Scalable paper wallet

[bitcoiner180]

Hi, I would like to create a paper wallet, that is, I would like to create a usable private key and save it where and how I prefer.

The forum and the internet are full of guides that indicate how to do it with the most disparate methodologies but I haven't found one that places the emphasis where I would like.

I want to have the guarantee that my private key will always be usable, even in a long time when I eventually decide to spend the Bitcoins. I absolutely want to avoid discovering one day that the private key I saved is no longer supported by software wallets or even by the Bitcoin protocol.

I list the methods I have found so far and my doubts.

Hardware wallet: The hardware wallet seed phrase can only be used to recover my funds if I have a dongle from the same manufacturer as the hardware wallet. The flash drive purchased, being an electronic product, could over time degrade and break without warning, or it could fall into obsolescence (will my computer of the future support the USB standard?) and the manufacturer of the flash drive could go out of business. I would end up with a seed phrase that I wouldn't know how to use. I don't want to depend on a private company.

BIP32 + BIP39: it seems like the most practical and interesting solution but I don't really understand if the BIP39 standard has been officially recognized by Bitcoin protocol/Bitcoin Core and therefore I don't understand if I have a guarantee that in the future Bitcoin wallets will support the import of a wallet with a BIP39 seed. Furthermore, Electrum, for example, advises against the use of the standard, stating that there is no guarantee that the wallets of the future will be able to support the derivation method that I use today to create the key.

Seed phrase Electrum: I don't want to depend on Electrum, its developers and the future of that software. I only want to trust the Bitcoin protocol.

WIF: it is the solution that convinces me the most: I write and/or save the private key directly in the format recognized by the Bitcoin protocol and therefore at least by Bitcoin Core (and I hope that it will always be recognized in the future also by other lighter wallets such as Electrum) . I find it to be the most primitive way to save the private key, among other things the one once suggested by the bitcoin.org website, and therefore the most scalable in the future. However, things are more complex than they seem, reading from Reddit, I see that Bitcoin Core supports 2 wallet formats: Legacy and Descriptor. It seems that the Legacy format will no longer be supported in the future, in fact, soon! Are the various sites and applications that still allow you to generate legacy private keys (one private key -> one public address) providing keys that will no longer be supported?

Are there other solutions I haven't considered? What do you think is the best solution for creating a private key that will certainly be usable even in the distant future?

[1714224529]

1714224529

[1714224529]

1714224529

[1714224529]

1714224529

[1714224529]

1714224529

[pooya87]

I want to have the guarantee that my private key will always be usable, even in a long time when I eventually decide to spend the Bitcoins. I absolutely want to avoid discovering one day that the private key I saved is no longer supported by software wallets or even by the Bitcoin protocol.

The only viable solution to this is to stay up to date with Bitcoin development and major changes made to the protocol since something like that requires a hard fork (changing ECC used) which is a significant change and is unlikely to happen. Otherwise there is no backup solution that could solve this issue for you.

Hardware wallet: The hardware wallet seed phrase ~I would end up with a seed phrase that I wouldn't know how to use. I don't want to depend on a private company.

Usually the seed phrase hardware wallets use is a commonly used protocol like BIP39 not something specific to their product that is unknown (closed source). In other words you can use that seed phrase in any other software to recover the same keys.
Although when we say "hardware wallets" we are talking about a lot of different products, so you may need to investigate this on a case by case basis.

BIP32 + BIP39: it seems like the most practical and interesting solution but I don't really understand if the BIP39 standard has been officially recognized by Bitcoin protocol/Bitcoin Core and therefore I don't understand if I have a guarantee that in the future Bitcoin wallets will support the import of a wallet with a BIP39 seed.

It is not part of the Bitcoin protocol, however BIP-39 is a very common algorithm used by a lot of wallets and also is open source (ie. we know how it works) so at any time in the future, it is trivial to find out how it works and find a script that could help you recover your keys even if your favorite wallet weren't supporting it.

Furthermore, Electrum, for example, advises against the use of the standard, stating that there is no guarantee that the wallets of the future will be able to support the derivation method that I use today to create the key.

It is not exactly advising against BIP39, it is just pointing out its shortcomings as a justification for the different algorithm that Electrum itself uses.

Seed phrase Electrum: I don't want to depend on Electrum, its developers and the future of that software.

That algorithm is also open source and well know so it can too be reproduced.

WIF: it is the solution that convinces me the most: I write and/or save the private key directly in the format recognized by the Bitcoin protocol and therefore at least by Bitcoin Core

WIF or Base58 encoded private keys is also not part of the Bitcoin protocol. It is however the most common algorithm to encode a 256-bit Bitcoin private key.

Are there other solutions I haven't considered? What do you think is the best solution for creating a private key that will certainly be usable even in the distant future?

As far as algorithms go any of the above 3 you mentioned (hardware wallets use BIP39) are viable options because as I said they are all popular and at any time in the future you can easily find a software that supports them.

Your decision making should be based on what each of these algorithms offer you and their limitations.
For example WIF is only a single private key. If you generate a paper wallet (for your long term storage) and if you decide to spend a fraction of it, you'll have to either reuse the same key for the change or go through the steps to create another paper wallet.
However if you use a seed phrase algorithm, you can generate as many keys as you like and won't have the limitation of a single WIF.
As for BIP39 versus Electrum algorithm, if you are an Electrum user then stick with Electrum seed phrase otherwise BIP39 is the way to go.

Read some of the disadvantages of paper wallets (single WIF on paper) here: https://en.bitcoin.it/wiki/Paper_wallet

[Knight Hider]

Private keys are just that: keys. If the Bitcoin protocol stops supporting them, there is no Bitcoin anymore.
If you think your seed can't be used in the future, keep a copy of the software that converts seed to private key. Or write down the private keys with the seed.

[odolvlobo]

I want to have the guarantee that my private key will always be usable, even in a long time when I eventually decide to spend the Bitcoins.

There is no guarantee, but it is very likely that your private key will always be usable even if the software dealing with private keys becomes obsolete.

First:

• A seed phrase is not a private key. A seed phrase is used to generate private keys.
• A private key is not a wallet. A wallet manages private keys and typically uses a seed phrase to generate them.

If those two points aren't obvious to you, then read this: Important terms that are frequently confused.

Hardware wallet: The hardware wallet seed phrase can only be used to recover my funds if I have a dongle from the same manufacturer as the hardware wallet.

That is not true. If the seed phrase is BIP-39 compatible, then any wallet that supports BIP-39 will be able to use it. And if BIP-39 becomes obsolete, then there would be nothing stopping you from making your own software to support it.

HardBIP32 + BIP39: it seems like the most practical and interesting solution but I don't really understand if the BIP39 standard has been officially recognized by Bitcoin protocol/Bitcoin Core.

BIP-32 and BIP-39 are not part of the Bitcoin protocol or consensus rules. They don't have to be "officially recognized" because nothing about Bitcoin is "official". FYI, Bitcoin Core does not use BIP-39.

Seed phrase Electrum: I don't want to depend on Electrum, its developers and the future of that software. I only want to trust the Bitcoin protocol.

Like BIP-39, the Electrum seed phrase protocol is not part of the Bitcoin protocol. However, it is not widely used so if you are worried about it being supported in the future, then you probably shouldn't use it.

WIF: ...

WIF is just an encoding format. There are many ways to encode a private key, and converting a key from one encoding to another is pretty trivial. So, if you consider this to be a solution, then perhaps there is no problem to solve.

[Cricktor]

A paper wallet is from my understanding basically a private key and it's derived public address. With the public address you can easily check the amount of coins, with the private key (usually as WIF and QR code and hidden "inside" some folded paper scheme) you can spend the coins of this paper wallet.

A private key is just an ideally random 256bit number, what representation of it you use (WIF or something else) doesn't matter. Usually it's something that some wallet has to understand to be able to import it to spend or sweep the paper wallet.

As long as Bitcoin exists in its form, a private key will be usable. I don't see a reason to worry about that.

What you should worry more about is how you can create your private key and paper wallet in the most secure way. This includes a secure computer system which is ideally offline and stays offline or is disposed afterwards (a Live Linux that only runs in RAM is sufficient for this). Your printer needs to be safe for this purpose that it doesn't store a print job internally or shares it online by any means (printer manifacturer, some online cloud, whatever). All software tools used need to be safe and time-tested.

If you want secure paper wallets, you have to strictly avoid leaving digital traces of data of your paper wallet on any device that may go online later at some point of time and thus may get compromised for whatever reason. And you have to think about secure storage of your paper wallet (some redundancy might be good, too).


Rough steps that I would go if I had to create paper wallets (all done in a secure air-gapped environment):

• generate entropy, 128bit is secure enough (throw coins or quality dice, use a proven software or hardware wallet)
• derive mnemonic recovery words from this entropy: this serves as a well established backup procedure (BIP39); use verified iancoleman script for that (download from its Github and verify it thoroughly)
• optional: you can use a mnemonic passphrase in addition the the mnemonic recovery words to secure the "wallet"; optional mnemonic passphrase needs to be stored safely and separatly from mnemonic recovery words
• choose your address format and use a common derivation path for it; I'd go with native segwit public addresses for my paper wallet
• with iancoleman script you now have a hierachical deterministic wallet and you can create 2³²-1 paper wallets from a single well established and common derivation path; that's more than enough one ever needs; the script will give you as many private keys as you need for your amount of paper wallets
  
• to create prints I'd probably use a verified copy of bitaddress.org script downloaded from its Github; problem here is that to my knowledge bitadress.org doesn't understand bech32 addresses -- you could still print a paper wallet for its private key but you can't have the native segwit public address on the print -- some other reliable tool will be needed for this
• I have a dumb printer that doesn't know about network connectivity

I liked the printouts from Canton Becker's original paper wallet generator. But beware, Canton sold his website bitcoinpaperwallet(dot)com and the new owner(s) turned this website and paper wallet generator into a scam. It is provably a malicious paper wallet generator that creates paper wallets that are known to the site owner even when you create them offline. There are threads for this malicious issues in this forum already and Canton Becker's original Github mentions it, too (source: https://github.com/cantonbecker/bitcoinpaperwallet).
Attention: you will loose your coins with this malicious website (not with Canton Becker's original code)!

[BlackHatCoiner]

I absolutely want to avoid discovering one day that the private key I saved is no longer supported by software wallets or even by the Bitcoin protocol.

Then protect your private key, because it is far more probable than you will screw things up with the paper wallet, than the entire Bitcoin network with itself.

Seed phrase Electrum: I don't want to depend on Electrum, its developers and the future of that software. I only want to trust the Bitcoin protocol.

WIF: it is the solution that convinces me the most: I write and/or save the private key directly in the format recognized by the Bitcoin protocol and therefore at least by Bitcoin Core (and I hope that it will always be recognized in the future also by other lighter wallets such as Electrum) .

For the sake of the potential confusion: Bitcoin Core is an implementation of Bitcoin. It is not Bitcoin itself. I don't understand why you're concerned about Electrum going extinct, but not about Bitcoin Core. Both are equally reputable and maintained for more than a decade. And both are parts of the Bitcoin network.

And I strongly recommend you to create an Electrum wallet instead, as it's more user-friendly and contains less complex terminology.

[Cricktor]

Then protect your private key, because it is far more probable than you will screw things up with the paper wallet, than the entire Bitcoin network with itself.

THIS!

In my previous post I didn't say anything against paper wallets as this was not what the OP was asking for. But I feel the need to add here that I consider paper wallets obsolete and prone to errors and security issues. We have good and secure hardware wallets (I don't speak of Ledger crap) which provide better security and safety for your coins if used properly.

Do not bother to mess with paper wallets. It's too easy to create them unsafely or do something wrong and they usually provide no security if they come into wrong hands. Redundant backups are not feasible unless you use BIP38 private key encryption (if you loose the encryption passphrase for this, your coins are likely gone forever).

[BlackHatCoiner]

But I feel the need to add here that I consider paper wallets obsolete and prone to errors and security issues.

Paper wallets in their traditional form are far from recommended. They limit your entire wallet to just one private key, which besides bad for your privacy, is easy to mistype when writing it down. Plus, it is evidently insecure to use javascript for generating private keys. I'm mentioning this, because often times, it is an abandoned project like bitaddress.org which offers the option for paper wallet.

[bitcoiner180]

In my previous post I didn't say anything against paper wallets as this was not what the OP was asking for. But I feel the need to add here that I consider paper wallets obsolete and prone to errors and security issues. We have good and secure hardware wallets (I don't speak of Ledger crap) which provide better security and safety for your coins if used properly.

I would like to discuss this with you. I do not think so.

If you think about it, even the paper (steel, aluminum, rock, etc.) wallet could be called a "hardware wallet". The only difference between the paper wallet and the USB wallet is the format in which the key is written: in the paper wallet the key is written in a human readable format, in the USB wallet it is written inside a delicate electronic chip readable only from a compatible device. So speaking of security in saving the key, it is decidedly safer to write the key in the simplest format, i.e. the one that can be read directly by a human being instead of adding unnecessary electronic complexity.

It's too easy to create them unsafely or do something wrong and they usually provide no security if they come into wrong hands. Redundant backups are not feasible unless you use BIP38 private key encryption (if you loose the encryption passphrase for this, your coins are likely gone forever).

It doesn't seem that difficult to me. I just need to generate the private key and public address with an open source script, write the private key somewhere rechecking several times and with different methods of having written the key correctly, test that Electrum recognizes my private key and generates the same public address from it. I can also decide to write the private key with copy and paste onto a USB stick that I formatted myself. I can also encrypt my private key with aes256 (for example) and store it in my backup system.

They limit your entire wallet to just one private key, which besides bad for your privacy, is easy to mistype when writing it down.

The issue of privacy is important but not extremely necessary to hold bitcoins safely. Perhaps, if I am an expert bitcoin user, using an HD wallet in the right way, I can hide from you the exact amount of bitcoin I own but it will always be very difficult to hide from you the fact that I own bitcoin and my economic capacity which is recognizable not only from the bitcoins I own but also from my job, my bank account and the physical objects I own (house, car, clothes, etc...). It's not so easy to mistype when writing down the key if I check it several times and also verify that the key is read correctly by Electrum generating the same public address.

Plus, it is evidently insecure to use javascript for generating private keys. I'm mentioning this, because often times, it is an abandoned project like bitaddress.org which offers the option for paper wallet.

Can these bugs really be used by someone to one day discover my own key? Are these bugs so serious that they even force me to trust and pay (hundreds of dollars) a closed source key generator centrally developed by a private company and shipped by Amazon or some other unknown forwarder? It's not just bitaddress.org, there are also other sites and GitHub projects that allow you to generate paper wallets for all bitcoin address formats (P2PKH, P2SH, P2WPKH, etc...).

For the sake of the potential confusion: Bitcoin Core is an implementation of Bitcoin. It is not Bitcoin itself. I don't understand why you're concerned about Electrum going extinct, but not about Bitcoin Core.

How owns the Bitcoin protocol? Who decides that a block is valid or not? Who decides for example that a taproot address is valid or not? Who decide that from today you can use a P2SH address? Electrum ask it to Bitcoin nodes but it's Bitcoin Core and its forks that really decide whether something in blockchain is valid or not.

[apogio]

How owns the Bitcoin protocol? Who decides that a block is valid or not? Who decides for example that a taproot address is valid or not? Who decide that from today you can use a P2SH address? Electrum ask it to Bitcoin nodes but it's Bitcoin Core and its forks that really decide whether something in blockchain is valid or not.

Bitcoin is a software. Here are some bitcoin implementations:

0. https://github.com/bitcoin/bitcoin (Bitcoin Core - written in C++)
1. https://github.com/block-core/blockcore (BlockCore written in C#)
2. https://github.com/btcsuite/btcd (BTCD written in Go)
3. https://github.com/Davidson-Souza/Floresta (Floresta written in Rust)

The list is not limited to these implementations, there are many more.

For me, the best is Bitcoin Core.

The most used is Bitcoin Core.

But if Bitcoin Core stops existing, Bitcoin will survive. Believe me,  in the past I have made the same assumption that Bitcoin Core is the only full node implementation. I was wrong! We are here to learn!

[Cricktor]

I would like to discuss this with you. I do not think so.

If you think about it, even the paper (steel, aluminum, rock, etc.) wallet could be called a "hardware wallet". The only difference between the paper wallet and the USB wallet is the format in which the key is written: in the paper wallet the key is written in a human readable format, in the USB wallet it is written inside a delicate electronic chip readable only from a compatible device. So speaking of security in saving the key, it is decidedly safer to write the key in the simplest format, i.e. the one that can be read directly by a human being instead of adding unnecessary electronic complexity.

There are different aspects to look at and I strongly believe that one has to look at the broader picture.

Ease of reading for a human of a key written onto paper or engraved into metal also means little to no security should such a paper/steel wallet fall into wrong hands. You shouldn't really ignore this fact.

An electronic hardware wallet offers some protection, usually in the form of an access PIN or passphrase. Of course you should have an analog backup of your mnemonic recovery words. Those are of course also literally unprotected, you'd need to hide them properly. (Obviously you can also hide your paper wallet. No real bonus here for any side.)
An electronic hardware wallet is just more versatile than a bunch of paper wallets.

It doesn't seem that difficult to me. I just need to generate the private key and public address with an open source script, write the private key somewhere rechecking several times and with different methods of having written the key correctly, test that Electrum recognizes my private key and generates the same public address from it. I can also decide to write the private key with copy and paste onto a USB stick that I formatted myself. I can also encrypt my private key with aes256 (for example) and store it in my backup system.

Sounds like a lot of hassle to me to make sure you make no error in writing keys down or by what means you copy/transfer them to your paper wallets. Every step for a human with things that are not made for human handling is potentially error prone. To avoid errors you have to check and re-check and jump through some more hoops. I'm not convinced it's worth the hassle.

[apogio]

It doesn't seem that difficult to me. I just need to generate the private key and public address with an open source script, write the private key somewhere rechecking several times and with different methods of having written the key correctly, test that Electrum recognizes my private key and generates the same public address from it. I can also decide to write the private key with copy and paste onto a USB stick that I formatted myself. I can also encrypt my private key with aes256 (for example) and store it in my backup system.

This is a bad idea, let me explain the issues that can potentially arise.

1. You have to be sure that the software you use generates entropy based on a secure algorithm. To this extent, any JavaScript wallet generator is excluded. If you find one, let me know, for educational purposes only.

2. The backup is harder. I think we all realise that saving 12 english words is easier than saving 52 characters. The reason is obvious. Let's say one of the words is "ability" and you miss some characters from the word. I think it is trivial to find them. But if you miss some random characters from the WIF key, then you have no rational explanation of what the character is.

3. "test that Electrum recognizes my private key and generates the same public address from it" -> This must be done offline, just like any wallet generation must be done offline. The key must never see the internet.

4. All your funds will go to a specific address. So you gotta be careful for privacy reasons.

5. Now the most important question? How do you plan to spend the funds using the key? You must import it to a software that connects to the Bitcoin network, so you can broadcast a transaction. So, you are still obliged to use the wallets that you don't want to use (for some reason). You must spend the full amount to make sure the key doesn't become a "hot wallet". Of course you could technically sign a transaction offline and then use the software in order to broadcast the transaction. But then how will you sign offline? You will still need to use a wallet software. I think it's overcomplicated.

Personally, I don't think paper wallets are insecure. But because of the reasons above, I have decided to simply use electrum on an airgaped device and generate 12 words + passphrase that I store safely in different locations.

[ABCbits]

In my previous post I didn't say anything against paper wallets as this was not what the OP was asking for. But I feel the need to add here that I consider paper wallets obsolete and prone to errors and security issues. We have good and secure hardware wallets (I don't speak of Ledger crap) which provide better security and safety for your coins if used properly.

I would like to discuss this with you. I do not think so.

If you think about it, even the paper (steel, aluminum, rock, etc.) wallet could be called a "hardware wallet". The only difference between the paper wallet and the USB wallet is the format in which the key is written: in the paper wallet the key is written in a human readable format, in the USB wallet it is written inside a delicate electronic chip readable only from a compatible device. So speaking of security in saving the key, it is decidedly safer to write the key in the simplest format, i.e. the one that can be read directly by a human being instead of adding unnecessary electronic complexity.

You mistook security with simplicity. Some hardware wallet have ability to limit brute-force (either with time delay or erasure after several failure), while paper wallet doesn't.

Plus, it is evidently insecure to use javascript for generating private keys. I'm mentioning this, because often times, it is an abandoned project like bitaddress.org which offers the option for paper wallet.

Can these bugs really be used by someone to one day discover my own key? Are these bugs so serious that they even force me to trust and pay (hundreds of dollars) a closed source key generator centrally developed by a private company and shipped by Amazon or some other unknown forwarder? It's not just bitaddress.org, there are also other sites and GitHub projects that allow you to generate paper wallets for all bitcoin address formats (P2PKH, P2SH, P2WPKH, etc...).

It heavily depends on the bug itself. Here's an example, https://davidgerard.co.uk/blockchain/2018/04/11/javascript-securerandom-isnt-securely-random-most-web-wallets-affected-and-the-bug-was-warned-of-five-years-ago/. But you don't have to use hardware wallet when you could use /dev/urandom instead.

3. https://github.com/Davidson-Souza/Floresta (Floresta written in Rust)

This is first time i heard this software. Have you tried it in past?

[apogio]

This is first time i heard this software. Have you tried it in past?

No. In fact I have only used Bitcoin Core. I am competent in C++ & Java. I can also understand C. But I don't have the time to experiment with Rust to be honest. Even with electrs that I use as my main Electrum Server, I haven't dived into the implementation itself.

[BlackHatCoiner]

The issue of privacy is important but not extremely necessary to hold bitcoins safely.

But why limiting yourself like that when it easier to just write down a phrase instead, and have infinite addresses?

It's not so easy to mistype when writing down the key if I check it several times and also verify that the key is read correctly by Electrum generating the same public address.

Maybe nothing happens. But, maybe in 10 years from now, the paper is a little tampered. "1" with "i", "5" with "S", "W" with "w" or "vv", etc., seem indistinguishable. Again, why choosing to go with the difficult way when it is easier process to just generate and write down a phrase that is human readable?

Can these bugs really be used by someone to one day discover my own key?

We don't know. What we know is that cryptography experts have evidence and concerns of javascript being less secure. That is more than enough of a reason to avoid it.

Are these bugs so serious that they even force me to trust and pay (hundreds of dollars) a closed source key generator centrally developed by a private company and shipped by Amazon or some other unknown forwarder?

For God's sake, no. Use reputable, peer-reviewed, open-source software like Electrum and avoid everything that is closed-source.

It's not just bitaddress.org, there are also other sites and GitHub projects that allow you to generate paper wallets for all bitcoin address formats (P2PKH, P2SH, P2WPKH, etc...).

As I already said, avoid browser-based wallet software. Especially, paper wallet software.

How owns the Bitcoin protocol?

Nobody. See protocol rules and consensus. (That's a good link too!)

[Cricktor]

You must spend the full amount to make sure the key doesn't become a "hot wallet".

Any UTXO has to be fully spent or the unspent part will add to the transaction fees. But usually the wallet software used to spend your paper wallet should take care of it. The common rule "Don't trust, verify!" is still applicable and knowing how the UTXO transaction model of Bitcoin works, helps a lot.

As you have to use a software wallet anyway to spend your paper wallet, I don't see much of a point to mess with paper wallets at all. You raise your chances to screw things up.