GUIDE: Securely storing large amounts of bitcoin (brain wallet/paper wallet)

[100x]

I wrote most of this guide a while back, and decided to finally finish it. The main goal here is to have a relatively simple way of creating a secure offline wallet entirely in your control. The methodology below avoids having to install additional software or download the whole blockchain to a dedicated offline computer (which is required with some offline storage methods). After practicing a few times, the steps below can be executed from scratch in 15-30 minutes.

Please let me know if you have feedback on how to make it better! Also, I highly recommend trying the whole process several times with small amounts until you are comfortable with it and understand all of the steps.

Creating a secure offline bitcoin wallet

• Step 0:
  This is step is for brain wallets only.
  
  Spend some time thinking of a secure, memorable passphrase.
  The passphrase MUST BE something unique to you with at least 8 words. DO NOT USE something from a book, movie, poem, etc.
  Basically, if the passphrase can be found in (or easily generated from) any existing media, your funds will be at risk.
  
  An example of a decent passphrase formula:
  [your mother's birthday multiplied by your favorite number] +
  [every other word of some obscure phrase that holds special meaning to you] +
  [your home phone number when you were a kid] +
  [the first 5 words of your best freshman year english paper, ASSUMING IT ISN'T SEARCHABLE ONLINE]
  
  You should save clues to this passphrase that are only helpful to you in several safe places.
  Also practice regenerating the private key using the passphrase on a regular basis (every month or so), just to make sure the phrase stays fresh in your mind.
  
  
• Step 1:
  Buy two USB sticks.
  
  
• Step 2:
  Download ubuntu desktop ISO (12.04 is current Long-term supported version, at the time of this writing)
  http://www.ubuntu.com/download/desktop
  
  
• Step 3:
  Download a USB linux installer.
  http://www.pendrivelinux.com/universal-usb-installer-easy-as-1-2-3/
  
  
• Step 4:
  Plug in brand new USB, and run the USB linux installer program (from step 3) to install a fresh copy of linux OS on the USB drive.
  Select the linux version matching the iso you downloaded, press create (see pendrivelinux.com instructions).
  
  
• Step 5:
  Save the bitaddress.org webpage to the second USB (or to your desktop).
  
  
• Step 6:
  THIS IS VERY IMPORTANT: Make sure networking/internet is completely off/disconnected.
  Turn off PC, and then re-boot from linux OS on your USB.
  To do this, I had to press the f2 during system load screen (specific key may differ by manufacturer).
  
  
• Step 7:
  Locate your offline copy of bitaddress.org (from second USB or harddrive).
  
  If creating a brainwallet, then go to the brainwallet tab, and input your secure passphrase to generate your new private/public key.
  Quadruple check for typos and correctness. Record the public key(s) and save them in a few places.
  You can start by copying the new public addresses to a text file on your second USB.
  You do not need to keep the public keys private, unless you don't want people knowing what address has your coins.
  
  If creating a paper wallet, then navigate to the paper wallet tab. Print out as many paper wallets as you need.
  I recommend make a few copies of each and storing them safe places (locked, fireproof safe in your closet, parent's house, bank deposit box, etc).
  
  NOTE: you may wish to repeat this step several times, so that when accessing/redeeming a savings wallet only part of yovery,avings are at hand, and you do not have to repeat the offline wallet creation process.
  In a perfect world, you shouldn't re-use a long term savings address that has been spent from.
  
  
• Step 8:
  Fully wipe the USB stick. This isn't 100% necessary, but if you are feeling extra paranoid, it won't hurt. The main drawback to doing this is that you then must re-install linux onto the USB (step 4).
  
  

Securely spending your offline funds

• Step 1:
  See steps 1-4 above.
  
  
• Step 2:
  In addition to bitaddress.org, save a local copy of brainwallet.org to your second USB or hard drive.
  
  
• Step 3:
  Save to your extra USB (or hard drive) the receiving address that you wish to send your saved funds to.
  
  
• Step 4:
  Retreive transaction history for your savings address by replacing [YOUR_ADDRESS] in the following URL with your actual public key:
  http://blockexplorer.com/q/mytransactions/[YOUR_ADDRESS]
  Copy the transaction history (text on the page from above URL) to a text file and save to your extra USB.
  
  
• Step 5:
  THIS IS VERY IMPORTANT: Make sure networking/internet is completely off/disconnected.
  Turn off PC, and then re-boot from linux OS on your USB.
  To do this, I had to press the f2 during system load screen (specific key may differ by manufacturer).
  
  
• Step 6:
  Open offline copy of bitaddress.org
  Type in your memorized passphrase on the brainwallet tab to retrieve your private key.
  Copy this and close the page.
  Paper wallets can skip this step, simply type in the private key from your paper wallet.
  
  
• Step 7:
  Open offline copy of brainwallet.org, and navigate to transaction tab.
  Paste your private key into the correct field (labeled private key).
  Paste the receiving address (public key) you wish to send funds to into the destination address field.
  Open the text file containing the transaction history for your savings address that you are spending from.
  On the brainwallet.org page, click "edit input" and paste in the transaction history.
  Right above, it should say "Use history from" and give two options. Choose "Bitocin block explorer".
  The page should use the transaction history to figure out how much BTC you have available in your savings address.
  Double check this value. Then, input how much you want to send to the receiving address.
  Click the + button to add an additional receiving address.
  Take the left over coins (the "change"), subract a small fee and send that amount to a brand new savings address you have created.
  If you want, you can send the leftover amount back to the original address, but this is a tiny bit less secure (and reduces privacy).
  Input the small fee into the fee field. Triple check everything.
  If it looks good, click "re-sign" transaction and copy all the text in "raw transaction" field into a text file, and save this to your second USB.
  It is ok if someone sees this raw transaction data, they cannot steal your private key from it.
  
  
• Step 8:
  Turn off computer, remove the USB that has linux on it. Reboot to your normal OS, and reconnect to the net.
  Open the website https://blockchain.info/pushtx.
  Copy the "raw transaction" data from previous step into the big text field, and hit "submit transaction".
  Your funds are now on their way! You can track them by exploring your address with blockchain.info search.
  
  

Notes

• I very, very strongly recommend doing both processes listed above at least 2 or 3 times with SMALL amounts of bitcoin that you are comfortable losing. Do this until it all makes sense, and you understand what is going on.
  Then feel free to make you actual savings wallet! =)
  

[1714045990]

1714045990

[1714045990]

1714045990

[samaney]

Hi -

First of all, thanks a lot for such an informative post on paper wallets. That was something I was looking for.

Now, as a newbie - Foremost thing I would like to ask is - would it be a wise idea to create these paper copies without knowing how official Bitcoin clients - or - Electrum, Armory etc. work - or can I jump right on this issue directly?

I have some questions on this topic:

1. How can we know "bitaddress.org" and "brainwallet.org" are not compromised just as we were creating the Bitcoin addresses? If we do something wrong just in the beginning, then everything is gone alreadt, how much ever secure we are afterwards. Any way to make things much more secure? You know - just recently (yesterday?) bitcointalk was even under attack? More sensitive sites like "bitaddress" and "brainwallet" should attract attackers extremely more, although they should be more secure.

2. I understand that these "public adresses" are just like login names, and "private keys" are like passwords - am I getting it correct? So - after we create the public key and the private key - is there any way to verify the combination is correct? We can send the new addresses Bitcoins - but how can we understand we really have access to them, testing these offline, without sending our "public key" and "private key" online? Is there any way to check the correctness of the combination offline and is it really trustable? I mean - we can create the "public key" and the "private key" - then after creating it, can we verify if they are correct and is there any risk after years that something gone wrong and the funds are hold? (Whatever the "hold" means, it is "lost" actually, no one owns it. Or - should we verify them online? I plan to put these in envelope (many of same copies in one envelope) after cutting into two, putting them in 2 different bank vaults. I even plan to use 4 bank vault, 2 of them being backups. As if one of the parts is lost - the person getting it can not access them - but I too will lose the access. 2 backups are important.

3. We can always check the balances online, without the "public key" and "private key" for the peace of mind (as some of us will put them in vault and will not even ourselves look). Is that correct? How?

4. From your explanation:


"Paste your private key into the correct field (labeled private key).
Paste the receiving address (public key) you wish to send funds to into the destination address field."

You mean above by "private key", the private key of the sending public address? Then what I do not understand is, if we do not put the public address, how can we some sort or make some operation without entering the "public address" but just "private key"? Isn't it just like doing something with only our password without the login name in the general sense?

5. I will divide my Bitcoins into 40 accounts and send Bitcoins to all these addresses - I will create these all addresses at once carefully and after creating all of them, I will send the Bitcoins one by one to each account. Does this sound wise? Or is it better to create one public key, sending Bitcoins, creating another, and sending to it and another.... And goes on.? Which one is better?

I know - I have to increase my literature about all these Bitcoin issues - but right now I feel the urge to transfer the funds to my own bitcoin addresses other than having them remain in the local market maker. But while trying to make a smart move I would be worse off by losing all my funds doing something wrong and not having access to my bitcoins!!!

I should not be alone here - there would be lots of newbies after the recent price spikes becoming more familiar with Bitcoin with all these current publicity going around and getting into this !....

[Barek]

The methodology below avoids having to download the whole blockchain to a dedicated offline computer (which is required with Armory).

That's wrong. The offline Armory does not use the blockchain or bitcoin-qt. Very low system requirements.

Your steps look good, but probably are too complicated for the majority of users. Also it forces you to reuse one address.

If you plan to do frequent transactions and have enough space for block chain and Armory database, you should check out Armory.

[XBBlade]

I think this is a useful post anyways. Thanks I'll save it. When it's optimised with feedback from the crowd I would like to 'copy' it and mention you a author of this article on my blog. Would you approve this? Thanks in advance, and again, nice useful post. Thanks! 

[100x]

The methodology below avoids having to download the whole blockchain to a dedicated offline computer (which is required with Armory).

That's wrong. The offline Armory does not use the blockchain or bitcoin-qt. Very low system requirements.

Your steps look good, but probably are too complicated for the majority of users. Also it forces you to reuse one address.

If you plan to do frequent transactions and have enough space for block chain and Armory database, you should check out Armory.

Oh I didnt realize. I'll update the main post. I mainly chose this method because it doesnt involve additional software or hardware, simply a USB with linux on it.

In regards to the number of addresses, you just generate as many as needed. I personally don't spend any of my cold storage coins very often, so generating 5-10 addresses lasts me quite a while. For those who are wondering why this matters: when spending from your savings, it is good practice to send any change/leftover amount you aren't spending to a fresh offline address (this gives increased security and privacy).

I think this is a useful post anyways. Thanks I'll save it. When it's optimised with feedback from the crowd I would like to 'copy' it and mention you a author of this article on my blog. Would you approve this? Thanks in advance, and again, nice useful post. Thanks! 

Glad you found it useful! And sure go for it


@Samaney - I will answer your questions in full when I have a little more time. It is good you are taking the time to do your research!

[puck2]

Thanks! The only reason I've never created paper wallets is that I'm scared of sending them through my printer. I've heard that newer printers keep data or could have bugs... What is the best way to print securely?

[justusranvier]

The only reason I've never created paper wallets is that I'm scared of sending them through my printer. I've heard that newer printers keep data or could have bugs... What is the best way to print securely?

Forget about the printer - you should be worried about the security implications of exactly what is needed to spend your paper wallet.

[Dr Bloggood]

FUCKING AWESOME! OP, thanks so much, this was exactly what I was looking for!

Why has the USB stick to be brand new - can't I just erase everything and use the empty one?

The only reason I've never created paper wallets is that I'm scared of sending them through my printer. I've heard that newer printers keep data or could have bugs... What is the best way to print securely?

Forget about the printer - you should be worried about the security implications of exactly what is needed to spend your paper wallet.

How would you recommend spending your funds from a paper wallet?

Where are the risks in above process?

[justusranvier]

Spending a paper wallet means bringing the entire balance online. The right way to do cold storage is with offline signing.

[Dr Bloggood]

Spending a paper wallet means bringing the entire balance online. The right way to do cold storage is with offline signing.

What's offline signing?

[Abdussamad]

Brainwallets with human generated passphrases are a bad idea. Doesn't matter if it's offline or online they are just a bad idea period.

[BombaUcigasa]

Spending a paper wallet means bringing the entire balance online. The right way to do cold storage is with offline signing.

What's offline signing?

Generating transactions offline (without loading the keys in a connected wallet). You basically sign the transaction you want (send X amount to destination, the rest to yourself) with the private key (yourself) and public key (destination).

You then copy-pasta this transaction string (it's a long hex-encoded string like 3045022100c769e22e360f1bea319deab8cab482aeec6174da1dae206875f73245d579c8da02202 551c09708cad964e57b1f3068e96121870604d77cb46252dcb0d6f97ea1b61501 04dd7aac2e04d643e4a95d1a0ad0df3ab6eea1aeff0284aaad2f4eec6540922e640e717f1ac2d1f 2bf1664bb08b35d19f5eee909412621802c2669d77ced6a7703 ) onto a connected bitcoin client, and broadcast it to the network.

At this point, the transaction is checked and relayed by your peers. Please note that the offline client can't have the latest blockchain and tx pool from the live network and it won't validate your transaction. After you transaction is approved online, any inputs used in it on the offline client will be useless for new transactions.

The best way to do this is to connect a live client to the internet and update the blockchain, take a snapshot or clone the OS, take instance offline, load private keys or wallet, generate the transaction, save transaction, new private keys and new wallet, destroy instance, broadcast transaction.

Note that if you don't send paper wallet change to yourself or you don't save wallets correctly, you could lose the remainder of the bitcoins that you send to yourself.

[Joerii]

Brainwallets with human generated passphrases are a bad idea. Doesn't matter if it's offline or online they are just a bad idea period.

Why ?

[bitpop]

Step 0b. Now take that passphrase and sha512 it 100 times!

[Stevets]

The only reason I've never created paper wallets is that I'm scared of sending them through my printer. I've heard that newer printers keep data or could have bugs... What is the best way to print securely?

Forget about the printer - you should be worried about the security implications of exactly what is needed to spend your paper wallet.

I'm late to this thread because I'm new to bitcoin. But to answer your question, immediately after printing a paper wallet, follow these steps exactly. http://youtu.be/PywI0BOxJpI

[bitpop]

The only reason I've never created paper wallets is that I'm scared of sending them through my printer. I've heard that newer printers keep data or could have bugs... What is the best way to print securely?

Forget about the printer - you should be worried about the security implications of exactly what is needed to spend your paper wallet.

I'm late to this thread because I'm new to bitcoin. But to answer your question, immediately after printing a paper wallet, follow these steps exactly. http://youtu.be/PywI0BOxJpI

An erection with no affection

[kellrobinson]

Brainwallets with human generated passphrases are a bad idea. Doesn't matter if it's offline or online they are just a bad idea period.

Why ?

Rainbow tables, among other things.
Passphrases have a vulnerability many orders of magnitude greater than the ordinary passwords you are accustomed to using for your email accounts, online banking and such.  I won't go into the reasons here.
Passphrase strength is a function of entropy.  The concept of entropy can hardly even be applied to a passphrase generated by the human thought process.  Entropy applies to symbols (words, in this case) selected at random from a pool of such elements.
Taking diceware as an example, you have a pool of words (I think it's 7776) and select words from it randomly using dice throws.  There's some simple math you can use to calculate the number of bits of entropy you get by selecting x number of words from a pool of a certain size.  If you are serious at all about wanting to educate yourself, protect yourself and your money, then research this.  The information is all there, starting with a google search.
Using a random word selection process as described, you will know exactly how strong your passphrase is.  It is a function of the number of words in the pool, and the number of words in your passphrase.  Math doesn't lie, and it doesn't deceive you.
You can, however, deceive yourself if you imagine that selecting a passphrase through some flabby cognitive process has any rigor, strength or protective value.

[birr]

Revisiting this thread just to say I made a small test transaction.  It works as advertised.  The instructions are well written.  Just follow them meticulously, and your transactions should go through.
Just a couple of minor points I would like to mention.  In step 4 of the second section on how to spend, OP states
"Retreive transaction history for your savings address by replacing [YOUR_ADDRESS] in the following URL with your actual public key"
You don't need to paste the public key.  Just the address.  (If it matters to you, the address is a hash of the public key; you never really need to use the public key.)
Step 6 says type in the private key from your paper wallet.  Not to worry, if you make a typo it won't cause a problem.   The keys are generated with checksums, so changing a character or two is supposed result in an invalid key, and the transaction should not execute.  I'm not sure if there is some small possibility of a mistyped key actually turning out to be valid out of sheer chance.  But if it did, you wouldn't lose any coin, you would merely be subject to the inconvenience of redoing the transaction with the correct key.
BEWARE
The real danger is that you might make a mistake with the "change."  Be super-duper careful about the amounts sent to the destination address(es) and sent as fees.  If you don't understand how this works, don't attempt to use raw transactions.

[birr]

5. I will divide my Bitcoins into 40 accounts and send Bitcoins to all these addresses - I will create these all addresses at once carefully and after creating all of them, I will send the Bitcoins one by one to each account. Does this sound wise? Or is it better to create one public key, sending Bitcoins, creating another, and sending to it and another.... And goes on.? Which one is better?

You want to minimize the number of transactions per address.  For one thing, the transaction fee is a function of the number of bytes in a transaction.  So keep it simple.  
This principle applies to funding the cold storage addresses you create in your brain wallet or paper wallet, and even more so to the spending of it -- because you don't want to make a mistake with the change.
For savings (long term cold storage) make as many addresses as you want, but fund each address only once.  And when you spend, the best policy is to spend the entire amount in the address so you avoid problems with change going astray.
Put simply, for each address:  fund once, spend once.

[birr]

note, instead of using brainwallet.html, you can use this much smaller file, don't remember where I found it but I have used it to make a successful transaction.
Paste into a text editor and save it as an .html file, for example you could name it offlineTransaction.html
Clicking on the file will make it open in a browser (as stated, have wifi turned off etc. when you do this), and you can generate the transaction offline.  Then go back online, paste into blockchain.info/pushtx, and send your tx on its way.

<html>
<head>
<title>Untitled</title>
<script type="text/javascript" src="lib/events/eventemitter.js"></script>
<script type="text/javascript" src="lib/jsbn/ec.js"></script>
<script type="text/javascript" src="lib/jsbn/prng4.js"></script>
<script type="text/javascript" src="lib/jsbn/rng.js"></script>
<script type="text/javascript" src="lib/jsbn/sec.js"></script>
<script type="text/javascript" src="lib/jsbn/jsbn.js"></script>
<script type="text/javascript" src="lib/jsbn/jsbn2.js"></script>
<!--<script type="text/javascript" src="lib/crypto-js/crypto-min.js"></script>-->
<script type="text/javascript" src="lib/crypto-js/crypto.js"></script>
<script type="text/javascript" src="lib/crypto-js/ripemd160.js"></script>
<!--<script type="text/javascript" src="lib/crypto-js/sha256-min.js"></script>-->
<script type="text/javascript" src="lib/crypto-js/sha256.js"></script>
<script type="text/javascript" src="lib/bitcoin.js"></script>
<script type="text/javascript" src="lib/ecdsa.js"></script>
<script type="text/javascript" src="lib/eckey.js"></script>
<script type="text/javascript" src="lib/opcode.js"></script>
<script type="text/javascript" src="lib/paillier.js"></script>
<script type="text/javascript" src="lib/script.js"></script>
<script type="text/javascript" src="lib/transaction.js"></script>
<script type="text/javascript" src="lib/txdb.js"></script>
<script type="text/javascript" src="lib/util.js"></script>
<script type="text/javascript" src="lib/wallet.js"></script>
<script type="text/javascript" src="lib/address.js"></script>
<script type="text/javascript" src="lib/base58.js"></script>
<!--<script type="text/javascript" src="lib/exit/client.js"></script>-->

<script type="text/javascript" src="offlineTransaction.js"></script>
</head>

<body>

<form name="inputForm" method="get">
<strong>Transaction history:</strong><br>
<textarea name="transactions" cols="80" rows="20">
</textarea><br>
<strong>Private key in base 58:</strong><br>
<input name="privkey" type="text" size="80" Value=""><br>
<input type="button" name="button" Value="Parse" onClick="parseFormData(this.form)">
</form>
<strong>Address:</strong>
<div id="Address">(unknown)</div>
<strong>Balance:</strong>
<div id="Balance">(unknown)</div>
<br>
<form name="transactionForm" method="get">
<strong>Target address:</strong><br>
<input name="target" type="text" size="80" Value=""><br>
<strong>Amount:</strong><br>
<input name="amount" type="text" size="80" Value=""><br>
<strong>Fee:</strong><br>
<input name="fee" type="text" size="80" Value="0"><br>
<input type="button" name="button" Value="Generate" onClick="createTransaction(this.form)">
</form>
<strong>Transaction:</strong>
<form name="resultForm"><input name="Transaction" type="text" size="240" Value=""><br></form>



</body>
</html>