum itself and one or two other wallets. it is not a big deal since the algorithm is known and pretty easy to duplicate but you should know that it is different from BIP39 (the mnemonic BIP).

it was mainly for the private key route not the mnemonic. some wallets only show you the addresses they generated and don't have an option to show you the private key of it. but most of them let you access the private key and export it. which is what you need if you want to create a paper wallet.

an encryption tool is a tool that lets you enter an arbitrary string plus a password and gives you the encrypted result. it has to be open source and popular. since i haven't used any i can't recommend any. maybe someone else can chip in. i pretty much wrote my own code using a KDF and .net System.Security.Cryptography.AES

trusted bitcoin wallets are always open source, which means you can download the source code and "build" it yourself and then use that instead. but since not everyone can do this, the developers of these wallets build it themselves and release the "binaries" which you can download. for example for Windows it is the .exe file that you download and install. for Linux it is usually a tarball (.tar.gz file).

Xubuntu is a flavor of Ubuntu (with a different desktop environment). you can follow the same steps here:
https://ubuntu.com/tutorials/how-to-verify-ubuntu

if you are creating a "paper wallet" then you don't need any kind of persistence at all. because you don't want anything to be left behind. and yes you can do it with a USB disk too.

there was a mistake in the step number (it should be 3). it means that for example if you chose Electrum, you unzip the tarball in the Linux you are running and run Electrum to create a new wallet.

it is your choice.
for example again using Electrum you can use the mnemonic that it created for you and encrypt that, or you can simply select one of the addresses and export its private key to create a paper wallet from that single key. then encrypt that.

you can print it 5 times so you have 5 copies of the encrypted result. let me give you an example:
lets say you created this menmonic
use a strong password
encrypt using AES-256-CBC

you don't need the mnemonic (slice citizen truth ...) anymore, you can throw it away. you have to print the encrypted result (7844bc....) which would be your paper wallet and you can create copies of this.
but also you have to write down the password you used because it is not possible to remember a strong password such as (%Vn4mDb2g0@Abv,3*q). but this has to be on a separate paper and kept separately otherwise the encryption would be pointless.

when you want to recover, you use the same encryption tool and enter the encrypted result (7844bc....) and your password (%Vn4mDb2g0@Abv,3*q) and it should give you the mnemonic (slice citizen truth...) which you can use in the same wallet software.

persistence will remember the changes you made. for example if you install and create the wallet it will remember the wallet and next time you boot the OS it will have it. you don't want this if you are creating a paper wallet.
that is why i suggested using a DVD since you can't add persistence to a DVD.

take a look here: https://electrum.readthedocs.io/en/latest/coldstorage.html

Appreciate it Pooya!


OK. I'm not getting much luck Googeling "private key vs mnemonic vs mneminics BIP39".

Could you please help me out? What's the difference between the three in the way they are and function in as layman's termish as possible?


Like Coinbase?


Sorry. I'm not sure I understand the core function of this tool in relation to Bitcoin. Is it a tool where you enter your btc key and it would convert it to a code and then you can use that code to retrieve your key? If so, then when does the password come into play?

Or does it also generate a password so now you'd have to enter the password AND the code to retrieve your key?

If it's the later, then what's the point of the code? Why not only a password to retrieve your key instead of (what basically seems to me as) two sets of passwords; the code and the actual password?
If it's for extra security then wouldn't you be able to create the same level of security with combining both the code and the password to make one password. What am I missing here?


In Electrum I see .tar.gz and Appimage. Which one to use?


1) What exactly is the benefit of mnemonic over private key?

2) What exactly is the benefit of mnemonic over private key when using an encryption tool?


Is there any risk of doing this on a public computer?

Mnemonics or mnemonic phrases are a series of words (usually 12 or 24) which can be used to recover your bitcoin wallet and all the addresses it contains. They are also known as seed phrases. (Indeed, "mnemonic" is a bit of a misnomer since these phrases are supposed to be backed up on paper, not memorized).

There are different ways that these phrases can be generated. Most wallets use a method known as BIP39, which is a standardized method. You can read more about it here: https://github.com/bitcoin/bips/blob/master/bip-0039.mediawiki (a little bit technical). Electrum, on the other hand, uses their own system which is not compatible with BIP39.

Private keys are numbers which relate to individual addresses. Each address in your wallet has a different private key which can be used to spend any coins on that address. All the private keys in your BIP39 or your Electrum wallet are derived from the mnemonic phrase. So to answer your other question further down your post, if you back up the mnemonic phrase, then you are effectively backing up every private key in your wallet and therefore your entire wallet. If you were to back up a single private key, then you are only backing up a single address.

To be clear, I never suggested to OP to use a website to make a paper wallet (I'm not so foolish to suggest such a thing to anyone). I said:


Only reason why I suggested to OP to use hardware wallets instead is that most people don't make their paper wallets safely.

Search google for paper wallet, grab any result, or an Ad is even better. Print it and put in your sock drawer. Put all your money on it before getting comfortable with spending (don't worry about change address, WTF are those anyway). Back up on dropbox, or post it here. 


In all seriousness, unless you are really advanced and/or a developer you are setting yourself up for failure with paper wallets. 


I love paper wallets personally, and I like building my own tools for key generation, storage and spending but for obvious reasons I can't recommend this approach to most users.

Coinbase is not a wallet, it is an account where you have zero control over your keys.

practically you only have your password and the encrypted result. the rest is the "under the hood details", and under the hood the password you give the application could be extended to make any brute forcing attempts even more impossible. if you want to know more about the details look at BIP-38 (https://github.com/bitcoin/bips/blob/master/bip-0038.mediawiki), what i explained above is very similar. there are some examples at the bottom under Test vectors too.

the first one.

with a mnemonic you can generate as many keys as you want, which makes reusing the paper wallet possible (eg. you use the first key of the wallet then move to next). you can't do it with a single private key paper wallet, you must throw it away after using it and send the remainder to a newly generated paper wallet which is a tedious task.
when encryption is involved there is a standard for encrypting private keys (BIP-38) but there aren't any for mnemonincs.

most probably yes.

OK thanks for that explanation.

Do i get a new mnemonics phrase for every address I create?

What would be the risk if I'm booting from a DVD?

it is called deterministic key generation. you have a single entropy (your mnemonic) that all your subsequent keys (and addresses) are derived from.

well for starters someone might be looking over your shoulder!

Haha I get that. I meant risks from within the computer itself. Let's say I borrowed laptop for instance.

In the extreme case, it might have malware installed in the BIOS, and that stuff can’t be deleted.

Wouldn't Appimage be better since it doesn't leave anything behind? https://itsfoss.com/use-appimage-linux (https://itsfoss.com/use-appimage-linux)


Can anyone post an example tool? I'm having a hard time finding one to get an idea what it is.

AppImage is just a compressed file that needs to be extracted to run the program and then is automatically deleted when the program is closed. In fact the link you posted says that. You could delete the folders extracted from a .tar.gz to erase the traces it leaves too.


Save whatever you’re trying to encrypt in a text file and then run in a terminal:


And then type a password for it and delete the original file. No PGP key required. --no-symkey-cache is necessary to prevent the password from being cached. It is only available in GPG >= 2.2.7 so you need to use Ubuntu 20.04 for your live distro. Older distros package an older version of GPG without this feature.

To decrypt:


And type the password you set.


Source: https://askubuntu.com/a/449647

No. The mnemonic phrase is unique to the wallet, but the wallet can contain a near endless number of addresses. Every single one of those addresses is ultimately derived from the same mnemonic phrase.

More technically, the phrase is hashed to produce what is called a "seed number", and that seed number is hashed again to create a "master private key". That master private key can create billions of child private keys, which can each create billions of their own child privates keys, which can each create billions of their own child private keys, and so on. Each one of those private keys can be turned in to a unique public key and therefore a unique address.

If you back up your one 12 or 24 word mnemonic phrase, then you have backed up every single one of those billions upon billions of unique addresses.

---

Instructions unclear, uploaded my socks to Dropbox.

Any beginners tutorial of this (preferably visual) so I can see what you're talking about and get a clearing understanding?

I'm a big fan of the book "Mastering Bitcoin" by Andreas Antonopoulos for explaining a whole bunch of technical bitcoin concepts in easy to understand ways. It also includes some nice diagrams. The book is available for free on GitHub here: https://github.com/bitcoinbook/bitcoinbook. Chapter 5 deals with the structure of wallets and seed phrases, but see particularly the following sections:

https://github.com/bitcoinbook/bitcoinbook/blob/develop/ch05.asciidoc#hd-wallets-bip-32bip-44
https://github.com/bitcoinbook/bitcoinbook/blob/develop/ch05.asciidoc#mnemonic-code-words-bip-39

Another great resource is the site https://learnmeabitcoin.com/. Again, lots of easy to understand explanations, and even less technical than the Mastering Bitcoin book if you are finding that a difficult read. See particularly these pages:

https://learnmeabitcoin.com/technical/hd-wallets
https://learnmeabitcoin.com/technical/mnemonic

So why exactly are we choosing .tar.gz over appimage?

"We" aren't choosing one over the other.

In the end, it really doesn't matter which you choose and only comes down to your own preference.

Do you want to install the wallet properly without giving up more space than necessary? Go for .tar.gz
Do you want it to be just a single file you need to run and don't care that libraries are included you already got installed which take up a few more MB while guaranteeing better compatibility between all systems? Go for .AppImage


Security-wise it doesn't matter as long as you verify the signature.

What about getting a second hand laptop for something like fifty to one hundred dollars, with a cd/dvd burner drive, disconnect its wifi /bluetooth hardware (preferably get one without bluetooth for less work), keep it as a dedicated bitcoin cold wallet machine, and perhaps make burn a few dvds (get good quality blank dvds) each with copies of the encrypted wallet file (filling up nearly all the space on each dvd with lots of copies of the same wallet file since its purpose is a backup after all.)

Obviously, as you say, engraving on metal plates is going to be more durable than writing on paper, but metal plates can also be damaged by natural disasters. You should make sure you are choosing stainless steel, titanium, or a similarly durable metal, as metals like aluminum (which many of the marketed back up devices are made out of) are malleable, do not resist corrosion, and have low melting points. Even then, a stainless steel plate is not indestructible. And even if it were, what if you can no longer access it? What if there is fire or explosion, and you can't find it in among all the rubble? What if there is a flood or tornado and it gets carried a few kilometers away?

What matters more than whether you choose paper or metal is having multiple copies in separate physical locations. I use paper wallets (on actual paper) and I use paper for writing down seeds. I am not concerned about them being damaged or destroyed even though they are just everyday paper, because I have multiple back ups. If one is destroyed, then I'll use one of the others to replace it. It's all about redundancy and not having a single point of failure.

Wouldn't saving a file make copies of it at various places that could be recovered later, regardless of whether you encrypt the file or not because the encryption would be after the file was saved without encryption?
And deleting the original unencrypted file doesn't really permenantly delete it. How do you get around this?


Hand written or printed?

I can't speak for NotATether, but whenever I am dealing with sensitive information like this I am doing so on my permanently airgapped device which uses whole disk encryption. Anything left behind after I am finished is encrypted along with the rest of the contents of the hard drive.

Hand written. Using a printer just adds yet another attack vector, as almost all modern printers can be hacked, can run malware, have WiFi and Bluetooth capabilities, have internal memory which will store recently printed files, etc. The paper wallets I use are not "classical" paper wallets in the sense of a QR code and a single private key, but rather a full seed phrase - easier to work with, easier to write down, harder to make a mistake, reusable multiple times, no worries about change addresses.

You are correct, the only way to encrypt a file without leaving temporary copies behind is if it’s done in-memory and then the memory is overwritten with random data, and the sensitive info is read from some kind of text box used for passwords (how much privacy it provides depends on the text box implementation). Personally I like the text box GPG uses, it uses something called pinentry and it disables all of the editor shortcuts like Ctrl-C/V, and locks the input focus on the password dialogue.

Granted all of this requires you write your own encryption program, but because GPG is open source you can easily write a simple C program using libgcrypt and pinentry that somewhat replicates what GPG does except it reads from memory and not a file.

Are you using Windows or Linux, or Mac? So you're using mnemonic phrases? When using Electrum, don't you have to be connected to the internet when creating a wallet?

My airgapped device runs Linux. I use LUKS for whole disk encryption.
Yes, I predominantly use seed phrases rather than individual private keys, unless for very specific purposes.
No, you can create wallets offline with Electrum (or pretty much any good wallet or software). The wallet will not be able to update your balances without an internet connection or some other means of receiving blockchain data, but it is entirely possible to create a seed phrase and derive all the relevant private keys, public keys, and addresses without an internet connection.

---

Note that creating a wallet offline is exactly how cold storage is supposed to work. I can use Electrum on an airgapped device to create a new wallet from scratch. That wallet will contain all my private keys, but it will not show any balances. I then export the master public key from that airgapped wallet and move the master public key to an internet enabled device and import it in to a new Electrum wallet. This new wallet will only be able to generate the matching public keys and addresses only, and not the private keys. This is called a "watch only wallet" for that reason. It does not have the private keys, so it cannot sign any transactions (and therefore cannot be hacked), but it has an internet connection so can see incoming transactions and update balances.

When I want to make a transaction, I use the live watch only wallet to create the transaction. I then transfer it to the airgapped device which has the wallet containing the private keys (either via USB drive or scanning QR codes). The airgapped wallet can then sign the transaction, and I then transfer it back to the live watch only wallet, which can broadcast it to the network.

OK. There are a few fundamentals that I'm missing. On electrum, it can't be a permenantly airgaped computer because you'd need internet to download Electrum and it's dependacies. So I'm guessing disconnect/airgap after installing it, correct?

After the screen/step (https://bitzuma.com/images/posts/20140311/your-wallet-generation-seed.png) where you get your phrase and the next screen/step (https://bitzuma.com/images/posts/20140311/choose-a-password.png) to enter your password, and then to re-enter the password...there is this (https://bitzuma.com/images/posts/20140311/main-screen-first-launch.png) window which displays your key(?) and qrcode with a circle on the bottom right corner which turns green when you're online. Is this window/step not necessary?

The point of an airgapped wallet is that the system is completely offline before the keys are being generated.
You could go online with the device to download electrum, remove all connections, verify the signature and use it as an airgapped wallet. But you could also download the wallet from a different computer and move it there. Doesn't really matter that much as long as you verify the software.

The really important part is to not connect it to any network after generating the keys.




No, it's not.
You don't need to go online at any point.

Generating the mnemonic code on your offline device and backing it up is all you actually need to do to actually use it as an offline wallet.

I have only one computer and it's my daily driver. Do I really have to buy another computer for just this purpose. I thought doing it on a non-persistent live Linux disk served the same purpose.

Also, how do I verify that I've received the bitcoin that I sent to myself without going online? How is this part covered?

There is a difference between a paper wallet and an air-gapped wallet.
For an air-gapped wallet, you need a device which stays offline and won't go online anymore.

For a paper wallet, this isn't necessary. In this case a live linux distro is sufficient if done correctly.




With an air-gapped wallet? Usually by using a second device using either a watch-only wallet or a blockchain explorer.

OK. Let me explain...

I'm not really trying to create a HW. I'm creating a paper wallet, for the main purpose of storing bitcoin. Of course, I might also need to use them for spending, but for now, the intention is a "savings account".

Following the method suggested here by Pooya and others, I'm going to use a Linux non-persistent live disk and Electrum (segwit) to create the wallet. The following are the steps I'll follow...

1) Create a Linux live USB (non-persistent).

2) Download Electrum.

3) Disable wifi.

4) Verify Electrum signature.

5) Create the wallet using segwit.

6) "Write down" the phrase.

7) ??

Step 6 is as far as i went. I'd like to know what I should do next. Namely...

1) How do I sent bitcoin to my paperwallet, let's say from Coin base? Is it to go to the receive tab like shown here (https://imgur.com/lTXFW8e) and copy the address like shown here (https://imgur.com/vTEM1wn) (mind you, I don't see the QR on my Electrum. Is that because I'm not online?) and paste the address on coin base to send? If so...

2) How exactly (in complete newbie terms) do I verify that I received the coins considering all the above (that I'm creating a secure paper wallet and that I'm not supposed to connect to the internet etc)?

3) Are there any steps above which need improvement / correction?

Thank you so much for the help! And yeah, of course, anyone can chime in!

receive tab shows you the first address in your wallet that has not yet received any coins (or in other words is unused). your addresses tab contains all your addresses and you can manually select any address from that list that you like. which could be useful when you have a cold storage which is not connected to the internet to sync so the "receive tab" doesn't know which address is unused and will always show you the first address.
the QR code is shown right there at the right side if the screen in your receive tab. in your addresses tab you can right click each address and select their Details option, there is a QR button in that new window.

read this for more details about how to receive coins, see you have received them and spend them later: https://electrum.readthedocs.io/en/latest/coldstorage.html
i also strongly suggest trying things using the testnet.

Ahh OK. So this (https://imgur.com/8kFEcg5) then. Clicking on "details", I see   "address" and "public key" (https://imgur.com/DMYat00), what's the difference in their usage?

In context of creating watching-only wallet, you only can use "address" and "master public key". But you better use "master public key" since you don't need to worry about newly generated address or importing "address" one by one.

Two possibilities. The easiest way is to simply look up the address you have sent to in a block explorer such as blockchair.com. The better way is to export your master public key from your Electrum wallet after writing down your seed, and then later install Electrum on your main OS with Internet access and create a new wallet using your master public key. This new wallet will show all the addresses which are stored in your paper wallet, but won't be able to spend from any of them.

Make sure that all connectivity, not just WiFi, is disabled (ethernet cables, Bluetooth, etc.) I also like to physically disconnect the relevant hardware and the hard drive if possible.

I like you' explanations o_e_l_e_o!

I'm not quite getting how to use "public key vs address vs private key". Can you help me understand their usage?

Private keys let you sign transactions. As the name suggests, they must be kept private. If anyone else accesses your private keys, then they can move your coins.

Public keys are derived from private keys through a process called elliptic curve multiplication. Every private key will generate one public key in normal use. Public keys let you look at the coins stored on them, but not move them.

Addresses are derived from public keys through a process of hashes and calculating checksums. Every public key can create multiple addresses - a legacy, a nested segwit, and a native segwit. Addresses are generally how we interact with bitcoin - we send them to addresses, and we receive them to addresses. In fact, it is entirely possible to send and receive bitcoin without ever seeing a private key or a public key - your wallet handles all this automatically in the background. You just need to know which addresses of yours have bitcoin at them, and which addresses you want to send bitcoin to.

Generally a wallet will contain one type of address (legacy, nested segwit, or native segwit). It will contain a list of private keys derived from the seed phrase, each private key will derive one public key, and each public key will derive one address.

Other terms I've used are master private key and master public key.

Your master private key (or xprv) is a key which can derive all your other private keys, and therefore all your public keys and addresses too, in that wallet.

Your master public key (or xpub) is a key which can derive all your other public keys and addresses in that wallet, but importantly, not your private keys.

Hope that helps. There is more good info here: https://learnmeabitcoin.com/beginners/keys_addresses

Thank you so much! It helps a lot. So signing transactions...when do I need to do that?

signing a transaction is what you do when you want to spend your bitcoins.
you can create the transaction elsewhere (in this case online) without the signature part, then transfer it to the offline/cold storage and sign it there where your private keys are kept then bring the signed result to the online machine and broadcast.
when both are online (like a hot wallet) you just enter the destination address and amount then click send. the wallet creates the transaction, signs it and broadcast the result.

Aaaaand off to Google, again. Ugh

Signing a transaction simply proves to the network that you own the private keys of the addresses you are trying to spend from.

I could create a transaction which says to move all your bitcoin to an address I own. However, because I do not have access to your private keys, I could not sign the transaction and therefore it would be invalid and would be rejected by the network and not transmitted nor mined.

You could take the same transaction and sign it. What that does is it combines the transaction with the private keys related to the addresses you are trying to spend from and some other random data, performs some mathematical processes, and generates a digital signature. Your wallet then combines that digital signature with the transaction before broadcasting, which makes your transaction valid and therefore will be transmitted through the network.

For convenience, you might really want to use the master public key to create a watch-only wallet on your network-connected PC.
You'll see incoming transactions and will be able to check the balance of your paper wallet.

Basically, you can do everything you could do with a "normal" wallet except for signing transactions (sending BTC).

That way, you'll be able to verify that you received coins to your paper wallet by simply looking at your watch-only wallet. Further, you'll be able to create new addresses (which are all part of your paper wallet) without the risk of compromising your private keys.