
Topic: best way to keep cold storage wallet, but connect it to internet rarely to send. (Read 266 times)

legendary
Activity: 2212
Merit: 7064
I currently own an old laptop that actually was never connected to the internet and never used, it's still brand new.
If wiNd0ws is installed by default your computer will probably try to connect to internet first time you turn it on, so you need to disable wifi, bluetooth and detach any wired connection.
Best thing would be to install a fresh new Linux operating system with an encrypted hard drive to make it much safer.

My question is, how would you go about keeping my bitcoin offline, but connect the wallet a few times to the internet to check to make sure my wallet works as intended?
Cold storage means that you never get direct internet connection, and you can communicate with other devices for signing transaction using QR codes.
Moment you connect laptop to internet it is not considered cold storage any more.
One option you could still use this laptop with internet connection in combination with Tails OS, but you are booting with usb stick that had Tails image installed.
legendary
Activity: 2268
Merit: 18711
I think we need to take a step back here and re-read everything through the eyes of a semi-newbie like OP. He's asking some simple questions about how to safely set up a cold wallet, and instead we are confusing him with talks of gap limits and hardware wallets, which are completely irrelevant to his first post.

Here is the question OP asked:
My question is, how would you go about keeping my bitcoin offline, but connect the wallet a few times to the internet to check to make sure my wallet works as intended?
Charles-Tim has given you the correct answer in the first reply. You do this via what is known as a watch only wallet. This means your main wallet which you create on your offline laptop stays permanently offline and never connects to the internet. Then you take the addresses or public keys from that wallet, via a QR code or a USB drive, over to your internet connected device and create a watch only wallet using these addresses or public keys. The watch only wallet does exactly what the name suggests - it lets you only watch the addresses for incoming funds, but you cannot spend anything from the watch only wallet. To spend the coins, you must use the full wallet on your offline laptop which contains the private keys necessary for spending.

Like, should I create the wallet on the offline laptop, recreate it to make sure the words are correct, send money to it, then put the wallet on USB (so I don't have to recreate it on my internet connected PC) and see if it works on my main computer with the secured password or something?
Almost. Instead of putting the full wallet on your USB, you just put the addresses or the master public key and use that to create a watch only wallet on your internet connected PC. This lets you view all your addresses and transactions, without risking the private keys ever being exposed to the internet.

The process of spending coins from this set up is a little convoluted, but is the process required to maintain the security of the wallet. From the watch only Electrum wallet, you first create a transaction as you normally would. Instead of signing that transaction (which you can't, since the watch only wallet does not contain the private keys necessary for signing), you instead save the unsigned transaction to file, and then move that file via a USB drive over to your cold wallet. Open the unsigned transaction in your cold wallet, sign it, save the now signed transaction in a new file, and then move that file back across to your internet connected PC to be broadcast to the network.
legendary
Activity: 1512
Merit: 4795
Have any of you ever done this way?
To create a seed phrase on a cold wallet and back up the funded address private key? I understand that is what you meant.

It is good and it is going to work fine. It will also help in private spending because many addresses would not be connected together.

Even the change address can be another address you manually selected from the addresses on the cold storage.
legendary
Activity: 2534
Merit: 6080
Self-proclaimed Genius
I'm a little confused here.

With those multiple addresses that you use to spend bitcoin. Would any of those allow you to spend all of your bitcoin in that wallet?
In Bitcoin, the data that can spend your coins isn't the address but its "private key", which is usually in the care of the user.

An Exchange and Electrum work differently.
In Exchanges, the private keys of the users' addresses are in the Exchange's custody.
In Electrum, the private keys are stored locally in the wallet so the data that you need to spend is exclusively in that wallet even if it's offline.
By creating a watching-only Electrum wallet, you're basically only copying the addresses to the online PC; it can't spend, only "watch".

Take note that the above is an oversimplification for you to understand,
technically, there's a "master key" stored in each of those wallets which can reproduce all of those two wallets' addresses.
A "master private key" in the cold-storage and "master public key" in the watching-only wallet.

Quote from: edward500
The thing here is that I need to verify that my wallet works, and I can send bitcoin out of it in a test before I put my bitcoin into it.
Send a few satoshi to the watching-only wallet and successfully spend it by following the tutorial in the first reply, that's the assurance that you need.
If you want, you can click 'save' right after signing the transaction in the cold-storage to update the displayed balance, but that won't improve anything.
legendary
Activity: 3472
Merit: 10611
The thing here is that I need to verify that my wallet works, and I can send bitcoin out of it in a test before I put my bitcoin into it.
In addition to testing your actual cold storage/wallet you can also always try things for free using TestNet.
Just run your Electrum using --testnet command line parameter or make a copy of the shortcut on your Windows desktop and change the target like this.
Then all you have to do is to claim some free TestNet coins from a faucet and since those coins have no value you can easily test anything you like without worrying about losing actual money. Here is a faucet list:
https://bitcoinfaucet.uo1.net/
https://coinfaucet.eu/en/btc-testnet/
https://testnet-faucet.com/btc-testnet/
https://testnet-faucet.mempool.co/
full member
Activity: 378
Merit: 167
I use electrum because I know from this forum. Very helpful and light.
Maybe you can also see your initial forum page embedded using bitcoin core. Of the 2 wallets, they are quite familiar to me. Maybe there are other wallets according to the chain or partners, as I have discussed in other threads or have reviewed. If you want simple, choose one. I agree with other friends that electrum is quite pleasing to the eye and the mobile version is also available, a complete bitcoin network for users, and easy.
legendary
Activity: 2492
Merit: 1232
The issue I have with buying an air-gapped device is I remember reading where people purchased these things and they came to them pre-hacked already and they lost their bitcoins.
If by air-gapped device you mean a hardware wallet then the best thing to do to avoid being scammed is to never buy used devices and only buy from the official website of the company or from one of their authorized resellers.
But if you mean a pc or phone then you can't say it's air-gapped unless you format it by yourself and install a fresh and clean OS on it. You never know if the old owner has used it to access the internet before or not.
It's being paranoid thinking about your security if you're using an old device for the fully air-gapped wallet.  You'll never know how secure your device is for storing your Bitcoin.  Not unless IMO, purchasing a brand new hardware wallet from the official website reseller, (for Trezor and for Ledger hardware wallet).

There are too many possibilities that could cause a leak if you'll use old computers for the airgap wallet.
Why not a hardware wallet that has built-in security features?
legendary
Activity: 2702
Merit: 3045
The issue I have with buying an air-gapped device is I remember reading where people purchased these things and they came to them pre-hacked already and they lost their bitcoins.
If by air-gapped device you mean a hardware wallet then the best thing to do to avoid being scammed is to never buy used devices and only buy from the official website of the company or from one of their authorized resellers.
But if you mean a pc or phone then you can't say it's air-gapped unless you format it by yourself and install a fresh and clean OS on it. You never know if the old owner has used it to access the internet before or not.
legendary
Activity: 2380
Merit: 5213
You can import the private key from one of those addresses if you want to spend bitcoin [for example you have bitcoin at 2 different addresses] while you don't touch bitcoin at other addresses. I don't think this makes all addresses of the wallet connected to the internet but only 1 address while the other 20 remain offline.
Right. In this way, other private keys stay offline. But I don't like the idea. If your online computer is infected with a malware, your fund can be stolen once you import the private key.
For security, you should sign the transaction offline, so your private keys and your seed phrase don't connect to the internet at all.


I think you still need to be connected to the internet to send bitcoin or test your wallet is working or not
You need internet connection for broadcasting the transaction, but you don't need internet for signing the transaction.
So, you can make a bitcoin transaction without your private key being connected to the internet.


Sorry, I calculated manually beforehand so it must have been an error on my part.
Both 20 and 21 are incorrect.
As I said in my previous post, there are numerous addresses generated from a single seed phrase.
legendary
Activity: 3374
Merit: 3095
I think for a newbie, without action you will never know what you are doing; it seems you don't understand everything about cold storage wallets.

Based on what I understand of your topic title, you want a cold storage wallet but are rarely connected to the internet. Actually, once the PC/laptop that you currently use, where your cold wallet is installed, is connected to the internet, then it shouldn't be called cold storage.
A cold storage should remain offline forever and never be connected to the internet.

A cold storage wallet has a master public key; that is what you need to create a watch-only wallet where you can monitor your wallet balance, create unsigned hex transactions and broadcast a signed transaction.
If you want to test your wallet on the first offline wallet generation you should start by depositing a small amount of BTC and test everything like sending it to another wallet before you deposit a big amount.
legendary
Activity: 1064
Merit: 1228
I'm a little confused here.

With those multiple addresses that you use to spend bitcoin. Would any of those allow you to spend all of your bitcoin in that wallet?
I mean, there are 21 addresses generated every time you create a new wallet on electrum. You can import the private key from one of those addresses if you want to spend bitcoin [for example you have bitcoin at 2 different addresses] while you don't touch bitcoin at other addresses. I don't think this makes all addresses of the wallet connected to the internet but only 1 address while the other 20 remain offline.

Did I misinterpret something in your question, or do I not know what you are trying to say?

The thing here is that I need to verify that my wallet works, and I can send bitcoin out of it in a test before I put my bitcoin into it.
But your wallet is not connected to the internet?
I think you still need to be connected to the internet to send bitcoin or test your wallet is working or not [or I missed something]. But for every wallet you make from electrum then I think it will work as it should even if you are not connected to the Internet. You only need to have the private key or seed to access the wallet as your bitcoin are not stored on electrum but are stored on the blockchain.


Your seed phrase generates numerous addresses.
Electrum shows only 20 addresses, because the gap limit has been set to 20 by default. That doesn't mean you have limited number of addresses.
Sorry, I calculated manually beforehand so it must have been an error on my part.
legendary
Activity: 2114
Merit: 2248
The thing here is that I need to verify that my wallet works, and I can send bitcoin out of it in a test before I put my bitcoin into it.

Could you explain how the multiple address will help me here? Thanks
If all you need to do for now is verify that your wallet works and you can send Bitcoin out of it, then the first reply you got is your first option. Extra bonus cause you can send out of it without connecting your private keys (seed phrase) to the internet.
Taking things slow helps prevent information overload and allows you focus on a task at a time.

Multiple addresses do not really matter when you are creating an address using a seed phrase; it's more of a privacy feature which you can figure all about with time.
legendary
Activity: 2380
Merit: 5213
You have several different addresses every time you create a new wallet [21 addresses for a seed set],
Your seed phrase generates numerous addresses.
Electrum shows only 20 addresses, because the gap limit has been set to 20 by default. That doesn't mean you have limited number of addresses.


With those multiple addresses that you use to spend bitcoin. Would any of those allow you to spend all of your bitcoin in that wallet?
You have numerous addresses all generated from a single seed phrase.
For each of those addresses, you have a private key.
Each of the private keys allows you to spend the funds from a single address.
Your seed phrase allows you to spend the funds from all generated addresses and that's all you need.


The thing here is that I need to verify that my wallet works, and I can send bitcoin out of it in a test before I put my bitcoin into it.
If you have the seed phrase in a safe place and you are sure that that's the correct seed phrase, there's nothing to worry about.
To make sure everything works as expected, create a new wallet. Select "I already have a seed" this time and enter your seed phrase.
Go to "Addresses" tab and check if you see the same addresses. (If "Addresses" tab is not available, click on "View" at top of the window and select "Show addresses".)

You can also create a watch-only wallet on an online computer to see your balance.
For creating a watch-only wallet, you need to import your master public key into a new wallet.
In the watch-only wallet, you can see your balance and all your transactions. But it's not possible to spend funds from it.
Note that in the watch-only wallet, you should see the same addresses as your cold storage wallet.
jr. member
Activity: 38
Merit: 50
My question is, how would you go about keeping my bitcoin offline, but connect the wallet a few times to the internet to check to make sure my wallet works as intended?
I have an electrum wallet on my phone which is not connected to the Internet, but I can also use any of the addresses which have bitcoin to spend at any time because I have the private key. You have several different addresses every time you create a new wallet [21 addresses for a seed set], so if you don't want all of them connected to the internet then just use one of them while the other stays offline. You only need to store the seed and private key of your wallet address securely, it's mandatory.

Have any of you ever done this way?

I'm a little confused here.

With those multiple addresses that you use to spend bitcoin. Would any of those allow you to spend all of your bitcoin in that wallet?

The thing here is that I need to verify that my wallet works, and I can send bitcoin out of it in a test before I put my bitcoin into it.

Could you explain how the multiple address will help me here? Thanks
hero member
Activity: 3038
Merit: 634
I would just feel more secure with a laptop that is still brand new, many years old, that I will use just for this. I don't know, I could be wrong with all of this.
It made me remember that someone has done this and posted it also in the forum years ago. If that's the plan, you can do that since you're aware of what you'll do.

But why not just avail a hardware wallet and just keep it in a place where you're about to hide it, and just save the bitcoin address for you to check how it does from time to time on the blockchain?

Having the hardware wallet saves you more space and you can easily keep it in your house wherever you want to store or wherever you want to go and bring it with the seeds.
legendary
Activity: 1064
Merit: 1228
My question is, how would you go about keeping my bitcoin offline, but connect the wallet a few times to the internet to check to make sure my wallet works as intended?
I have an electrum wallet on my phone which is not connected to the Internet, but I can also use any of the addresses which have bitcoin to spend at any time because I have the private key. You have several different addresses every time you create a new wallet [21 addresses for a seed set], so if you don't want all of them connected to the internet then just use one of them while the other stays offline. You only need to store the seed and private key of your wallet address securely, it's mandatory.

Have any of you ever done this way?
legendary
Activity: 1512
Merit: 7340
Farewell, Leo
The issue I have with buying an air-gapped device is I remember reading where people purchased these things and they came to them pre-hacked already and they lost their bitcoins.
Good thought, here's the thing: If both the firmware and the software are open-source, there isn't room for funds' loss, unless the source code isn't reviewed enough or if there's a backdoor. Besides, if you don't trust the bitcoin company you're buying it (which is little to no trust, again they can't rip you off if done properly) then just buy the hardware devices yourself. That's what I did. I bought a Raspberry Pi 4, not a Trezor. That's better for your privacy as well.
jr. member
Activity: 38
Merit: 50
Note that a laptop can be an air-gapped device, but it's an entire, useful computer. If you don't want to spend it like that, and do have a need of a portable computer, I suggest you to buy yourself a signing device that does exactly what you want; that is, air-gapped custody.

I strongly recommend SeedSigner; it doesn't cost a lot, can be bought anonymously (with RPi) and can work better than a laptop. That being said, only if you consider yourself a "techie". If you slightly doubt, don't even think about it twice, use the laptop.

The issue I have with buying an air-gapped device is I remember reading where people purchased these things and they came to them pre-hacked already and they lost their bitcoins.

Since people know that people will be using these for bitcoin, what they do is they compromise these things before sending them to the buyer.

I would just feel more secure with a laptop that is still brand new, many years old, that I will use just for this. I don't know, I could be wrong with all of this.
legendary
Activity: 1512
Merit: 7340
Farewell, Leo
Note that a laptop can be an air-gapped device, but it's an entire, useful computer. If you don't want to spend it like that, and do have a need of a portable computer, I suggest you to buy yourself a signing device that does exactly what you want; that is, air-gapped custody.

I strongly recommend SeedSigner; it doesn't cost a lot, can be bought anonymously (with RPi) and can work better than a laptop. That being said, only if you consider yourself a "techie". If you slightly doubt, don't even think about it twice, use the laptop.
legendary
Activity: 1512
Merit: 4795
You do not have to connect the cold wallet online, it can remain offline and you will still be able to spend your coins, all you need is to setup a watch-only wallet with it.

The watch-only wallet will be for tracking your transactions (instead of depending on third party, blockchain explorer), and to make unsigned transactions which you can transfer to the cold wallet through QR code (preferably) or USB stick.

Once the unsigned transaction is transferred to the cold wallet, you will be able to sign it and transfer it back to the watch-only wallet to broadcast it.

To set it up, follow this guide:
https://electrum.readthedocs.io/en/latest/coldstorage.html

Make sure the device is perfectly airgapped, with the removal of Bluetooth and WiFi card.