I am considering only a single key, seeds are not an option for my application. My wallet generates them and allows me to export private keys as a text string. I then want copy-paste these into a QR code generator to make QR codes and print the codes + text strings as public/private key pairs. Is this simply too compromised? What can I do to improve this short of abandoning this approach entirely?
unless the tool you are using already offers QR code generation, using third party tools to generate that QR code requires extra care. and again you should be doing all of this offline. for example you could download
https://github.com/pointbiz/bitaddress.org and run it offline, after generating the key you can store the QR image it generates. other wallets usually support QR codes too. for instance Electrum lets you see your private keys as QR (but not seed)
The generator of my keys is a wallet, so while it can be temporarily physically disconnected, it cannot be permanently so to broadcast tx's to the world. Ideally internet-facing elements have only public read-only keys and private keys are kept back in paper wallets (the purpose of this thread). Since my goal is to input keys into this wallet via QR codes, including private keys, there will have to be a camera which is a source of compromise at some point. Should the wallet be air gapped completely and the tx text be transmitted somehow to a node for broadcast? This is where it gets tricky for me.
paper wallet is meant for long term storage not for what you are trying to do. what you want is called "cold storage" and you don't need to enter your private keys. you just need 2 pairs of wallets. one called watch only wallet containing your "addresses" and the other the cold storage containing your "private keys".
here is the process (you need 2 machines, offline and online):
1. offline: create the wallet. back up the seed/key,... and copy the public key (or extended public key if it is HD). this wallets acts as a holder of your keys responsible for signing.
2. online: transfer the public key to this wallet. this wallets acts as communicator that receives transaction history and creates unsigned transactions and broadcasts signed ones.
3. online: sync! create a transaction, copy it.
4. offline: transfer the unsigned tx here and sign it
5. online: transfer the signed tx here and broadcast it
this way your private keys don't exit the cold storage (offline computer) and remain safe. your online computer only has your public keys which don't reveal anything sensitive.
https://docs.electrum.org/en/latest/coldstorage.htmlAs I said, seeds are out, full stop. I fully appreciate the value of seeds, but not this time. I see walletgenerator.net allows BIP38 and ASC256 encryption of keys but I don't see any means to decrypt them later. Again I am using keys generated from my wallet and not walletgenerator.net or elsewhere. I am trying to secure these keys beyond them just sitting on a HD pretty much in the clear.
i haven't used walletgenerator ever so i don't know. bitaddress however has a BIP38 encrypt, decrypt option. for example you can open the website and check this as a test (i created a random key for testing, don't use it for anything else)
encrypted key:
6PYUDooqhmWv2ckea8VpiE1L3QPxLJkccL9zwvzR5xokoSX22erzTxvxDj
go to wallet details tab and enter the key in first box and click wallet detail and enter the password in second box:
you'll see the decrypted key
L3rpBTskKNtZHf9UHV4v1MSAfbZYNyRr75wKFnia4nZn5sigqe9p
encryption is the same, enter the key (L3rp...) check the passphrase checkbox and enter a strong password (123 here for testing only) the encrypted key is going to be at the bottom.