Bitcoin Cold Storage
I like to keep my funds in addresses where the private keys have never touched a network, a technique often referred to as “Cold Storage.” Even if the host operating system has a keylogger, since the computer will never be plugged into the internet, the spyware can never phone home.
(Skip to the section at the end if you want to generate a cold storage wallet and seed, without a dedicated computer.)
Setting up your cold storage wallet
1. Install the wallet software of your choice on an old computer — remember, this computer can never use the internet again for the entire time you want your funds to be secure in your new cold storage wallet. I use an old Raspberry Pi 2 with Electrum.
2. Disconnect your cold storage computer from the Internet, for good.
3. Create a new wallet on your cold storage computer — you should save the seed somewhere (forever) in case this computer fails. Your wallet’s seed is basically a copy of the money, so keep it safe from damage and prying eyes! Memorize it for good measure; it’s all you need to restore (or steal) your funds. If you’re worried about somebody gaining physical access to the computer, you should probably password protect your wallet file (the last step in the Electrum wallet creation wizard).
4. Find your wallet’s xPub (extended public key), a long string you can safely share with networked computers. It might be challenging to copy this from your cold storage computer without a network, but you can usually generate a QR code and scan it with your phone. Do not copy the xPriv key to any other device; that would defeat the purpose of creating a cold storage wallet!
Sending to and monitoring funds on your cold storage wallet
1. Download and install your wallet software, this time on a computer connected to the internet.
2. Import an existing wallet as “watching only” using the xPub key you took from your cold storage computer in Step 4 above.
3. Send your funds to any receiving address provided by the wallet software. Your funds are safely stored in cold storage!
Spending cold storage funds
If you want to spend all of your cold storage funds, you might as well recover your wallet on a computer connected to the Internet by using the seed, as if your cold storage computer does not exist. This destroys the “cold” part of the cold storage wallet and you’ll need to generate a new one if you want to put more funds into cold storage.
Otherwise, if you only want to spend some of the funds (or don’t want to destroy the cold wallet), you just generate a transaction on a networked computer and sign it on the cold storage computer:
1. On a networked computer, using the “watching only” wallet (described above), create a new transaction. For example, in Electrum on the “Send” tab, you can Pay to a Bitcoin address recipient. Create the transaction normally, even though the software does not know the wallet’s private keys.
2. Copy the raw text of the unsigned transaction to the cold storage computer. I like to use my Pi camera to copy as a QR code, but some people write out the long string of characters manually. Never connect your cold storage computer to the network “just for a second,” because that defeats the purpose of the cold storage setup! A USB drive can carry it from your networked computer to the cold storage computer, but tricky spyware on your cold storage computer could theoretically hide the private keys on any connected drive for the next time you plug that drive into a computer with Internet.
3. Sign the unsigned transaction by importing the raw text into your wallet software on the cold storage computer. Skip this if in Step 2 above you scanned the QR code or wrote the text directly into your wallet software.
4. Copy the signed transaction to broadcast on a networked computer. I usually scan it with my phone.
5. Broadcast the signed transaction to the network. I like to verify it all looks good first with Coinb.in and then I use their Broadcast feature to send it off to the mempool for inclusion in the blockchain by the miners.
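The check before signing or broadcasting can also be done offline. The sketch below is an added example, not part of the original post or of any wallet's code: it parses a raw serialized transaction and reports any output that does not match the payments you intended. It assumes raw transaction hex (not a PSBT); the scripts, amounts and sample transaction are constructed for illustration.

```python
def read_varint(b, i):
    """Decode a Bitcoin CompactSize integer at offset i; return (value, next offset)."""
    n = b[i]
    if n < 0xfd:
        return n, i + 1
    size = {0xfd: 2, 0xfe: 4, 0xff: 8}[n]
    return int.from_bytes(b[i + 1:i + 1 + size], "little"), i + 1 + size

def parse_tx(raw_hex):
    """Parse a serialized transaction; return its inputs, outputs and locktime."""
    b = bytes.fromhex(raw_hex)
    i = 4                                    # skip the 4-byte version
    segwit = b[i:i + 2] == b"\x00\x01"       # BIP144 marker + flag
    if segwit:
        i += 2
    n_in, i = read_varint(b, i)
    inputs = []
    for _ in range(n_in):
        txid = b[i:i + 32][::-1].hex()       # txids are displayed byte-reversed
        vout = int.from_bytes(b[i + 32:i + 36], "little")
        slen, i = read_varint(b, i + 36)
        i += slen + 4                        # skip scriptSig and sequence
        inputs.append((txid, vout))
    n_out, i = read_varint(b, i)
    outputs = []
    for _ in range(n_out):
        value = int.from_bytes(b[i:i + 8], "little")   # amount in satoshis
        slen, i = read_varint(b, i + 8)
        outputs.append((b[i:i + slen].hex(), value))
        i += slen
    if segwit:                               # skip one witness stack per input
        for _ in range(n_in):
            items, i = read_varint(b, i)
            for _ in range(items):
                ilen, i = read_varint(b, i)
                i += ilen
    if len(b) - i != 4:                      # only the 4-byte locktime may remain
        raise ValueError("malformed transaction: unexpected length")
    return {"inputs": inputs, "outputs": outputs,
            "locktime": int.from_bytes(b[i:], "little")}

def unexpected_outputs(raw_hex, expected):
    """Return outputs whose (script, satoshis) pair is not in the expected dict."""
    return [(s, v) for s, v in parse_tx(raw_hex)["outputs"] if expected.get(s) != v]

# Constructed sample: one unsigned input, a 50,000 sat payment and 149,000 sat change.
PAY = "76a914" + "11" * 20 + "88ac"          # constructed P2PKH script (recipient)
CHANGE = "76a914" + "22" * 20 + "88ac"       # constructed P2PKH script (change)
SAMPLE_TX = ("0100000001" + "aa" * 32 + "00000000" + "00" + "ffffffff" + "02"
             + "50c3000000000000" + "19" + PAY
             + "0846020000000000" + "19" + CHANGE + "00000000")
print(unexpected_outputs(SAMPLE_TX, {PAY: 50000, CHANGE: 149000}))
```

An empty list means every output pays a script and amount you expected. The raw transaction does not carry input amounts, so the fee cannot be checked from it alone.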
Cold storage without another computer
You don’t need a cold storage computer just to keep your funds in cold storage, but you do need a device you can completely wipe clean after generating your wallet file/private keys. Another downside is that you can’t spend a portion of your money; you have to recover the entire seed when you want to move the funds out of cold storage. You would also have to throw out the seed and make a new one if you wanted to put additional funds into cold storage.
Nevertheless, if you’re keeping the funds long-term and don’t intend to spend it very frequently, this method is fine for you.
1. Install your wallet software.
2. Unplug the Internet.
3. Create a new wallet, saving the seed somewhere super safe from theft, fire, and away from prying eyes. Make more than one copy or memorize it, because this set of words will be the only way to spend the funds from cold storage in the future.
4. Copy the wallet’s xPub key to a different computer or onto your phone (without connecting the cold storage computer to the internet yet). Later you can import the xPub key into your wallet software as “watching only” to generate receiving addresses where you can send your funds to be kept in cold storage. Do not copy the xPriv key; it must be kept private (it is also encoded in your seed words for when you will restore the funds).
5. Completely wipe the cold storage computer’s hard drive and all attached drives before plugging it back into the internet. Yes, you will have to reinstall your OS. Use those ‘cleaning’ programs where they write nonsense 0s and 1s all over the drive or just make sure to spare no expense in ensuring complete eradication of all file fragments.
Your funds are now safe and sound, encoded in your cold storage seed. Recover the funds in the future by importing the seed words like you would recover any wallet.