How to safely put your bitcoin into cold storage: the ultimate guide

This tutorial uses Electrum Wallet and a Lubuntu live DVD. You will need a DVD player.

We are not liable or responsible for any bitcoin that you lose while following this tutorial.

Get The Packages:

Advertisement

The price of bitcoin has shot up dramatically in recent months. What once seemed like some pocket cash has turned into a nest egg that you want to protect. Right now, all of your bitcoin is stored in your daily driver computer. The wallet is connected to the internet, and your computer may get a bitcoin stealing virus at any moment. Anybody on the internet could hack into your computer, break your password, and take all of that yummy crypto. But do not fear. There is a solution for all of you HODLers that will allow you to sleep easy at night.

Many of you are probably using Windows and MacOS as your computer’s operating system. They are not the most secure operating system though and they do not have some of the features required for file verication and so on. And even if you are using Linux, it is more secure to create a cold wallet using an operating system that has never touched the internet and that will not save anything, including your wallet. So, we will be using a Linux Live DVD. If you already have a DVD with lubuntu 18 desktop or newer on it, you can skip to the part of this article titled ‘Electrum’. It is right down there. But if you do not happen to already have a lubuntu DVD, download the latest desktop version of lubuntu (a lighter version of ubuntu). You can do that here:

Advertisement

Next, burn the lubuntu iso file to a DVD using the default file burning software that comes with your operating system. If you are using Windows you can do this within file explorer.

Electrum:

After the DVD is done burning, it is time to download all the files you will need to use Electrum and verify it. In case you do not know, Electrum is a lightweight bitcoin wallet (no need to download the blockchain) that has several features that make it easy to keep your bitcoin in cold storage. The first file you will need is the Electrum AppImage (a standalone program for Linux that needs no installation). You can get the latest version of the AppImage at electrum.org/#download in the Linux section.

Advertisement

Note: Never, ever, download Electrum from anywhere other than electrum.org. Check the spelling of the domain! Also remember to verify your download (will be discussed later).

Next download the AppImage’s PGP (pretty good privacy) signature. You can do that by clicking the button below. You will be taken to a page on the electrum.org website. You must right click and save as.

Finally, you must download Thomas Voegtlin’s PGP public key. Thomas Voegtlin is the lead developer of Electrum and the person who runs electrum.org. He is under constant scrutiny, so he cannot steal anyone’s funds. He is the only one who can be trusted. But, if you do not want to trust him you can read the source code HERE, make sure that there is no malicious code, and build the wallet from source. But that is unecessary. So click below and download Thomas V.’s PGP public key.

Advertisement

Finally, you must put these three files (the appimage, the appimage.asc PGP signature, and the ThomasV.asc file) on an SD card or USB storage device that you are sure does not have any viruses on it. Also, create a blank .txt file. The reason for this will become apparent later. If you are in Windows you can navigate to the SD/USB drive’s folder and right click on any empty space in the window, below the existing files. Then select new and in the submenu pick text file. This will create a blank text file. Save the file and you are done.

Once you have done that, remove the USB/SD and put your newly burned DVD into your computer’s DVD reader. Now you are ready to do the difficult part.

Pull up this tutorial on your cellular device (smartphone). Now you can follow along. Just make sure to cover your phone camera or any other cameras with a sticky note. We don’t want any spies. Now, shut down your computer.

Advertisement

At this moment, you should go on a walk or get a breath of fresh air because when you return, you will be in for the long haul.

Set The Stage For Cold Wallet Creation:

I see that you have returned now. Good. Time to finish this, once and for all! First, YOU MUST UNPLUG YOUR COMPUTER FROM THE INTERNET! This will make sure that your private keys and seed phrase never touch the internet, i.e. cold storage. Pull out that ethernet cable or find the wifi adapter on/off switch on your laptop and turn the adapter off. If you have no way of disconnecting your computer from the ethernet connection or you cannot physically disable your wifi card, you will have to disconnect your house from the internet. Tell your family that they will have to do without network connectivity for thirty minutes and unplug your router from the wide area network (unplug the cable coming from the street or from your modem. It is usually blue).

Turn your computer on now. If you want to be extra safe, open your computer and unplug your hard drive before starting the computer. You will need to enter the BIOS or UEFI menu depending on the age of your computer. It is okay if you do not know what those are. To enter the BIOS (or UEFI) you will need to hit a certain key on your keyboard right after you press the power button. This key is usually F1, F2, F10, F11, or F12, but in rare cases can be the Delete or Escape button. You can look up which key to press based on the type of computer that you are using. Or, just repeatedly press all five function keys that were specified (1, 2, 10, 11, and 12) at the same time right after pressing power. It is up to you.

Source of BIOS hot keys: disk-image.com

Once you are in the BIOS/UEFI look for a tab in the top menu called something along the lines of ‘Boot’. Then look for an option that is titled ‘Boot Priotity’ or ‘Boot Order’. It could also be under ‘Storage’. You will then need to click on that option. You must make sure that DVD is first in the boot device priority order. There should be instructions on the page about how to change the order if the DVD reader is not already first, but you usually have to use the up and down arrow keys. Once you have ensure that your DVD player is first in the Boot Priority you must press F10 to save changes (accept) and exit. If F10 does not do this in your BIOS/UEFI, click on the ‘Exit’ or ‘File’ tab and press the option bearing the same or similar name. Now, let the computer boot again. The computer should boot into your Lubuntu DVD now. If it does not you must use the internet to figure our what you did not do properly.

After a couple minutes, you should get to a screen that gives a few options. Select ‘Try Lubuntu without installing” and press enter. This will run the operating system from the DVD solely. NOTHING WILL BE SAVED TO YOUR HARD DRIVE (or SSD). Everything will be kept in RAM. This means that you will have to make sure that you save your seed phrase securely. Do not expect to have your private keys or seed phrase saved on the DVD. Nothing will be saved on the DVD. We will tell you how you should save your seed phrase later. Once you get to the desktop, you must insert the SD card or USB drive that you used earlier. Copy all those files from the USB/SD onto your desktop. Those files will be saved in RAM, memory, and will dissapear once your computer shuts down. You do not need to copy the blank .txt. After those three files are on your desktop, remove the SD card or USB drive.

Verification:

For this part you should hold your phone horizontally to see the commands better.

Now it is time to verify that the Electrum Appimage that you downloaded is authentic. You must press control + alt + t to open the terminal (or open it in some other way). Here are the commands that you must run. Run the whole command, starting after the dollar sign. Do not include the dollar sign.

$ cd Desktop

Run the command below if you DID NOT download those files earlier using linux. We need to convert the .asc.txt to .txt. Replace ‘4.0.9’ in the command below with the version that you downloaded.

$ mv ThomasV.asc.txt ThomasV.asc | mv electrum-4.0.9-x86_64.AppImage.asc.txt electrum-4.0.9-x86_64.AppImage.asc 

If you get a ‘No such file or directory’ error it probably means that your files are already in the correct format and nothing needs to be done.

Now that we are in the Desktop directory with our three good files, we must add Thomas Voegtlin’s PGP public key to our local keyring.

$ gpg --import ThomasV.asc

This is the output that you should see. You can scoll to the side in the box:

gpg: key 2BD5824B7F9470E6: public key "Thomas Voegtlin (https://electrum.org) [email protected]" imported
gpg: Total number processed: 1
gpg: imported: 1

Now that our computer knows the Electrum developer’s PGP public key, we can verify the Electrum software that we downloaded. Replace ‘4.0.9’ in the command below with the version that you downloaded.

$ gpg --verify electrum-4.0.9-x86_64.AppImage.asc electrum-4.0.9-x86_64.AppImage

This is the output that you should get. If you do not get this, your software might be malicious. You will have to remove your DVD, shut down your computer, find out why the version your got was not authentic, and get the authentic version. Watch out for websites advertizing versions of Electrum that are a higher version number than the one on electrum.org. They are almost always malware! You can scroll to the side in the box.

gpg: Signature made Fri 18 Dec 2020 02:07:20 PM EST
gpg: using RSA key 6694D8DE7BE8EE5631BED9502BD5824B7F9470E6
gpg: Good signature from "Thomas Voegtlin (https://electrum.org) [email protected]" [unknown]
gpg: aka "ThomasV [email protected]" [unknown]
gpg: aka "Thomas Voegtlin [email protected]" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 6694 D8DE 7BE8 EE56 31BE D950 2BD5 824B 7F94 70E6

Ignore this part:

WARNING: This key is not certified with a trusted signature! There is no indication that the signature belongs to the owner. 

This is because this PGP key is not part of your web of trust. The software is still authentic. Read more about webs of trust HERE.

The primary key fingerprint should be the following string:

6694 D8DE 7BE8 EE56 31BE  D950 2BD5 824B 7F94 70E6

Don’t trust us? Good! Check the primary key fingerprint that your computer outputs against the one provided on the official Electrum documentation website (made by Thomas Voegtlin also). You will have to scroll down.

Or, use this video that was pointed to on the Electrum website as a source of primary key fingerprint verification. Watch this video for a few seconds and you will see the fingerprint. You could also watch the whole video if you choose because it is a good explanation of how Electrum wallet works.

Primary Key Fingerprint Verification Video

Okay good! Your software has been verified! Now, it is time to run Electrum wallet. First, we must tell our computer that it is allowed to execute Electrum. Run this command:

$ chmod +x electrum-4.0.9-x86_64.AppImage

Now we must start the Electrum wallet. Do not worry. The command below will start an easy to use graphical user interface. An Electrum window should open after you run the command.

$ ./electrum-4.0.9-x86_64.AppImage

Creating the cold wallet:

Now it is time to create the cold wallet. Go to the Electrum wallet window. You will be asked ‘How do you want to connect to a server?’. Ignore this and press next because since you are not connected to the internet, servers do not matter. On the next screen, name the new wallet whatever you want. This does not matter much since the wallet will be deleted from your computer’s memory once you turn the computer off. Afterwards, press next. Select ‘Standard wallet’, the default option. Unless you are creating the wallet for a company, you do not need multisignature. It is always better to not overcomplicate storage of your bitcoin. You don’t want to render your money inaccesable. So select ‘Standard wallet’ and press next.

On the next screen select the default, ‘Create a new seed’, and press next. You will want a new seed. For a few reasons I do not trust hardware devices and think that it is better to just rely on simple cold storage for storing large amounts of bitcoin.

On the next screen you should select ‘Legacy’. Some people and services do not have the ability to send bitcoin to Segwit addresses yet and so your best bet is to just use Legacy. One of the main benefits of Segwit is that transactions involving segwit addresses can have lower fees, but this does not matter for cold storage since you will not be transacting with your cold storage as often as with your hot wallet.

Press next. On the next screen you will be given a twelve word seed prase. Write down this phrase in easily legible handwriting on two sturdy but small pieces of paper. This will be the only way that you will be able to recover your bitcoin! We will discuss where to store these two pieces of paper and how later. We would recommend that you extend the seed with a custom word or phrase. Since your computer is not connected to the interet, this will ensure that your wallet’s seed was not pregenerated and is not already known by somebody else. To indicate that you would like to extend your twelve word seed with custom phrase select ‘Options’ and check the box next to ‘Extend this seed with custom words’. Then press ‘OK’. You will be given a chance later to write down the custom phrase.

After writing your seed on those two pieces of paper, you will need to press next. Do not press back once you get to the next screen as you will be given a different seed and will have to write a new seed down again.

On this new screen you will be given the opportunity to enter your custom seed extension. Enter something memorable and not too complex. If you can think of something that you know you will never forget, do not write it down. If your paper with your seed gets comprimised no one will be able to steal your bitcoin. They would have to get your custom extension also. But, if you have any doubt in your ability to remember your extension for life, write down your extension twice also. You can write it on the same papers as your main seed or separate papers. We would highly recomend leaving nothing to your memory soley. So write it down.

Now, press next. You will be told to write down your twelve word seed phrase to confirm that you wrote it down properly. Don’t enter your extention yet. If this seems a little untrustworthy to you just remember that you are disconnected from the internet. Enter your twelve word seed phrase. Then press next. You will be prompted to enter your custom extension phrase. Do it. Then, press next. You will be prompted to enter a password and then enter it again to confirm. We would recommend choosing a safe password, just in case, even though everything will be deleted once you turn your computer off. But, there is no need to write your password down. It will not recover your bitcoin in any way since your wallet will not be saved digitally.

Finally, press next. You have finished creating the wallet! There are actually only two things you have to do now. First, you should look at the addresses tab in your wallet. Look at the first two receiving addresses and either make a mental note or write down the first five characters of each. Do not confuse yourself by writing these down on the same paper as your seed. Write it on another paper. This will just be for verification of your watching only wallet. We will get to that later.

Second, you will have to get your master PUBLIC key. This will allow you to create a watching only wallet. What is a watching only wallet? Well, your standard bitcoin wallet will never be connected to the internet. But what if you want to generate a new receiving address? Or, what if you want to monitor the balance of all of your adresses? This is where a watching only wallet comes into play. A master public key allows you to generate addresses owned by your seed phrase and view those addresses but it does not allow you to spend coins that are at those addresses. So you can put this master public key into an Electrum located on your daily driver operating system and connect your computer to the internet. This way you can access the bitcoin network and check your total wallet balance. You can also generate around one hundred receiving addresses without running into any problems. But, it is impossible to spend using the master public key and therefore impossible for any of your funds to be stolen. Just a quick caution: If somebody figures out one of your wallet’s private keys and knows your master public key, they can use the two to generate all of your wallet’s private keys. They can steal all of your bitcoin, even if it is spread across multiple addresses and private keys, just using one private key. Of course, it will be very difficult for them to get one of your private keys in the first place, but just be careful. Don’t post your master public keys in any forums or things like that. Just store it on one or two computers that you own. But no one will be able to take your bitcoin just using it.

To get your master public key go to ‘Wallet’ in Electrum’s top menu and select information from the top menu. In a box near the bottom of the window that will pop up will be a long string of characters. This string should start with ‘xpub’ (extended public key). Copy the whole thing using the copy button (looks like a small picuture of two overlapping documents). Now, close your wallet. We are done with the Electrum wallet on this DVD for good. Next, insert your USB or SD card again. Open that blank .txt file and copy in that master public key. Now, remove the USB/SD. Make sure once more that your seed phrase is written down. Now, go back to the command line and shut down the computer using this command:

$ sudo shutdown -h now

The computer should prompt you to remove the DVD. If it does not, turn on the computer again briefly, remove the DVD, and turn it off again before it can boot. You may destroy the DVD if it gives you peace of mind but there is no need since nothing was saved to the DVD. Your wallet is only present in your seed phrase now. Unplug your computer’s power cord now and hold the power button down for thirty seconds. This will power cycle the computer and make sure that the RAM purges. Afterwards, you can plug in the computer again to the power. Reconnect the internet and boot into your daily driver operating system.

Setting up the watching only wallet:

Note: DO NOT EVER ENTER YOUR SEED PHRASE INTO A COMPUTER THAT IS CONNECTED TO THE INTERNET UNLESS YOU WANT TO TURN YOUR COLD STORAGE INTO HOT STORAGE!

That being said, time to set up the watching only wallet. Go to electrum.org and download the proper version of electrum for your current operating system. The Windows installable one is more secure so use that.

There is no need to PGP verify since this wallet will not be able to spend any bitcoin. But, if you want to, you can. Just look up how to verify Electrum in your current operating system.

Now install Electrum. You can look up instructions for your particular opereting system if you need them, but it should be similar to installing any program. Once Electrum is open, you should name your new wallet. You may have to press ‘Create New Wallet’ if your computer already has wallets on it. Press next. Select ‘Standard wallet’ and press next again. On the next screen select ‘Use a master key’. You will now need to plug in your USB/SD device. Plug it in, open that text file, and copy the xpub into the empty box in Electrum. Now delete the text file from your SD card/USB drive (make sure to delete it from trash also). Press next and enter a secure password (you will have to confirm it by entering it twice). This is mainly for protecting your privacy and making sure that people sharing your computer cannot easily find out your bitcoin holdings (or hodlings). Press next. You have succesfully created a watching only wallet. To verify that your wallet is watching the addresses owned by your private key, go to the ‘Addresses’ tab. Now look at those first five letters of the first few addresses that you wrote down earlier. Make sure that the letters match the first addresses in your watching only wallet. If they do, your watching only wallet is watching the correct addreses.

Transfer bitcoin to cold storage:

Go to the ‘Receive’ tab of your watching only wallet. Press ‘New Address’ the address will automatically be copied to your clipboard. Now, go to the wallet that is currently holding your bitcoin. It is time to choose how much bitcoin you want to send to cold storage. Keep in mind that if you want to spend coins from cold storage, you will have to repeat the whole process of booting from the DVD while disconnected from the internet, verifying the software, and entering the seed phrase into electrum. Then you will have to sign a transaction, move it to a machine that is connected to the internet and broadcast it. It will be a hassle. So make sure to only transfer to cold storage an amount that you will not be needing any time soon.

Once you have chosen the amount you wish to send, paste the receiving address that you generated using the watching only wallet into your hot wallet’s sending interface. Send the amount that you wish. You can look up the current network fee here:

Make sure to triple check the address! Set the fee and send. After six confirmations, your bitcoin is safely in cold storage. As of when we are writing this, the fee is 23,000 satoshi to be included within six blocks (according to buybitcoinworldwide.com). 6 dollars! Back in my day, the fees were only 1,000 satoshi! Horrible. Just set the number of blocks that you want your transaction to be confirmed after to a high number like fourty eight. It will take about eight hours to go through but at least you will only spend around 1122 satoshi (0.33 USD). Hopefully fees will not continue to go up! But after a little while your bitcoin will be in cold storage.

Safely Storing Your Seed:

Note: We are not security professionals nor do we claim to be. We are merely giving you some suggestions.

Now you need to safely store your seed and extension. Put both pairs of seed and extension into a ziploc bag for water proofing. Then, seal it in a jar, preferably airtight and metal. A glass mason jar should work. You should have two jars each full of a ziploc bag which is in turn filled with one copy of your seed and extension. Now, store one jar in a secure location and one jar in a completely physically separae location. For example, put one jar in your house and one in your bank safety deposit box. Or if you are lucky enough to have a summer house, put one jar there. You can put one in your private office also, if you have one. Make sure that your jar is not easily acessible, but don’t put it in a safe. A thief will not know that the contents of the jar are valuble unless they see it protected in a safe. If you have access to four physically safe locations you could store half of your seed plus your extension in two places and the other half in another place. Just don’t do anything too complex. You want to be able to recover your bitcoin. Simple but secure is the way to go. You can figure out for your self the best way to store your two jars though. These are just suggestions and, again, we are not security proffessionals. Just don’t store your seed electronically. Anything electonic can be corrupted or hacked.

Thank you!

Thank you for reading this and for maybe following this tutorial. We hope that your bitcoins are secure and will never be stolen. But remember, we are not liable for any losses or mistakes made while following this tutorial. Click below to donate to the author if this helped you. It took a lot of research to write this. The end.

Source of images: Pixabay.com

2 Comments

  1. Ваше мнение пригодится

Leave a Reply

Skip to content