I'm planning to store some bitcoins in cold storage. I'm doing a very simple setup, no complicated algorithms, no wallets...

Here is my plan

  1. Create an air-gapped machine with a Linux distro. The machine won't have access to the Internet and I'll disable the wifi/mobile connection on purpose to be sure that no Internet is available.

  2. Copy 4 files to the air-gapped machine using a microSD card. The first archive has a version of "" which will help me create transactions. The second archive has a "" file which is a set of bash functions to create bitcoin addresses. The third archive is a small HTML/JS qrcode generator. The fourth file is the diceware words list.

  3. On the air-gapped machine, create the mighty bitcoin address. I'm going to use a brainwallet with the following format (or a variation of it)

SALT (5 char) + 10 Diceware words + My Password (10 char) + SALT (5 char)

  4. The passphrase will be hashed one time with SHA-256. The resulting hex will be used as the private key. Generate the address/public-key with the bitcoin utility.

  5. With the Qr-Code generator, create a qrcode of the bitcoin address. Now I use my mobile phone to scan the QrCode and send a few millibits to that address.

  6. Using my connected laptop, I retrieve the Transaction id and Script of the transaction that I made. I write those down on paper. I then go to my air-gapped machine and I enter this information to create the transaction and sign it.

  7. Once signed, I use my qrcode utility again to create a qrcode of the transaction raw HEX code. I then use my mobile phone to scan that QrCode and send it to my pc.

  8. I check that the transaction is valid and I broadcast the transaction.

Some precautions I'll be taking:

  1. Make sure that the Wifi is not running when the air-gapped machine is running.

  2. When scanning the QrCode, make sure that the private key is not visible anywhere on the screen.

So this is the setup that I implemented. I'm wondering if I missed something or something is possibly at risk. Since the setup is tested, I'm here referring to the problem of funds being stolen by cracking my passphrase or infecting my air-gapped machine.

Ideas and criticism welcome!

Omar Abid

Posted 2015-11-06T18:54:05.900

Reputation: 131

You're very likely to lose your money doing this. You're using un-reviewed software which is running in an extremely vulnerable environment (coinbin.js), and you've created a long and arduous process which has you interacting directly with raw keys multiple times. – Anonymous – 2015-11-06T21:21:41.290

@Bitcoin Could you specify how I could lose money? Could the air-gapped machine get infected? Or maybe through technical error? I'm not sure I get your point. – Omar Abid – 2015-11-06T23:15:40.730

If the code is malicious it will produce compromised keys, online or offline. – Anonymous – 2015-11-07T03:02:47.127

@Bitcoin I'll be using the tool only to create transactions and verify them online. I'll be using another utility to create the private key. – Omar Abid – 2015-11-07T07:11:19.450

Either one can compromise your money easily. – Anonymous – 2015-11-07T07:24:55.053

@Bitcoin Can you develop more on that part? The private key is derived from the SHA-256 of the passphrase. The utility I'm using is a simple bash script to calculate the address and WIF format of the private key. – Omar Abid – 2015-11-07T09:22:09.547
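The derivation discussed in the question and comments above (passphrase, one round of SHA-256, private key, WIF), as an added example that is not part of any post on this page and is not the bash script the asker mentions. It also checks that the hash is a valid secp256k1 key and estimates the entropy contributed by the Diceware words alone, assuming the standard 7776-word list; the function names and the sample passphrase are constructed for illustration.

```python
import hashlib
import math

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
# Order of the secp256k1 group; a valid private key k satisfies 1 <= k < N.
SECP256K1_N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141


def base58check(payload: bytes) -> str:
    """Append a 4-byte double-SHA-256 checksum and Base58-encode."""
    data = payload + hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]
    num, out = int.from_bytes(data, "big"), ""
    while num:
        num, rem = divmod(num, 58)
        out = B58[rem] + out
    # Each leading zero byte is written as a leading '1'.
    pad = len(data) - len(data.lstrip(b"\x00"))
    return "1" * pad + out


def key_to_wif(key: bytes) -> str:
    """Uncompressed mainnet WIF: version byte 0x80 followed by the 32-byte key."""
    if len(key) != 32 or not 1 <= int.from_bytes(key, "big") < SECP256K1_N:
        raise ValueError("not a valid secp256k1 private key")
    return base58check(b"\x80" + key)


def brainwallet_key(passphrase: str) -> bytes:
    """Single SHA-256 of the UTF-8 passphrase, as described in the question."""
    return hashlib.sha256(passphrase.encode("utf-8")).digest()


def diceware_bits(words: int, list_size: int = 7776) -> float:
    """Entropy of `words` words drawn uniformly at random from the list."""
    return words * math.log2(list_size)


if __name__ == "__main__":
    # Constructed sample in the question's layout (salt + 10 words + password + salt).
    # It is not a real passphrase and its words are placeholders.
    words = "alpha bravo charlie delta echo foxtrot golf hotel india juliet"
    sample = "aB3$x" + words + "Passw0rd!!" + "Zq9#k"
    key = brainwallet_key(sample)
    print("private key (hex):", key.hex())
    print("WIF:", key_to_wif(key))
    print("entropy from 10 Diceware words: %.1f bits" % diceware_bits(10))
```

The entropy figure only holds if the words are picked by dice rolls; the salt and password parts are not counted.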



Omar, you can do almost everything you want there with Armory using the offline feature. The offline, air-gapped computer can create the private key and store it there. The watch-only wallet on the internet connected computer can create transactions to be signed by the offline computer.

From a security standpoint, it's generally better to use something a lot of other people have used before than creating your own process.

Jimmy Song

Posted 2015-11-06T18:54:05.900

Reputation: 7 330

I just downloaded Armory but I don't see the option to create a private key or create a custom transaction. – Omar Abid – 2015-11-06T23:13:58.510

Create a wallet to create private keys. Import the watch-only wallet, create a transaction by doing a "send bitcoins" and on watch-only wallets, you'll create a transaction in ASCII that can be imported to the off-line machine to sign. – Jimmy Song – 2015-11-07T00:19:40.263