Topic: Paper wallets best practices (Read 416 times)

I've heard of people saving a copy of  their paper wallet in their bank's vault. Maybe a hidden tattoo is a legit idea?

There are various raspi like devices without wifi, even x86. I like those from PC-Engines, where you get to pick and choose wifi radio if you want it (or none). Put linux, openbsd, whatever you trust in them and manage your wallets, offline or online, with absolute control.

Of course you could do that with any old fashioned PC without connectivity of any kind as well.

I guess this is a good practice since USB is one of the most portable devices that we can have. Then we can also duplicate those copies on multiple USBs. We just need to store it in the safest place that we can remember. If we forgot it and if anyone can steal it then it is not safe anymore. There are safe that are double-locked, digital or manual, as long as it serves its purpose to keep the wallets safe.

Generate your wallet in Electrum on an air gap computer. Save your public key to a usb to transfer to online computer to monitor your balances.

Etch or stamp your seed words on military style dog tag (Amazon.com) and put it in a safe place. (Now, the hardest thing you have to do is determine the safe place.)

Make sure you keep the private key hidden and discreet. You can also get your paper wallet laminated so it won’t fade or tear. Keep it inside a safe or a location that no one can have access to. You can even use a tool like Cryptosteel to make it disaster proof.

Hey

Let me just start by saying this :-

*What infact is money made of ?*

It's not a fire resistance, water resistant material , it's infact paper , extremely vulnerable to everything .

Now what would you do if you had like 1 billion dollars in cash ?

You would probably keep it safe in bank or even in accounts, that's the best thing there is , the same is with a paper wallet , consider it a paper Currency.

How you usually handle your money is how you should handle it.

Most hardware storage drives are often made a bit poorly sometimes.
Essentially, the good data companies went out of business because they did to we and people stopped buying from them because usb sticks lasted so long... I'd suggest usb sticks are probably best but you can get sd cards in bulk more easily (go with Kingston or Toshiba unless you know of a better company, don't look for the cheapest)...

---

If you have a phone from many years ago that dosnt even have a GPS antenna then it probably doesnt have anything that can be used to communicate with it... Its hard to work this out though. If you're still particularly worried, you could get something like a raspberry pi and a monitor that will stay offline (the models 1 and 2 don't even have inbuilt WiFi chips).

---

Yeah as soon as you import a paper wallet, by design it should be considered as compromised if the computer is online.

And yes that's how paper wallet storage should be done. I'd suggest printing a qr code too and printing a couple of copies. The computer it is generated on and the printer it is printed out one shouldn't touch the internet again though...

An SD card can still be compromised when you plug it in, unless to an air-gap. Same with USB drive. Are SD cards' memory more reliable than USBs? I am trying to think of something better than just encrypting a text file with the key pairs and sticking that on a memory card or stick of some kind.


IF you have to go the paper wallet route (remember, HD seeds are not supported and all the paper wallet websites don't support my coin) what is the best way to go about it? As far as I can tell it is:

1. Generate and text strings/QR codes on air-gapped machine.

2. Print paper wallets from this machine.

3. Properly secure the resulting paper wallets from natural hazards (fire, water etc.) and prying eyes.

4. Encrypt private key before printing via BIP38 ASC256 or something else.

Problem I see is as soon as you scan private key QR from paper wallet into internet-connected machine to spend that coin, it must now be considered in the wild (same is true of memory cards/stick though). The way around this is to use the air-gapped machine to sign txs instead of generating private keys, using QR's to shuttle info back and forth between connected and air-gapped machines. While QR's could be printed by both, probably easier to use cheap smart phone with all network connectivity disabled since you can use's camera to scan and screen to display QR's. This should be its only means of communication to the outside world.

Based on this, how can I be sure a phone's network connectivity (cellular, wifi, bluetooth) is COMPLETELY disabled? I've heard it is possible to remotely access a phone even if all network are turned off in settings? Its not like you can just rip out the relevant hardware from inside it.

Now my wallet doesn't have a mobile version, only a desktop one, so this idea is out. So my options are:

1. An air-gapped desktop printing QRs back and forth
2. A paper wallet of some method
3. Trusting in memory cards/sticks with encrypted text files of key pairs. Based on what has already been said I guess I need multiple cards/sticks to ensure data integrity.

As reluctant as I am to say it the later seems like where I'm probably headed.

I've had no issues with electrum? The issues were people that fall for phishing scams.... There were connectivity issues but if you're not in a rush to spend, it doesn't matter and if you are you can put your signed transaction into the network with online tools.

There was a json rpc injection thing also which wasn't as bad as I thought and you could get past that with merely a password which you should use anyway.

None of these issues (other than connectivity ones) have faced android electrum as it doesn't show errors anyway in detail...

---

An sd card can withstand more than paper can...

You have to generate the paper wallet somewhere unless you use dice throws and do it purely mathematical.

Don't print. Make a paper wallet by using seed words, people shouldn't be messing with private keys directly anymore. These words, you write in a piece of paper using your own hands. Then using the same hands copy them to another piece of paper. Secure both in separate physical places, that should be it.

If anything, you'd want to print/copy/email whatever some of the addresses to deposit funds to.

Procedure to make the cold wallets vary but i tend to favor booting a linux iso from usb (like TailsOS), install Electrum, create the wallet and shutdown. There are ways to monitor a cold wallets using Electrum or the other wallets (Electrum just happens to do it quick because SPV, but you depend on others).

If Paranoid run your own bitcoin node first, then you can either use core or your own Electrum server. Don't worry, after the wallet is made you don't need either afterwards, but its nice to have.

Yes you can technically make the wallet with a computer unplugged to the network, and then move some non compromising data to a computer plugged to broadcast.

I like booting TailsOS in the plugged computer because it uses Tor by default, and you want your Electrum wallet to use tor as well (and/or your own server).

The chances of someone catching your seed words when you boot something like TailsOS to make your wallet are minimal. Since the OS wasn't installed in the first place, there was no chance to install a keylogger, and sniffing the network won't do much, unless there is some exploit in that particular version that could be used in the small amount of time it takes you to make the wallet and copy the seed words by hand (which is why some people like to do that part in a computer unplugged to the network).

Actually, I totally agree with your main idea. But it doesn't sound wise for me to save all the information on a $ 100 device. I guess you didn't follow the latest developments about Electrum wallets. Unfortunately, there are many problems with the Electrum wallet. I have doubts about trusting such devices and apps.

In fact the best option might be the paper wallet. As you said, taking extra security measures for those who have invested a significant amount.

When we find our holdings to be much worth, then we should take the necessary steps to keep it secure. As suggested having few copies of the paper wallet and keeping them secure on different places will ensure the holdings to be more secure.

Another thing is to have a ledger wallet. When you have $1500 worth cryptocurrency holdings, spending 10% value to keep the holdings more secure buying a ledger wallet is the best choice along with having paper wallets.

If you really think you are at a lot of risk  at paper wallet then try another kind of storage.

I used electrum and I have the seeds in a small paper. (3 copies) One I always bring and another at my stash which is secured from fire and water.
Oh I literally used a paper and a pen. Just so you know.

Another is just the private keys. Wrote it down in a piece of paper again.
If you want security, go old school. Remember, we have more of privacy before than now. Android, IP's, computers, sim cards, all of them can be used to trace you but not with a pen.

Another way to encrypt your wallet is to come up with a specific algorithm. For example, increase each digit in the wallet address by one and record the result. Thus, even if it is stolen, the scammers will still not be able to steal your funds.

There are many paper wallets online that are free to download. But, it could be difficult to trust since many online platforms now had integrated to the system by daby assisting groups m

That's the price you gotta pay if you want to be the true owner of your coins. What happens if Blockchain wallet vanishes? Don't be dependent to other people/services.

For my own understanding and experience so far, paper wallet is more risk usage, because anytime your device clash or lost from the owner, paper wallet is more difficult to recover, than blockchain wallet.

there is no compromising information inside a raw transaction (unless your wallet is broken and does something that is not normally done in a crazy scenario, and since you are apparently talking about an altcoin you might want to double check this) so transferring it will not have any risk.
although if you are doing the transfer using something like USB disk and connecting that disk to the online computer, then it can be infected there and then "infection" can be transferred to the cold storage.
a way to mitigate is is using QR codes for transactions!

if your wallet doesn't support it, then your only option is finding another application on the internet (hopefully an open source one) and generate the QR code using that tool and using a phone you can scan that and do the transfer back and forth.

yes the private key is kept on the air-gaped offline computer never connecting to the internet.
the public keys are kept on the online computer connected to the internet and the P2P network one way or another.

it can be anything as i explained above. QR codes being the safer option.

usually other wallets offer some sort of command line tool that has additional "expert" lever options. you might have to look into that.
usually these user friendly options are added since there is a demand for it. but if nobody wants it for some altcoin, obviously nobody creates them.

your wallet must offer some sort of encryption (they all do), see if there is an option to encrypt/decrypt private keys using that. if not there are popular tools for encrypting messages (raw data) you can simply use one of them, convert your private key to hexadecimal (base-16) format and encrypt it using one of those tools and AES-256 encryption technique which they must support.

A paper wallet is considered a primitive way of storing your Bitcoin in 2019. 10 years back technology was not so advanced as it is now.

If you want to store any cryptocurrency safely and securely then the best option available in the market is a Hardware wallet. A good wallet like Ledger Nano X can cost up to $100. They do have other models that cost you less than $100.

It would be wise to spend some money to store your assets than using a paper wallet by a third party website. A paper wallet is not a secure way of storing Bitcoin wallet seeds.

bitaddress.org and walletgenerator.net don't support my coin. my wallet will make QR's for public addresses, but not private keys.

between steps 3-5: is copying the tx through these steps a possible compromising vector?

is the private-key part of steps 1-5 an air-gapped computer vs. the public-key/internet-connected part a node?

how do they communicate? QR codes? usb drives?

I can see how you'd do all that with electrum but there isn't an electrum version for my coin.

I see the BIP38 encryption thing at bitaddress, but that works only for BTC addr's.

unless the tool you are using already offers QR code generation, using third party tools to generate that QR code requires extra care. and again you should be doing all of this offline. for example you could download https://github.com/pointbiz/bitaddress.org and run it offline, after generating the key you can store the QR image it generates. other wallets usually support QR codes too. for instance Electrum lets you see your private keys as QR (but not seed)

i haven't used walletgenerator ever so i don't know. bitaddress however has a BIP38 encrypt, decrypt option. for example you can open the website and check this as a test (i created a random key for testing, don't use it for anything else)
encrypted key:
go to wallet details tab and enter the key in first box and click wallet detail and enter the password in second box:
you'll see the decrypted key

encryption is the same, enter the key (L3rp...) check the passphrase checkbox and enter a strong password (123 here for testing only) the encrypted key is going to be at the bottom.

I am considering only a single key, seeds are not an option for my application. My wallet generates them and allows me to export private keys as a text string. I then want copy-paste these into a QR code generator to make QR codes and print the codes + text strings as public/private key pairs. Is this simply too compromised? What can I do to improve this short of abandoning this approach entirely?


The generator of my keys is a wallet, so while it can be temporarily physically disconnected, it cannot be permanently so to broadcast tx's to the world. Ideally internet-facing elements have only public read-only keys and private keys are kept back in paper wallets (the purpose of this thread). Since my goal is to input keys into this wallet via QR codes, including private keys, there will have to be a camera which is a source of compromise at some point. Should the wallet be air gapped completely and the tx text be transmitted somehow to a node for broadcast? This is where it gets tricky for me.


As I said, seeds are out, full stop. I fully appreciate the value of seeds, but not this time. I see walletgenerator.net allows BIP38 and ASC256 encryption of keys but I don't see any means to decrypt them later. Again I am using keys generated from my wallet and not walletgenerator.net or elsewhere. I am trying to secure these keys beyond them just sitting on a HD pretty much in the clear.

I concur on everything in sections 3 and 4. I am trying to find a way to properly secure keys not using seeds or a hardware wallet. If those are off the table, what are my "best practices?"

lets split the whole process into 3 groups/steps:
1. creation
the first thing to do is to create the paper wallet correctly so that you are not leaking anything in this step. for that you should start by choosing a good tool and for that you first have to decide whether you want to store a single key or a seed.
if it is a single key (the most common form of paper wallet) then you can use any trusted wallet that allows you to export the private keys. you can also use specialized tools such as bitaddress.
if it is seed then your choice is limited to the HD wallets such as Electrum.

then you have to download this "tool" and verify its authenticity. this is usually done with a PGP signature.

and the final step is to run it and generate your key(s). in this case you want to choose a clean environment to do that. the best way to do it is using a live linux with network physically disabled.

2. printing
using seed words helps in this case since you wouldn't need a printer, in case you don't own one or are worried about printer memory. you can write down phrases on paper easier than random characters of a private key.
using encryption in this case is encouraged. it prevents someone from physically stealing your coins since they would need the password but then you will have to create a back up of that password too. using encryption also solves the problem with printers if the password was strong and the encryption was a good one (such as BIP38 or simply using AES-256).

3. storage
you choose paper wallets when you want to store a key for long term so you have to store it in a way that it is not damaged in long term and stays safe. choosing the material to "print" the key on is important in this case.
for very long periods, metal is the best choice because of its durability. there are projects that sell ready to use metallic letters designed to be used for bitcoin paper wallets. or you can use an old fashioned chisel an a plate.
paper is the most common and cheapest option. but its durability is limited, it can however be increased by using good material and laminating it. (encryption helps in this case if you don't want to buy a laminating machine).
digitally storing a paper wallet (storing on a USB disk) is discouraged because digital storage is always at risk of being hacked and leaking your key and also for "storage" they are not durable.

[optional]4. testing
i always suggest that when you create something like a paper wallet, you test it. for example you can do all of the above and send a small amount to the wallet you created. then after confirmation sweep that key and spend that amount.
this way you will eliminate any possible mistakes that you might have made in any of the above steps and it can give you a good idea of how things should work. then throw away this test key and create a new one for real usage.

USB sticks aren't very reliable, especially for repeated use.

If you must use them, I'd suggest at least 5 USB sticks and you can normally get small ones in packs of 20...



Hard drives also demagnetise themselves after 3 years (or begin to) if you don't rewrite the entire data.

That is what I mean. Can I just buy an old PC and use it as an air-gap? Or should DIY one? How do I know what printer saves my print jobs vs. one that doesn't? Are there recommended products? Protocols? What is the preferred "set up?"

I actually wouldn't use a paper wallet. I'd get a small USB stick and create a text file. Then add the private keys to the text file and put the text file on the USB stick.

Throw the USB stick in the safest place you can imagine and you've got yourself secure holding.

You could probably do with coming up with something seedlike for the private keys in case you have a misspelling. Alternatively, you could write down the seed in a number base with few overlaps (base 8 or 10 might be good ideas). And make a checksum at the end just in case you mess it up...

As said, you can also use a bip38 password for enhanced security.

You can also encrypt your paper wallet private-key with a BIP38 password, so anyone getting your paper wallet will also need a password to unlock it.

Bitaddress.org does that (check the 'Wallet Details' page).

What really matters is WHERE you're generating the paper wallet (so you need a trusted air gapped PC) and how you're printing this information (does your print save a history of what you print?, are you using a trusted address generator?). These are the main things you should focus.

So an air-gapped computer+printer is best, and then protect the paper + computer from access and fire/water etc. No special stuff beyond that?

I ask because I want to store some keys that don't use BIP39/HD seeds to generate them.

The best practices for paper wallets IMO would be:
1. Put the paper in a fireproof safe if your bitcoins are worth enough for them to be protected (this can also be helpful for dumping the airgapped laptop also so no one tries to check their social media through it)...
2. Air gapped computers are extremely secure on their own (with a password) and are probably better than a paper wallet. But if you're wanting to use a paper wallet (i.e to not put all your eggs in one basket) then air gapping the computer and the printer is the best option.
If you can avoid printing entirely, then try writing out the address or using a QR code (you should encrypt the information you are printing anyway).
A better alternative to writing down your key or printing it off is to use some software like electrum which generates seeds for you to use and these are 12-24 words depending on the security you are after and are much easier to write down and store as you don't have to question "if that's a 5 or an S?".
3. Try finding a way to verify that what you have downloaded to make a seed has given you an accurate address and private keys by putting it into two devices not connected to the internet (or the same device with different operating systems).

---

Some alternatives to paper wallets:
1. Buy a cheap android phone/tablet for a maximum of $100 (preferably an old one that's still sold) and install electrum on it. Then take it completely offline and put it in a safe and secure place.
2. If you can go a bit higher, you can buy a phone and a trezor (or another hardware wallet) and try using that to store your funds (or use the hardware with a computer instead of a phone, this can also be done in an airgapped way once all firmware is installed).

Hi all. What are considered "best practices" to ensure a paper wallet is as secure as can be for cold storage? I realize the paper itself is vulnerable to fire, water etc. And to be sure to guard your private key from view of people and cameras. But I've also heard about needing a special printer because most modern printers have memory in them that saves what you print and that can be compromised. Also an "air gapped" computer using something called "iceberg protocol" or something like that. Can someone tell me what is the best way to set up a paper wallet?