Secure your Bitcoin without breaking your balls - a (relatively) simple guide to Cold Storage

So you've acquired some Bitcoin- whether it be by mining, a purchase with fiat currency, faucets, or goat trading. And now, since you're smart, you're thinking about security. You ask yourself, how do I make sure that some grubby little crypto-hacker doesn't get his hands on my stash? There are a few ways to go about this, with varying levels of complexity.

For small to moderate amounts of BTC (let's say roughly $1 to $50,000 worth), here is the best solution in my opinion. It balances high security with ease-of-use and ease-of-backup while still allowing accessibility to your coin should you decide you'd like to spend, sell, or otherwise transfer it somewhere else on the network. After all, eventually you might want to re-invest in goats.


“What address did you say this was going to, again?”

Permanently divorce a spare computer from the internet

The first step is to designate a computer that will never again touch the internet (or any other network) during or after your wallet installation. This can be an old desktop or laptop machine of just about any make from the past ten years. For example a Pentium 4 with 512mb of ram and 8GB hard drive will be fine- it doesn't have to be fast, just functional. Whether you use a desktop or laptop model, if it has built-in wired or wireless networking, you'll want to disable it. At a minimum, this can usually be done in the BIOS for on-board network devices, but you'll want to physically remove the devices if possible, and in the case of a laptop with built-in Wifi- assuming you want to be properly paranoid about this- disassemble the unit enough to remove or at least unplug the wireless device. Many laptops have modular wireless units that can be accessed through the same panel as the machine's RAM, others you will have to get a little more medieval on and manually disassemble until the components can be accessed. RJ45 (Ethernet) connections can also be taped over as a physical reminder of their non-working status and to prevent an errant cord from being plugged in.


Operating systems

When it comes to the operating system for your offline wallet, the best option would be to install some variant of Linux. I recommend Ubuntu 10.04.4. That said however, installing a fresh, clean copy of Windows 7 or 8 will be easier for many people and also probably be fine assuming you follow the strict guideline of never again allowing it to connect to a network or the internet during or after the wallet installation. That is to say, make sure the connection is severed BEFORE you generate your wallet. I do not recommend Windows XP though it will also likely work fine with the same precaution. A very slight possibility of security breach exists with any Windows installation (and to a far lesser extent, even with Linux) if you use an infected USB stick to communicate your transactions with this offline machine- this will become clear when we talk about how to make transactions with such a setup, below. So if you use Windows, make sure your USB flash drives are clean- format or otherwise wipe them completely if there is any doubt.

Wallet software - Electrum

Now you'll need an offline-transaction compatible wallet installed on your selected computer. I highly recommend Electrum from for a number of reasons. The current version as of this writing is 1.9.6. This is a 'deterministic' wallet where your key is derived from a 12 word randomly generated phrase, called a “Seed”: this means the forever-and-always backup of your wallet can actually be memorized, or more likely, written down on paper and stored in a secure physical location (safe, safe deposit box, or anywhere you feel comfortable about).

The other extreme advantage of Electrum is that it is 'Instant On'. Unlike traditional clients, there is zero waiting for a local copy of the blockchain to be downloaded, a process which can now literally take days. It instead utilizes a network of remotely hosted bitcoin nodes. It never reveals any private key information to them.

Back up and protect your Seed

I recommend at least one if not two additional physical-backup locations for your wallet seed as a failsafe, perhaps with some additional improvised scrambling added that only you will remember if it comes down to it. Adding a few words that you know are not part of the seed, and scrambling the order slightly are two ideas. Pick words from the official Electrum word list. This additional obfuscation is perhaps especially important for offsite backups such as 'safe deposit boxes' at a bank or other traditional financial institution which may not be 100% secure depending on political or economic climate in the future. If you are able to even stall an institutional attacker's attempts long enough to realize the attack is underway and move to a new wallet, you've won.

Dude, really? A CRT? No, no.. you can have it.

Password protect (Encrypt) your Wallet

You will absolutely still want to password protect and encrypt the digital wallet file itself, this is a built-in option in Electrum accessed from the 'Wallet' menu. Choose a long password completely unrelated to your seed, with a minimum of 16 characters. It's easiest to select something memorable to you, but not easy for anyone else. An example would be an easily remembered phrase with a random modifier or two, but avoid any phrase that has ever appeared in print. For example a line of Shakespeare would be a relatively weak password, whereas '[email protected]!' would be much stronger. Use your imagination, the point is to have something unique and unguessable, while remaining memorable.

What if someone steals my offline-wallet computer?

Having your wallet thus encrypted ensures that if your actual hardware (computer) is stolen that there will be no access gained by the attacker. Of course, in that unlucky event you would still transfer your balance to a newly generated wallet, as well as begin using a new wallet password.

If you wanted to play with even higher security, Ubuntu allows encrypting your entire file system. If you install Truecrypt for Windows you can achieve the same. This may get onerous if you follow best practices in using different passwords at every level of encryption. Given the precautions already taken, another layer of encryption is overkill for most people, and therefore optional.

Okay, so now I have the offline wallet part set up. Now what?

From here you can then set up a “watching only” copy of Electrum on your regular everyday online computer. This will allow you to monitor your cold storage/offline balance, as well as generate new addresses to receive more bitcoin- but there is No Way to spend them unless you go through a manual, physical process of signing a transaction with a USB stick swapped between your offline and online machines.

Set up the watcher - export/import your Master Public Key

On your offline computer with Electrum running, go to Wallet → Master Public Key. This will provide your Master Public Key in both text and QR-code form. Copy the text string and save it to a text document on your USB stick.

Now, on your Online computer, install Electrum. When you run it for the first time, select 'Restore' in the dialog box, and use the 'Master Public Key' that you just copied from your offline machine via USB stick.

You will now see the complete balance and transaction information for your secure, cold-storage, offline wallet. Electrum will display [watching only] in the title bar as confirmation of this read-only state.

This step only has to be completed once. You can then copy/backup this read-only wallet file like you would any other wallet. It does not contain any private key information whatsoever and does not present a risk of loss if it falls into the wrong hands, though it is still best practice to prevent it from doing so.


Spending your coins: offline transactions with the USB stick

So the day comes when Bitcoin reaches parity with Neptune and you'd like to spend some of your coinage. Here's how.

On your Online PC, go to the Send tab to make a transaction, fill in all the details required and click 'Create unsigned transaction'. Instead of sending it, Electrum will query for a location to save the transaction as a .TXN file. Select your (clean) USB stick and save it there.

Now, swapping to your Offline PC, in Electrum select 'Tools - Load Transaction - From File' and select the transaction you just created on your USB stick. It will detect it's not signed and will prompt you to do. Enter your password and sign the transaction. Save the new, signed, transaction back to your USB stick.

Once more, back to your Online PC. Again select 'Tools - Load Transaction - From File'. Select the now-signed transaction, Electrum will ask you if you want to broadcast the transaction to the Bitcoin network.

Congratulations, you have completed a highly secure Bitcoin transaction without ever exposing your Private keys to the internet.

Other thoughts on account security

If you have a second party that you trust implicitly, you may want to give them a copy of your wallet seed phrase and basic instructions on what it is, perhaps with a copy of this information as well. That way, if you happen to shuffle off the mortal coil without warning, your loved ones can still access the financial assets you have so thoughtfully accumulated.

One other tweak to monitor your wealth

From the Electrum menu, pull up Tools → Plugins. Check the box for 'Exchange rates' and select the currency of your choice. Your balance in that currency will then be displayed next to your BTC balance at the bottom left of the window.

Brought to you by

All security how-tos will eventually be archived at the website, now under development.

Contact the cryptochief: admin at cryptochief dot com

Security | Cryptocurrency | Computers | Psychology | Bitcoin | Technology

QR Code
QR Code secure_your_bitcoin_without_breaking_your_balls-a_simple_guide_to_cold_storage (generated for current page)