How do I make a cold wallet securely?

[Phantom Investor]

Hello there. I know that with bitaddress.org you can make a private key and a bitcoin address...but I don’t know how safe it is. What are other alternatives?

Regards

[1714604201]

1714604201

[1714604201]

1714604201

[1714604201]

1714604201

[1714604201]

1714604201

[1714604201]

1714604201

[1714604201]

1714604201

[Caiapfas]

If you are talking about a real cold BTC wallet, then it's secure as it gets.

https://www.bitcoin.com/get-started/setting-up-your-own-cold-storage-bitcoin-wallet/

But you might want to think about keeping it at Coinbase.com with 2FA and related security so if you need to sell it fast...

[Charles-Tim]

You can make use of paper wallet by using bitaddress.org, it is save as long as it is offline, but only one private key is generated by such wallet with a single address. So, you can not use it for making transactions than to just hold coin on the wallet and let it remain offline.

For making transactions and for ease, the best you can do is to by hardware wallet like trezor or ledger nano. Or, if you have a device like a phone that you are not making use of again, you can set up an electrum cold wallet on it, while you will need another phone as watch-only wallet. To do this, you can follow the quote below:

Okay, here's the procedure to create a cold-storage mobile Electrum wallet:

• 1. Install Electrum on both devices, and create a standard wallet on the "cold storage" device, that will be your main wallet that contains all the keys and shouldn't be connected to the internet even once (a newly formatted device/new device is better).
  Make sure that the seed was saved in a physical backup like a piece of paper.
• 2. Click the wallet's name on top of the screen and click "Master Public key" twice to open the QR code.
• 3. On the online phone, create a new wallet using the option "Standard Wallet->Use a master key", then click the camera icon to scan the cold-storage wallet's QR code.
  This will create a watch-only wallet version of your cold-storage wallet.
• 4. Confirm if the address in the receive tab is the same.

Now to use those wallets:

• You just have to create a transaction using the online watch-only wallet using the send tab.
• Fill out the recipient, amount, etc. then, click pay (select if you want to opt-in RBF, yes) and click the QR code icon below.
• In the cold-storage wallet, go to send tab and click the camera icon on the right side and scan the other device's QR code.
• The transaction will be imported to the cold-storage wallet, now click option->sign (enter your pin) and it will be marked as "signed" above.
• Click the QR code icon, then scan this using your online watch-only wallet and the signed transaction will be imported and now you can use options->broadcast button to send it to the network.

If you're not familiar with Electrum's defaut bitcoin denomination, you can change it from mBTC to BTC in the settings->denomination.

But you might want to think about keeping it at Coinbase.com with 2FA and related security so if you need to sell it fast...

Coinbase.com is not a cold wallet, also not even a wallet that gives users private key. Not recommended in this case, adn it is worth knowing that not your key not your coin on blockchain.

[kano]

Using any device like a phone, a tablet, or a computer running windows or macos is a risky thing to do.
ANY online site is even worse.
They all have major security issues about your information and what you type into them.

An offline computer, running ubuntu, would be one way to securely generate a wallet:
Ensure the wallet is created with a pass phrase, dump the keys (and be sure you have the private keys all written down/printed correctly) then wipe the computer HDD.
(don't use an SSD, since most people don't understand how to properly wipe an SSD)

[BitMaxz]

If you want to make a cold wallet safe and secured you can use any device but you should never connect it to the internet.

Sample Electrum for Windows OS(Laptop or PC) you can download the wallet from electrum.org from another device that is connected to the internet and transfer the electrum installer to your offline PC/laptop. After you install Electrum you can now make your own wallet while offline.

Then to verify that the wallet you created is fine you can deposit one of the addresses from your wallet for the small amount and send them again to another wallet and make an unsigned transaction through coinb.in/#newTransaction
And transfer the raw/hex that you generated from coinb.in to your offline laptop/PC and load it to your Electrum wallet to sign the transaction and transfer the raw/hex through USB again back to the online device and paste the raw/hex to https://coinb.in/#broadcast

It's just like this image below.

[mk4]

If you think you don't have the knowledge to create a paper wallet through an air-gapped device running tails, please, save yourself the headaches and just purchase a hardware wallet like a Ledger[1] or a Trezor[2]. People mostly think that just because a paper wallet is offline that they're already safe, even though a lot of people mess up the process by leaking the private keys while generating the wallet.

[1] https://ledger.com/
[2] https://trezor.io/

[kano]

If you want to make a cold wallet safe and secured you can use any device but you should never connect it to the internet.
...

Alas most people end up putting their device back online at some point, so avoid devices that log everything you do and send it out to the internet.
That includes windows and macos.

Thus the reason as I said above, to wipe the computer HDD after you generate and print the information.

Of course there are more secure ways to do this, but alas that is beyond the cost or abilities of most people.

Hardware wallets depend upon the company who made them, or worse, their distributors, thus you have an obvious point of risk there.
This has already been used in the past to access people's bitcoins in hardware wallets.

[Phantom Investor]

Using any device like a phone, a tablet, or a computer running windows or macos is a risky thing to do.
ANY online site is even worse.
They all have major security issues about your information and what you type into them.

An offline computer, running ubuntu, would be one way to securely generate a wallet:
Ensure the wallet is created with a pass phrase, dump the keys (and be sure you have the private keys all written down/printed correctly) then wipe the computer HDD.
(don't use an SSD, since most people don't understand how to properly wipe an SSD)

Hello there. Could you please go into more depth on what I need to do with Ubuntu? Some steps would be most helpful...thanks.

Regards

[jseverson]

Using any device like a phone, a tablet, or a computer running windows or macos is a risky thing to do.
ANY online site is even worse.
They all have major security issues about your information and what you type into them.

An offline computer, running ubuntu, would be one way to securely generate a wallet:
Ensure the wallet is created with a pass phrase, dump the keys (and be sure you have the private keys all written down/printed correctly) then wipe the computer HDD.
(don't use an SSD, since most people don't understand how to properly wipe an SSD)

Hello there. Could you please go into more depth on what I need to do with Ubuntu? Some steps would be most helpful...thanks.

Regards

Not the person you replied to, but in a nutshell:

• Install Ubuntu in something that will never go online (Old PC, small partition, a persistent flash drive, etc.)
• Download the Appimage from electrum.org, put it on a flash drive
• Transfer the Appimage to your offline Ubuntu, run it, then create a wallet -- it's now effectively a cold wallet
• To find out how you can use your cold wallet, refer to Electrum's documentation

If you are able to make sure that your Electrum copy is clean, your Ubuntu device will never go online, and that your seeds are secure, you'd basically have an impenetrable wallet.

Edit: I realized kano wants you to delete the wallet altogether; it's a bit safer since you won't need to worry about your device being compromised physically, but also means you will need to restore your wallet to spend from it. If you decide to do this instead, simply format whichever device you chose to use after setting up a watching-only wallet from the link I shared above.

[ranochigo]

Edit: I realized kano wants you to delete the wallet altogether; it's a bit safer since you won't need to worry about your device being compromised physically, but also means you will need to restore your wallet to spend from it. If you decide to do this instead, simply format whichever device you chose to use after setting up a watching-only wallet from the link I shared above.

To simplify the process, you could use Tails. A benefit is that if you want to also wipe the wallet in the process, you can use their secure wipe which overwrites the partition so that it is irrecoverable. There's a guide within the Electrum's docs to document the process[1].



[1] https://github.com/spesmilo/electrum-docs/blob/master/tails.rst

My take is that, if you have some funds but don't want to splurge on a Hardware wallet yet. You could try getting a Raspberry Pi and setting it up as an airgapped wallet. While it can't offer comparable security to most hardware wallets, it does offer sufficient security for the price and the effort you take to set it up.

I've used mine on a Raspbian Image and it has been working pretty well so far.

[thecodebear]

For my long term Bitcoin I just use paper wallets. I've got a few different addresses and just wrote down the private keys and addresses, then encrypted them just using a basic pattern I came up with which simply exchanges certain characters for certain other characters, then wrote down the encrypted keys and addresses (I encrypt the address so that if someone someone physically got there hands on this piece of paper they wouldn't even be able to see how much bitcoin I have, let alone access any of it, sure its overkill but whatever), so that nobody that saw it would actually be able to access the bitcoin. I keep one of these papers with the encrypted keys and addresses, and I gave three copies to family members so I don't lose my entire net worth if I lose a piece of paper haha.

To me this way makes the most sense for storing crypto you don't plan on moving for a long time. I don't have to worry about software bugs and security flaws in hardware wallets, I don't have to worry about forgetting my keys, I don't have to worry about a hot wallet getting hacked, I don't even have to worry about the incredibly unlikely scenario of someone getting their hands on my physical paper wallet. Total security as long as you make copies and leave them with people you trust to not throw the piece of paper away.

[kano]

Aside - I always recommend the Core Wallet.
The code is not hidden in any way, verified by many, and you can download it directly from the link usually shown at the top of every web page here.

i.e. install ubuntu on to some computer with a HDD (not an SSD)
Download bitcoin core for linux from bitcoin.org to the desktop.
Disconnect it from the internet forever (or until you wipe the HDD)

Then you can install core from the download, create/setup a password protected wallet, and then generate as many addresses as you please.
Dump the private keys to whatever media you feel safe about.
Paper of course has the risk that anyone who can access it can read it, and encrypted USB drives have the risk of losing access to the USB due to losing it, breaking it, or forgetting the password.
Then (as already mentioned) either never connect it to any network ever again, or wipe the HDD after you are sure you've made a reliable copy of the private keys you want for cold storage.

There of course is always the risk that you lose those keys - but that's up to you how you store them and ensure you don't lose them.

[shane_gr]

Hello. You can find different types of hardware wallets with a few simple searches.
And about the security of these wallets, I must say that they are better than virtual wallets, and you should not say your information anywhere to have your wallet in complete security.

[hatshepsut93]

An offline computer, running ubuntu, would be one way to securely generate a wallet:
Ensure the wallet is created with a pass phrase, dump the keys (and be sure you have the private keys all written down/printed correctly) then wipe the computer HDD.
(don't use an SSD, since most people don't understand how to properly wipe an SSD)

It's simpler to just remove your hard drive and use a live OS, especially Tails, since Tails will automatically delete all session data. And I would never print a private key, who knows what sorts of backdoors and security vulnerabilities a printer might have?

People mostly think that just because a paper wallet is offline that they're already safe, even though a lot of people mess up the process by leaking the private keys while generating the wallet.

I'm amazed that after so many years, people still that paper wallet in the form of printed-out private key is the best way to store their coins.

If you are talking about a real cold BTC wallet, then it's secure as it gets.

https://www.bitcoin.com/get-started/setting-up-your-own-cold-storage-bitcoin-wallet/

But you might want to think about keeping it at Coinbase.com with 2FA and related security so if you need to sell it fast...

Don't promote this scam website.

[mk4]

People mostly think that just because a paper wallet is offline that they're already safe, even though a lot of people mess up the process by leaking the private keys while generating the wallet.

I'm amazed that after so many years, people still that paper wallet in the form of printed-out private key is the best way to store their coins.

As far as I know it's the "free" factor knowing that you don't really need a hardware wallet of some sort, knowing that all you need is a computer and a printer; and the somewhat false(or sort of misleading) sense of security a lot of guides and articles give their users. That just because paper wallets are offline(but not necessarily unleaked), it automatically means it's "secure".

[hatshepsut93]

As far as I know it's the "free" factor knowing that you don't really need a hardware wallet of some sort, knowing that all you need is a computer and a printer; and the somewhat false(or sort of misleading) sense of security a lot of guides and articles give their users. That just because paper wallets are offline(but not necessarily unleaked), it automatically means it's "secure".

I always find it strange that people call them "paper wallets", but don't say "USB stick wallets" or "Blu-ray wallets" or "SD card wallets". Putting accent on "paper" just shifts attention from the most important part - how the private keys are generated, and how they are used to make transactions. I feel like some people think that if they don't store their private keys on hard drive, they already have an offline wallet, and this is a really dangerous thing to think.

[kano]

An offline computer, running ubuntu, would be one way to securely generate a wallet:
Ensure the wallet is created with a pass phrase, dump the keys (and be sure you have the private keys all written down/printed correctly) then wipe the computer HDD.
(don't use an SSD, since most people don't understand how to properly wipe an SSD)

It's simpler to just remove your hard drive and use a live OS, especially Tails, since Tails will automatically delete all session data.

Live linux with no HDD has the obvious issue that you can NEVER reboot the computer or allow a power failure to happen, until you have fully verified you have the keys correctly on some other media.
Instead, as I suggested, having it temporarily on a HDD, in a password encrypted wallet, allows you to safely decide when you no longer need the computer wallet.

You should point that out if you are going to tell people to use that option.

And I would never print a private key, who knows what sorts of backdoors and security vulnerabilities a printer might have?

Who knows what backdoors and security vulnerabilities every motherboard in every computer might have?
So you shouldn't use any computer?

[ranochigo]

It's simpler to just remove your hard drive and use a live OS, especially Tails, since Tails will automatically delete all session data. And I would never print a private key, who knows what sorts of backdoors and security vulnerabilities a printer might have?

Perhaps just unnecessary paranoia but there is a way to mitigate this. Some pretty cheap printers has no capabilities to connect to the internet and would thus not be able to transmit any information other than through the cable. Printers do store cache so I imagine that'll be an issue. If you really are that paranoid, you can destroy the printer after use/use it exclusively for paper wallets.

[hatshepsut93]

Live linux with no HDD has the obvious issue that you can NEVER reboot the computer or allow a power failure to happen, until you have fully verified you have the keys correctly on some other media.
Instead, as I suggested, having it temporarily on a HDD, in a password encrypted wallet, allows you to safely decide when you no longer need the computer wallet.

Live OS can have persistent storage too, so it's not that different from a hard drive. Also, OP is talking about cold wallets, so there's some time between the creation of the wallet and the first incoming transaction, so sudden power failure is unlikely to cause big problems - the only risk here is some complete noob just forgets to backup the wallet.

Who knows what backdoors and security vulnerabilities every motherboard in every computer might have?
So you shouldn't use any computer?

Printers are connected to the Internet these days, and they are much less commonly audited than motherboards or CPUs.

Perhaps just unnecessary paranoia but there is a way to mitigate this. Some pretty cheap printers has no capabilities to connect to the internet and would thus not be able to transmit any information other than through the cable. Printers do store cache so I imagine that'll be an issue. If you really are that paranoid, you can destroy the printer after use/use it exclusively for paper wallets.

Or just use a mnemonic seed and write it down on paper, or use some of those steel plate solutions if you're really paranoid.

[kano]

...

Who knows what backdoors and security vulnerabilities every motherboard in every computer might have?
So you shouldn't use any computer?

Printers are connected to the Internet these days, and they are much less commonly audited than motherboards or CPUs.
...

So are computers connected to the Internet these days ... that was the point of not connecting it to any network, as I stated.
Connecting the printer to any network of course violates that idea also.