This is a guide of how to generate (relative) secure paper wallets Everyone is invited to suggest improvements, make it easier, more robust, provide alternativers, comment on what they like or not, and also critizice it.
Also, this is a disclaimer: I'm new to all of this. First, I didn't buy a hardware wallet because they are not produce in my country and I couldnt' trust they are not tampered. So the other way was to generate it myself. (Not your keys not your money) I've instructed myself several weeks reading various ways of generating wallets (including Glacier). As of now, I think this is THE BEST METHOD for a non-technical person which is high security and low cost and not that much lenghty.
FAQs:Why I didn't use Coleman's BIP 39 mnemonic method? Basically, I dont know how to audit the code. As a downside, we will have to really write down accurately our keys having in mind that a mistype is fatal. Also, we should keep in mind that destruction of the key is fatal as well. The user has to secure the key from losing the keys, theft and destruction.
Lets startYou'll need:
- an old computer without hard drive that will never touch the internet again.
- a USB stick of 8gb or more or CD (never use this USB again for other purposes or connect it to an online computer)
- a Dice (for using coins you will need to flip it 256 times and convert Binary to HEX)
Notes: We will be following
https://www.swansontec.com/bitcoin-dice.html guidelines. We will be creating our own random key instead of downloading BitAddress javascript for safety reasons. Following this guideline lets you audit the code that will create the public address and bitcoin address. Its simple, short and you can always test the code by inputting a known private keys to tell if the bitcoin address generated is legit or not. This process is done offline, so your private key never touches the internet.
Steps1. Download the
bitcoin-bash-tools and
dice2key scripts from Github, latest
Ubuntu distribution, and
LiLi, A software to install Ubuntu on our flash drive (easier than what is proposed on Swansontec)
2. Install the live environment in a CD or USB, and paste the tools we are going to use inside of it (they are going to be located in file://cdrom)
<li>Open up LiLi and insert your flash drive.</li>
<li>Make sure you’ve selected the correct drive (click refresh if drive isn’t showing).</li>
<li>Choose “ISO/IMG/ZIP” and select the Ubuntu ISO file you’ve downloaded in the previous step.</li>
<li>Make sure only “Format the key in FAT32” is selected.</li>
<li>Click the lightning bolt to start the format and installation process</li>
https://99bitcoins.com/bitcoin-wallet/paper/ Open the Ubuntu environment in a offline computer that will never touch the internet again (there is some malware that infect the BIOS so doing it in your regular computer is not safe to my understanding)
Restart your computer. Clicking F12 or F1 during the boot-up process will allow you to choose to run your operating system from your flash drive or CD. After the Ubuntu operating system loads you will choose the “try Ubuntu” option.
4. Roll the dice 100 times and convert into a 32-byte hexadecimal number by using
dice2keyTo generate a Bitcoin private key using normal, run the following command to convert the dice rolls into a 32-byte hexadecimal number:
source dice2key (100 six-sided dice rolls)
5. Run
newBitcoinKey 0x + your private key and it will give you your: public address, bitcoin address and WIF.
Save the Private Key and Bitcoin Address.
Check several times that you handwritten it correctly. You can check by re entering the code in the console from your paper. (I recommend writing down the Private Key which is in HEX and not the WIF since this one is key sensitive and you can lose it, or write it wrong. Also, out of the private key you can get the WIF which will let you transfer your funds). If you lose your key, you lose your funds. Be careful.
If auditing the code for this is not enough for you, you can also test the code by inputting a known private keys to tell if the bitcoin address generated is legit or not.
I recommend you generate several keys and addresses as this process is not super easy to do. Remember that you should
never reuse your paper wallets (meaning that you should empty all of the funds from this one adress if you are making a payment). As such, a couple of addresses come handy.
At this point, there should be no way for information to leak out of the live CD environment. The live CD doesn't store anything on the hard disk, and there is no network connection. Everything that happens from now on will be lost when the computer is rebooted.
Now, start the "Terminal" program, and type the following command:
source ~/bitcoin.sh
This will load the address-calculation script. Now, use the script to find the Bitcoin address for your private key:
newBitcoinKey 0x(your dice digits)
Replace the part that says "(your dice digits)" with 64 digits found by rolling your pair of hexadecimal dice 32 times. Be sure there is no space between the "0x" and your digits. When all is said and done, your terminal window should look like this:
ubuntu@ubuntu:~$ source ~/bitcoin.sh
ubuntu@ubuntu:~$ newBitcoinKey 0x8010b1bb119ad37d4b65a1022a314897b1b3614b345974332cb1b9582cf03536
---
secret exponent: 0x8010B1BB119AD37D4B65A1022A314897B1B3614B345974332CB1B9582CF03536
public key:
X: 09BA8621AEFD3B6BA4CA6D11A4746E8DF8D35D9B51B383338F627BA7FC732731
Y: 8C3A6EC6ACD33C36328B8FB4349B31671BCD3A192316EA4F6236EE1AE4A7D8C9
compressed:
WIF: L1WepftUBemj6H4XQovkiW1ARVjxMqaw4oj2kmkYqdG1xTnBcHfC
bitcoin address: 1HV3WWx56qD6U5yWYZoLc7WbJPV3zAL6Hi
uncompressed:
WIF: 5JngqQmHagNTknnCshzVUysLMWAjT23FWs1TgNU5wyFH5SB3hrP
bitcoin address: 113Pfw4sFqN1T5kXUnKbqZHMJHN9oyjtgD
ubuntu@ubuntu:~$
The script produces two public addresses from the same private key. The "compressed" address format produces smaller transaction sizes (which means lower transaction fees), but it's newer and not as well-supported as the original "uncompressed" format. Choose which format you like, and write down the "WIF" and "bitcoin address" on a piece of paper. The "WIF" is just the private key, converted to a slightly shorter format that Bitcoin wallet apps prefer.
Double-check your paper, and reboot your computer. Aside from the copy on the piece of paper, the reboot should destroy all traces of the private key. Since the paper now holds the only copy of the private key, do not lose it, or you will lose the ability to spend any funds sent to the address!
ConclusionWith this method you are creating an airgapped environment that will never touch the internet. Also, we are checking that the code we use its not tampered. If this is followed strictly I see
virtually no chances of your keys being hacked.
How to spend your funds from a securely generated paper wallet.Almost all tutorials seen online, will let you import or sweep you private keys into the desktop wallet or mobile wallet which are hot wallets. In the meantime, you are exposed and all of your work to secure the cold storage is being thrown away. This method will let you sign the transaction offline (you will not expose your private key in an online system).
You'll need:
- your phone (android) or another computer
- your computer
The source of this method is taken from CryptoGuide from Youtube
https://www.youtube.com/watch?v=-9kf9LMnJpI&t=86s . Basically you can follow his video as it is foolproof. Please check that Electrum distribution is signed.
The summarized
steps are:
Download Electrum on both devices and check its signed for safey.
Disconnect your phone from the internet (flight mode= All connections off) and input your private key in Electrum
Generate the transaction in your desktop and export it via QR (never leave unspent BTC or you will lose them)
In your phone, open Electrum > Send > QR (this will import the transaction) and scan the desktop exported transaction
Sign the transaction in your phone.
Export the signed transaction in QR
Load the signed transaction in the desktop Electrum and broadcast it to the network.
Wait until 3 confirmations to connect your phone to the internet again.
Ideas for improvement:- It would be a good idea to install (I dont know how) a QR generator in Ubuntu to scan the WIF with our airgapped phone and make it easier to import the key.
- Multisig can be a really good option to implement.
- Im not sure if Electrum is 100% safe. I've used it and it has worked for me but I read several people recommending using Bitcoin's platform directly.
So thats it. I hope someone can find this helpful or help in creating a better method. If you like, you can
donate at 1Che7FG93vDsbes6NPBhYuz29wQoW7qFUH
