Topic: Most Secure Method To Sweep Paper Wallet (Read 257 times)

Absolutely I agree with you both. I just posted the video link to illustrate the general process as it was all I could locate online. I'd never use a mobile phone with downloaded app.

Thanks.

Since you're looking for the safest way to do it, I agree with @o_e_l_e_o's answer above. You only get closer to the highest safety/security possible when you eliminate all the potential risks and flaws out of your method. And so far, the only remaining potential security threats is someone physically tampering with your airgapped device which is imo a quite low probability unless you're being watched by intelligence agencies or have some bad actor around. That is unless you somehow mess up yourself and accidentally enter the airgapped device's seed into the online PC, which I believe is something that has a low chance of happening as well.

I would not use a phone because it has just too many backdoors and unknown/non-removable components. A PC is quite modular and you can easily remove or add anything you might or might not need. For me, privacy & security are not only interests but also a fascinating hobby (and now addiction, I guess). Even if you aren't followed by 3-letter agencies, I would still recommend to follow the best security practices as it's more than worth it over the long term. And since it's both fun and safer, why not?

It's pretty much the same process as described earlier in this thread, except instead of using a second computer as your airgapped device, he is using a phone.

This is certainly better than just sweeping your private key in to a hot wallet, but it is not as good as using an airgapped computer for a couple of reasons. A phone in flight mode is not truly airgapped, and studies have shown it still pings for cell towers, it can still send location data, it can still leak via WiFi and Bluetooth, and so on. A phone is not truly airgapped unless you open it up and start ripping out the antennas and WiFi modules. You also are not starting on a clean device, and your phone could have any type of malware on it already. Even if you factory reset your phone, you aren't starting from scratch, but rather starting from whatever bloatware and spyware your carrier/manufacturer has pre-installed, and with their (usually) closed source OS.

An airgapped phone is an OK middle ground, but it is not as good as using a fully airgapped computer with a clean install of an open source OS.

This guy talks through the general process:

https://www.youtube.com/watch?v=-9kf9LMnJpI&t=3s

Why wasting valuable satoshis (at least 547 sats + transaction fee) on this when you can use the testnet! The testnet is deducated for such purposes and Electrum suupports it.
All you have to do is to run Electrum on the testnet mode and claim few test coins for free from any online faucet.
Just, don't forget to send the testcoins back to the faucet's address.

I would agree. Since you are sending it to a Ledger hardware wallet, then your coins will be pretty much just as secure there as they were on the paper wallet, and it will make your life much more straightforward in the future when you want to spend them again. If you do want to put some of them back on to a paper wallet, then you should create a brand new paper wallet from scratch (which is a whole other complicated multi-step process, but also involving many of the same steps regarding airgapped computers as above).

Thanks. Everyone is a great help on here.

 Yes this offline method definitely is the way to go for me now.

Yes it's a private key. What I'll most likely do is transfer the complete ammount then to play it safe. 👍

Normally, sweeping means to move the whole funds from wallets like paper wallet by proving the private key. Assuming, you have paper wallet, and you want to sweep to Wallet A. First of all, wallet A will have the sweeping feature, and it will request for private key of the paper wallet. Once you input the private key, the whole funds will be moved to the new wallet (wallet A). But, this is just a way you will have to just get your bitcoin to be handled by private key that will be online.

But what is explained above, you can send any amount of bitcoin you want (you can send half, you can send all, you can send less than half, or any amount), and yet your paper wallet private key is still offline, and yet the private key of the wallet you send it to is also offline. Nothing about your private key touch online. That is why I will strongly recommend the method.

The issue with this is you must enter your private key in to a live website (and a very sketchy one at that). I definitely wouldn't recommend doing this, especially with a significant amount of coins.

A smart idea.

It depends. Is your paper wallet an individual private key, or is it a seed phrase?

If it is an individual private key, then it is generally good practice to sweep the entire amount. An individual private key will only generate a single address, so if you do not sweep it all one of two things will happen. What should happen is that your change is returned to the same address, which means you still have your coins but it is bad for your privacy. What has happened to some users in the past is that their wallet has generated a new address to send the change back to without them realizing, which they haven't backed up and have then lost access to their change.

If your paper wallet is a seed phrase, then you do not need to sweep the entire amount. The wallet will automatically send the change to a brand new change address generated from your seed phrase, which you can then recover again at a later date.

Thanks my friend. I do not plan to do this for sometime yet but really just wanting to get my head around the process. I have sweeped wallets using Blockchain.info previously but never used this method before. I will likely test this method on on a small amount of satoshis first. Does this method also mean that I do not have to sweep the total balance of bitcoins out the paper wallet? In essence I can just transfer whatever amount I wish? Sweeping wallets on Blockchain.info swept the total amount.

Lots of ways, unfortunately. It can be quite a complex process if you have never done it before.

Provided your private key never touches your online device, and you don't sign a transaction without double checking it is correct (and therefore making sure it has not been altered or tampered with by any malware on your online device), then it is incredibly unlikely that any mistakes you make would result in loss of your coins. With that in mind, the most important thing to remember, as I said above, is to ensure you only ever enter you private key or seed phrase on to your airgapped computer, and you only enter an address or public key on to your online computer.

If something goes wrong or doesn't seem to work as you expect, then simply stop, look for the mistake, ask on here if needed, or even start from scratch. Just take your time with each step.

Thanks everyone. Great help.

Is there any way to accidentally screw this process up?

Correct.

In to the watch-only wallet you need to import either an individual address or the master public key from your airgapped wallet. If you have the address written down/printed as part of the paper wallet, then you can enter it directly from the paper wallet in to your watch only wallet. If your paper wallet only contains a private key or a seed phrase, then you will first need to import that in to your airgapped wallet, and then transfer either the individual address (in the case of an individual private key) or your master public key (in the case of a seed phrase) across to your watch only wallet, via either typing it manually, a QR code, a USB drive, a CD, etc.

The most important thing is to ensure that your private key and/or seed phrase never touches your online computer.

Yes, the online PC is watch only. The signing PC (cold storage) stays always offline.
Maybe one more source makes it clearer?
https://electrum.readthedocs.io/en/latest/coldstorage.html

Step 1. You have to work on your airgapped PC to import the private key or seed into Electrum.
       Step 1a. From your airgapped PC, if you have a paper wallet containing a private key:
                     1. Open up Electrum and, as soon as you're asked what kind of wallet you want to create, check "Import Bitcoin addresses or private keys"
                     2. Insert your private key in the textbox. Move on to Step 2.

       Step 1b. From your airgapped PC, if you have a paper wallet containing a seed:
                     1. Open up Electrum and, as soon as you're asked what kind of wallet you want to create, check "Standard wallet"
                     2. Continue by checking the "I already have a seed" option and input your seed into the textbox.
                     3. After importing your seed, go to Wallet > Information and look for the Master Public Key. It should look something like this:
Code:
zpub6nXwKjUbuUY8BE2ETiErVgkSJZv5F5Ekz76dDFVzsmhNi26sm2WSkgNX4hmLE1c22q3prLJCcgC rkHyijEXsRb5SfNX5HAezmLVdinX1mTh
                     4. Scan the code using a barcode scanner or, the traditional way I like, write it down on a piece of paper Smiley Move on to Step 2.

Step 2. You have to work on your online PC to import the private key public address or the seed's Master Public Key into Electrum.
       Step 2a. From your online PC, if you just imported a private key into your airgapped computer:
                     1. Open up Electrum. During the Install Wizard, select "Import Bitcoin addresses or private keys".
                     2. If you have a paper wallet, chances are you have a public address on it. So, depending on this:
                          2a. If you have the public address, insert it into the textbox.
                          2b. If you do not have the public address, go back to your airgapped PC's Electrum and click the Receive tab. On the right side of your window, the public address is shown. Write it down somewhere or scan the QR Code (click the QR Code tab for this) and insert the address into the online PC's Electrum textbox. Move on to Step 3.

       Step 2b. From your online PC, if you just exported your Master Public Key from your airgapped computer:
                     1. Open up Electrum. During the Install Wizard, select "Standard wallet" followed by "Use a master key".
                     2. Insert the Master Public Key into the textbox. Move on to Step 3.

Step 3. Still working on the online PC, you have to create the sweeping transaction and export it:
                     1. Now you should see your balance in your online Electrum. Go to the Send tab, insert the address you want to send your BTC to and push the "Max" button. Do NOT leave it unchecked or you risk losing part of your funds! Press "Pay...", change the fee rate if you will and then press "Send".
                     2. In the bottom-left corner of the Transaction window, you have an "Export" button. Click Export > Export to file. After exporting it, either:
                           - Write the file onto a CD and insert the CD into your now-airgapped computer;
                           - Plug an SDHC/SDXC card (or a microSD with a SDHC/SDXC adapter if you have one around) into your online PC, put the file on it unplug it and flip the read-only switch so that your file/card never gets modified. Now plug it into your airgapped PC and copy the file there;
                           - Plug an USB stick into your online PC (preferably a stick with a read-only switch), put the file on it, unplug it, flip the read-only switch and put the file onto your now-airgapped PC.

Step 4. From your airgapped PC, you have to import the transaction and sign it:
                     1. In Electrum, go to Tools > Load transaction > From file and select the transaction you just copied.
                     2. Press "Sign" and export the transaction to File again (Export > Export to file..). Copy the file back to your online PC safely. Move to Step 5.

Step 5. Moving back to the online PC, you need to import the signed transaction and finally broadcast it:
                     1. In Electrum, go to Tools > Load transaction > From file and import the signed transaction file.
                     2. Press "Broadcast".

I mean, it can be used, but it is still far from ideal and I still wouldn't recommend it. Running bitaddress on an airgapped computer will protect your private key during the process of converting it from hex to WIF. However, if you are then going to take that WIF private key over to your online computer and import it in to Electrum, then you are still exposing it to an internet connected environment. It's not quite as bad as entering it directly in to a live website, but it is still far less secure than working in a completely airgapped environment as discussed above.

Nice write up. There are a couple of things I would clarify here.

When installing a clean Linux distro on it, don't be tempted to dual boot or something similar. Format your hard drive first so that your clean Linux distro is the only thing installed.
If you are only going to be using this to sweep your paper wallet, then I would go down the route of a live OS. Unplug your hard drive in addition to your wireless components before doing this.
If you are going to be using this as a long term cold storage wallet, then obviously you should install the OS, but I would say that full disk encryption in this case is a must. LUKS is ideal for this.

The security of your chosen method depends on your habits. Most people have bad habits and generally practice bad security and based on my experience, the more critical your thinking is and the more paranoid you are, the higher the security you'll be looking for.

I'll leave here what I would personally do, since I really think you should always keep a good security practice. The more you don't, the higher your risks of messing up are.

---

If you want to sweep a paper wallet, the most secure way to do it is on an offline, airgapped PC. For the setup, you basically need three things: two computers (one as the cold, airgapped wallet and one as the online wallet to broadcast your sweeping transaction) and an address to which you want to sweep your BTC.

Take an older PC of yours, remove any wireless modules from it and install a clean Linux distro on it. I'd personally recommend Debian or Ubuntu. If you don't want to install it, then you could use it as a Live CD instead (Live CD means everything you do is wiped upon shutdown/reboot). For Live CDs, I'd recommend Parrot OS which comes with Electrum preinstalled (or Tails). (bonus: I also recommend encrypting your HDD; bonus x2: if your future airgapped PC is old or you want it to run a lightweight distro, install Debian with XFCE). Make sure you verify your install file upon downloading it (Ubuntu verification tutorial; Debian verification depends on the type of download you prefer.

After installing Linux on this offline PC, it's time to download Electrum. Download it from here and verify it.

Installing Electrum
Now you have to install Electrum on both of your PCs (cold and online). If you want extra security, after verifying the file, you can (in descending order based on security as I see it):
 - Write the file (and signature, if it has one) onto a CD from your online PC and plug the CD into your now-airgapped computer;
 - Plug an SDHC/SDXC card (or a microSD with a SDHC/SDXC adapter if you have one around) into your online PC, put the file on it (and signature, if it has one), unplug it and flip the read-only switch so that your file/card never gets modified. Now plug it into your airgapped PC and copy the file there;
 - Plug an USB stick into your online PC (preferably a stick with a read-only switch), put the file (and signature, if it has one) on it, unplug it, flip the read-only switch and put the file onto your now-airgapped PC.

As soon as you have Electrum installed on both PCs, this is what you have to do next:

Step 1. You have to work on your airgapped PC to import the private key or seed into Electrum.
       Step 1a. From your airgapped PC, if you have a paper wallet containing a private key:
                     1. Open up Electrum and, as soon as you're asked what kind of wallet you want to create, check "Import Bitcoin addresses or private keys"
                     2. Insert your private key in the textbox. Move on to Step 2.

       Step 1b. From your airgapped PC, if you have a paper wallet containing a seed:
                     1. Open up Electrum and, as soon as you're asked what kind of wallet you want to create, check "Standard wallet"
                     2. Continue by checking the "I already have a seed" option and input your seed into the textbox.
                     3. After importing your seed, go to Wallet > Information and look for the Master Public Key. It should look something like this:
                     4. Scan the code using a barcode scanner or, the traditional way I like, write it down on a piece of paper Move on to Step 2.

Step 2. You have to work on your online PC to import the private key public address or the seed's Master Public Key into Electrum.
       Step 2a. From your online PC, if you just imported a private key into your airgapped computer:
                     1. Open up Electrum. During the Install Wizard, select "Import Bitcoin addresses or private keys".
                     2. If you have a paper wallet, chances are you have a public address on it. So, depending on this:
                          2a. If you have the public address, insert it into the textbox.
                          2b. If you do not have the public address, go back to your airgapped PC's Electrum and click the Receive tab. On the right side of your window, the public address is shown. Write it down somewhere or scan the QR Code (click the QR Code tab for this) and insert the address into the online PC's Electrum textbox. Move on to Step 3.

       Step 2b. From your online PC, if you just exported your Master Public Key from your airgapped computer:
                     1. Open up Electrum. During the Install Wizard, select "Standard wallet" followed by "Use a master key".
                     2. Insert the Master Public Key into the textbox. Move on to Step 3.

Step 3. Still working on the online PC, you have to create the sweeping transaction and export it:
                     1. Now you should see your balance in your online Electrum. Go to the Send tab, insert the address you want to send your BTC to and push the "Max" button. Do NOT leave it unchecked or you risk losing part of your funds! Press "Pay...", change the fee rate if you will and then press "Send".
                     2. In the bottom-left corner of the Transaction window, you have an "Export" button. Click Export > Export to file. After exporting it, either:
                           - Write the file onto a CD and insert the CD into your now-airgapped computer;
                           - Plug an SDHC/SDXC card (or a microSD with a SDHC/SDXC adapter if you have one around) into your online PC, put the file on it unplug it and flip the read-only switch so that your file/card never gets modified. Now plug it into your airgapped PC and copy the file there;
                           - Plug an USB stick into your online PC (preferably a stick with a read-only switch), put the file on it, unplug it, flip the read-only switch and put the file onto your now-airgapped PC.

Step 4. From your airgapped PC, you have to import the transaction and sign it:
                     1. In Electrum, go to Tools > Load transaction > From file and select the transaction you just copied.
                     2. Press "Sign" and export the transaction to File again (Export > Export to file..). Copy the file back to your online PC safely. Move to Step 5.

Step 5. Moving back to the online PC, you need to import the signed transaction and finally broadcast it:
                     1. In Electrum, go to Tools > Load transaction > From file and import the signed transaction file.
                     2. Press "Broadcast".

---

There you go. Quite complicated for a newbie, but it's the safest way you can go. From here on, you could safely use the airgapped PC as a cold wallet. Practice good security. It's worth it in the long run.

I noticed one things about this method. The user can be able to make a transaction using the watch-only wallet and use the airgapped device to sign the transaction. The transaction can be any amount of bitcoin of choice owned, and yet the private key remains offline before and after the whole process.

Follow o_e_l_e_o post above.

But, in case the user is done using the paper wallet and wants to transfer the whole funds, can my method above be used if bitaddress.org is run offline? Normally, the private key will still be exposed online on electrum, but the user will send the total bitcoin amount to an address on his hardware wallet, and not using the paper wallet again.

Your are bang on correct. It's a very old paper wallet and I am not able to import it into any new hardware wallet. But I want to learn the most secure way to move said paper wallet into a Ledger.

Sweeping is nothing else but sending the whole balance to a new wallet. The wallet which will sweep the private key has to be online to sign and broadcast the transaction, which is not recommended.
Instead, you can create a watch-only wallet using your paper wallet's public key, create a transaction which sends the whole balance to a new address (your new wallet), sign it offline, then broadcast  the signed transaction using any online broadcaster.
(was typing and didn't notice o_e_l_e_o's reply, sorry!)

Perhaps he wants to move the funds to a hardware wallet or a HD wallet where he cannot import a private key. Or perhaps he wants to send some of them to another person, or split them up between multiple wallets. There are plenty of reasons to sweep an address rather than import a private key.

Except if you do this, you will have exposed your private key to the internet and instantly put your funds at risk.

You need to use an offline computer, preferably a permanently airgapped one with a clean OS, import your private key there and sign a transaction on this airgapped computer, and then move the transaction to an online computer to be broadcast. There's a good post from LoyceV about this here, which I'll just link to rather than re-hashing all the information - https://bitcointalksearch.org/topic/m.56389821. Make sure to verify your Linux and Electrum downloads before installing/using them.

Hi there,

Does anyone have a detailed guide to the most secure method to sweep a paper wallet?

Thanks in advance.

RMC.