How to secure your Bitcoin Wallet

Just like in the real world, where people typically have multiple places to store their money (i.e. their wallet/purse, bank account, or safe), in the digital world people also have multiple places to store their Bitcoins. And just as you would not carry your life savings around with you in your wallet or purse, you may not wish to store all of your bitcoins in an “online or hot wallet”.

So once you have more Bitcoin than what you’d be comfortable carrying around with you, then it is probably time to move some of your investment to an offline wallet.

Off-line “Cold Storage” wallets

A bitcoin wallet does not hold your coins – the blockchain does that.  A bitcoin wallet holds your private key(s).   Like the keys to your shed, a key copied now while your shed is empty can be used later to steal your future lawnmower.  Likewise, a copy of your wallet keys taken now can be used to steal any future coins that you may add to your wallet at a later date.  So it is very important that you keep your keys a secret at all times.

Currently, the simplest and most secure method that I know of to protect your private key(s) is to use one or more off-line paper wallets to store any coin you may have in excess of your day-to-day requirements.   For an off-line “Cold Storage” wallet to be a true “Cold Storage” wallet, it must never have been on a machine that accesses the internet at any point from the moment the wallet was created onwards.

Easiest way to create a “Cold Storage” Paper Wallet

You will need:

  • A PC or laptop that you can disconnect from the net, and boot from a USB key.
  • A printer that you can connect to your “offline” computer, and twenty or so sheets of paper.
  • Three blank USB flash drives (thumb drives, USB Keys – whatever you want to call them) – At least one of them should be 4GB or greater.  We will call these, Boot, Public, and Private. It might be a good idea to label them accordingly, as you definitely do not want to get these mixed up.

Step by step process:

  1. Download and extract the Paper Wallet Generator to the “Private” USB Key.
    Go to and then click on the “clone or download” button, and then select download zip. It is a green button halfway down on the right-hand side.  
    Next extract the contents of the zip to an empty USB Key. This USB will become your off-line – “Private off line storage” key, which after we have copied a couple of things on to it, will never ever be accessed from an online machine again.
  2. Set up an off-line machine on the “Boot” USB Key.
    You can follow the instructions here to create a USB that you can boot your machine from (either your laptop or desktop) after disconnecting from the net.  Alternatively, if you are already running Ubuntu, then select “Startup Disk Creator” from the menu.  This is now the “Boot” USB Key.
  3. Boot off the USB Key (if required to setup your printer).
    While still connected to the net, boot your machine from the “Boot” USB key.    You may need to use Google to find out how to boot your specific machine from a USB key – on a Mac, for example, you need to hold down the “option” key while booting. On a Windows machine, you may need to turn off “fast boot” and repeatedly tap F2 or F12 while booting – it varies a lot – so I will leave you to determine how to do this for your specific machine via either your manual – or more likely Google.
  4. Set up your printer
    While still online, connect your printer, download and install any printer drivers that your specific printer may require, and ensure that you can print a test page.  
  5. Disconnect from the net
    Disconnect the machine that you will be temporarily using as your offline machine from the net, and if you have not already done so boot it from the Boot USB key.
  6. Connect your off-line printer (if necessary)
    If your printer is a network or IP printer, and you can not connect it directly to your offline machine then you will need to disconnect everything from your hub including the hub’s connection to the net leaving only your machine and the printer.
  7. Optionally, set up text files to save your public and private keys in
    Create a text file called PublicKeys.txt on your “Public” USB key, and a text file called PrivateKeys.txt on your “Private” USB key.  I use gedit to do this by using “Filer” to create the file and double clicking it to open it in gedit.
  8. Print your paper wallets.
    On your offline machine, go to the folder where you extracted the paper wallet archive and open the generate-wallet.html file from the bitcoinpaperwallet-master folder.  It should open in the default web browser – which is typically Firefox on a fresh Linux install, but which browser you use shouldn’t matter.
    I normally skip straight to step two – “Print front”, as I have never found it necessary to calibrate the printer, but by all means feel free to go through each step.
    Be sure to print at least 2 copies of each paper wallet and be sure to save the private key (the one on the left that starts with a 5) to PrivateKeys.txt on your “Private” USB key and the public key (the one on the right that starts with a 1) to the PublicKeys.txt file on your “Public” USB key.  Note: The number on the left that starts with a 1 is also known as your bitcoin address.  It is the public address that you give out to people to send you bitcoins – which is why we copy it to your “Public” USB Key.
  9. Print a “test” wallet (optionally)
    Optionally, you may wish to print out an additional paper wallet for test purposes – let’s call this your test wallet. The main reason to do this is so that you can scan the QR Code (on the right) that contains the private key for this wallet.  If that scans OK then you can be confident that the private key on the other wallets will also scan OK.  (You don’t test these directly by scanning them as that would expose them to the net, and they would no longer be cold storage wallets.)  You also may wish to send a small amount of coin to your test wallet and then use it as a hot wallet with the paper wallet as the backup. 
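
The keys saved in step 8 are Base58Check strings, so a copy-and-paste or typing slip can be caught on the offline machine before the paper is filed away. The Python 3 script below is an added example, not part of the paper wallet generator; the function names and sample values are assumptions made for illustration, and it should only ever be run on the offline machine.

```python
import hashlib

ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

def _checksum(payload: bytes) -> bytes:
    # Base58Check checksum: first 4 bytes of double SHA-256
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]

def b58check_encode(version: int, data: bytes) -> str:
    """Used here only to build the constructed sample values below."""
    raw = bytes([version]) + data
    raw += _checksum(raw)
    n = int.from_bytes(raw, "big")
    out = ""
    while n:
        n, r = divmod(n, 58)
        out = ALPHABET[r] + out
    pad = len(raw) - len(raw.lstrip(b"\0"))  # leading zero bytes become '1'
    return "1" * pad + out

def b58check_decode(text: str) -> bytes:
    """Return version byte + payload, or raise ValueError on a typo."""
    n = 0
    for ch in text:
        if ch not in ALPHABET:
            raise ValueError(f"invalid Base58 character {ch!r}")
        n = n * 58 + ALPHABET.index(ch)
    pad = len(text) - len(text.lstrip("1"))
    raw = b"\0" * pad + n.to_bytes((n.bit_length() + 7) // 8, "big")
    if len(raw) < 5 or _checksum(raw[:-4]) != raw[-4:]:
        raise ValueError("checksum mismatch")
    return raw[:-4]

def classify(text: str) -> str:
    """Say which USB key a saved line belongs on, from its version byte."""
    try:
        body = b58check_decode(text.strip())
    except ValueError as exc:
        return f"INVALID ({exc})"
    if body[0] == 0x80 and len(body) == 33:   # uncompressed WIF, starts with 5
        return "private key (WIF) -> PrivateKeys.txt only"
    if body[0] == 0x00 and len(body) == 21:   # P2PKH address, starts with 1
        return "address -> PublicKeys.txt"
    return "valid Base58Check, but not a 5... key or 1... address"

# Constructed sample values built from dummy bytes (not real wallets).
SAMPLE_WIF = b58check_encode(0x80, bytes(range(1, 33)))
SAMPLE_ADDR = b58check_encode(0x00, bytes(range(20)))
```

Calling classify() on each line of PrivateKeys.txt and PublicKeys.txt flags any string that fails its checksum and any private key that has ended up in the public file.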

Common mistakes to be avoided.

  • Inserting the “Private” USB Key into an online machine.  If this happens, then, unfortunately, your wallets can no longer be considered cold storage as a virus may have copied your private keys.
  • Leaving your “private” USB key in the machine when you are finished is a huge mistake.  Always check that you have removed your “private” USB key before reconnecting to the net or rebooting back into your native operating system (even if disconnected from the net).
  • Exposing your paper wallets to a camera.  For example, backing up your wallets by taking a photo of them with your mobile phone, photocopying them, or exposing them to a security camera would be a very bad idea.
  • Storing them all in the same place may result in them all being lost in the same accident.
  • Not storing them securely may result in your private keys being stolen without you realizing it for perhaps years, as the key could be used at any time thereafter.

Finally, always disconnect your computer from the net and shut down before inserting and booting from your boot USB key. Never insert your private USB key into any other machine, or at any time other than when your machine is in this off-line state, and keep the machine disconnected until the process has completed and you have removed the USB Key and rebooted.

How secure is this?

After all that trouble, you would think that your new wallets would be extremely secure; after all, you have created your private keys offline and they have never been exposed to the net. However, if the source file that you use to generate your keys was tampered with by a thief, then they could modify it to use a master-seed – rather than the entropy generator that the genuine generator uses.  Knowledge of the master-seed would allow them access to all of your wallets. For this reason be careful which paper wallet generator you use, and how you acquire it. Being plain HTML and JavaScript, you could also review it yourself – with a view to ensuring that it does not use some mysterious number as the seed to the crypto functions.

Why not just use a TREZOR wallet?

TREZORs are an appropriate safeguard for an online “hot” wallet, but for offline storage, a TREZOR just adds another point of failure.  After all, you have to back up your TREZOR to paper anyway, so you may as well just use a paper wallet in the first place.  It is also much easier to spend directly from your paper wallet than it is to recover a TREZOR from backup.

Mobile Spending Wallet

The one that I currently run, and have run for many years is Mycelium ( or

What I like about it is that –
1. it runs on my phone,
2. it is easy to back up,
3. it is open source,
4. it requires that you enter a pin to send funds, so it is even safe for a while if you lose your phone, although if that was to happen, then I would be restoring the backup on to another device and sending the coins to a new wallet as soon as possible.

Finally, check out this book – Practical Guide to Crypto Investment 2018: Helping The Early Adopters


