Bitcoin Forum
Topic: Cold storage best practices
hatshepsut93 (OP)
February 02, 2018, 01:21:50 AM
Last edit: February 02, 2018, 05:30:16 PM by hatshepsut93
Merited by achow101 (3), ABCbits (1), ruletheworld (1)
 #1

I believe that time has proven that keeping savings wallets on an online machine is a ticking bomb, and Bitcoin-stealing malware becomes more and more sophisticated, because it's very lucrative for criminals to steal Bitcoin (and other cryptocurrencies). Most people seem to choose hardware wallets for their offline storage, but some prefer using dedicated always-offline machines for this purpose, so let's discuss here what OS is the best for cold storage and how to use this setup properly.

My list of OS's:
Tails
Qubes
BitKey

My list of best practices:

1. When you are creating a new wallet on your offline machine which runs from live USB, it might be wise to wait a few minutes after boot so your /dev/urandom is properly seeded.

2. From my research, the best way to transfer unsigned/signed transactions is via reading their QR codes with digital cameras - this guarantees that no other data is transferred (correct me if I'm wrong).

3. If you are using USB or other drives to transfer unsigned transactions, it's important to do it BEFORE opening your wallet - this way an infected USB can't steal your private keys by reading them from memory, because there are no keys in the memory yet.

4. Light wallets like Electrum, while very convenient for cold storage setup (nice GUI and watch-only wallets), are bad for privacy, because their servers know your IP and all your addresses/transactions.


pebwindkraft
February 02, 2018, 10:01:48 AM
Merited by achow101 (3), ABCbits (3)
 #2

All steps to start thinking about/implementing a cold storage system are the right way to do it. You take ownership of your funds.
In my opinion security is always a trade-off. How much are you willing to invest, to protect assets?

My two cents in this discussion: think about the value to protect, and maybe take some analogies of real world:
small values are in my purse (wallet), with several bills and coins
monthly values are at my bank, because I trust them, and they have high walls around "my money" to protect it from being stolen
large/huge values (e.g. pension funds): I (might) trust a government, which has an army, to protect against neighbours coming in...

So the higher the value, the more needs to be invested into security.
Cold storage (any system, even hardware wallets) is the best way in getting started, and then based on the level of comfort and willingness many options come into the game. Operating system (you provided a good set, I'd like to add a BSD type OS), transfer methods (USB, Camera, sound ?), and finally wallets on top... maybe the next layer is how to protect your room or building against electro-magnetic fields. All a question of personal paranoia  Grin
hatshepsut93 (OP)
February 02, 2018, 05:45:07 PM
 #3

Quote from: pebwindkraft
> My two cents in this discussion: think about the value to protect, and maybe take some analogies of real world:
> small values are in my purse (wallet), with several bills and coins
> monthly values are at my bank, because I trust them, and they have high walls around "my money" to protect it from being stolen
> large/huge values (e.g. pension funds): I (might) trust a government, which has an army, to protect against neighbours coming in...

With cold storage you can have one accessible setup for monthly values, like a USB drive with Tails that you run off your home machine and use to receive your salary and fund your hot wallet, and for your savings you can make a very deep cold storage by splitting your wallet seed into shards with Shamir's Secret Sharing and storing them in multiple safe places.

Quote from: pebwindkraft
> ...maybe the next layer is how to protect your room or building against electro-magnetic fields. All a question of personal paranoia  Grin

Home users probably shouldn't worry about side-channel attacks, but big services certainly should, otherwise even their cold wallets might get hacked.

RGBKey
February 02, 2018, 11:53:08 PM
 #4

Cold storage isn't really a set of rules to follow, but more a range on a "security slider". I'd say it's cold storage as long as it's on an offline machine used only for signing, but you can get more paranoid from there too. Is the key stored on the computer, or is it stored on a metal plate or something?
hatshepsut93 (OP)
February 03, 2018, 02:47:53 AM
 #5

Quote from: RGBKey
> Cold storage isn't really a set of rules to follow, but more a range on a "security slider". I'd say it's cold storage as long as it's on an offline machine used only for signing, but you can get more paranoid from there too. Is the key stored on the computer, or is it stored on a metal plate or something?

Well, I'm not saying here that this is the only correct way to use cold storage, I'm simply gathering here all the practices that can make cold storage even more secure, and I hope more people will contribute here with their suggestions.

As for how to store keys, I think everyone should have multiple independent encrypted backups, preferably stored in different places. You can store your cold wallet file on the same USB you use to run your live OS off (Tails is very convenient for this, since it allows you to create persistent encrypted storage without any need for manual partitioning), you can encrypt your physical backups (piece of paper with the seed) with a Vigenère cipher or one-time pad entirely by hand, and you can also memorize your seed to always keep it with you (but never rely on memory as your only backup method!).

There's also an interesting method called steganography, which allows you to hide information in some files like pictures or audio, so you can hide your encrypted wallet in some other files and store it on your online machine or on the cloud, but this is for advanced users who know what they are doing.

jtipt
February 03, 2018, 12:33:52 PM
 #6

Quote from: RGBKey
> Cold storage isn't really a set of rules to follow, but more a range on a "security slider". I'd say it's cold storage as long as it's on an offline machine used only for signing, but you can get more paranoid from there too. Is the key stored on the computer, or is it stored on a metal plate or something?

Quote from: hatshepsut93
> There's also an interesting method called steganography, which allows you to hide information in some files like pictures or audio, so you can hide your encrypted wallet in some other files and store it on your online machine or on the cloud, but this is for advanced users who know what they are doing.

This is something that I have researched in the past, but I don't think it's a very efficient way; other than that, you will still be paranoid, because even if the key is encrypted and hidden it's still on a computer or in the cloud.
tokexchain
February 03, 2018, 02:10:45 PM
 #7

One thing to mention is that you should never take screenshots on your mobile device of wallet seeds or mnemonic keys; there is certain malware, or side intrusions of popular software, that will transfer these files for the wallet and coin ownership, and then you lose your coins. This is occurring, so be wary.