Cold storage for your Bitcoin can set you back a hundred dollars or more in hardware expenses. And third-party services charge a percentage of your holdings for cold storage, an ongoing investment that not every risk model requires.
But you can also make a DIY Bitcoin cold wallet for the cost of a café frappé at your favorite bistro, offering a secure and affordable way to put your coins on ice.
Sure, you can spend money on the latest crypto gizmos to secure your assets. To be fair, some of these devices offer extra features worth the investment. But then, that leaves less money for Bitcoin.
To make your own Bitcoin cold wallet, you’ll need a thumb drive ($10) and a specialized operating system called Tails that’s designed to run off a thumb drive. The Tails OS is free and open source. Expect to invest about an hour of your time if you’re new to the process.
Here’s what you’ll need to know to get started.
tl;dr: How to Make a Bitcoin Cold Wallet
If you don’t have time to read the full article, the following summary can point you in the right direction. However, it’s helpful to understand the nuts and bolts of the wallet you’re building to reduce the risk of potentially costly mishaps.
- Choose an 8GB or larger USB thumb drive.
- Download the official Tails OS image file from Boum.org.
- Use Balena Etcher to write the Tails image to the thumb drive.
- Boot your PC from the thumb drive.
- Once Tails boots, do not connect to the internet. Really.
- From the top-left menu in Tails, select Internet and then Electrum.
- Walk through Electrum’s wizard setup steps to start a new wallet, but don’t enable persistence when building a cold wallet.
- Write down the 12-word seed phrase Electrum provides. Electrum will prompt you to type it in again.
- From Electrum’s top menu, select “Wallet” then “Information” to show your public key.
- From the same screen, click to open the QR Code to transfer your public key to another computer or mobile device. Other installations of Electrum can read the QR code to import a “watching-only” wallet. A watching wallet can’t spend or transfer funds.
- Once you’ve tested the watching wallet and safely stored a copy of your private key or seed words, you can shut down Tails. The next time you start Tails, the OS won’t remember anything that happened previously.
A secure Bitcoin self-custody strategy benefits from a basic understanding of how the pieces fit together. Read on for a more in-depth breakdown of what’s going on under the hood when you make a Bitcoin cold wallet.
What is Cold Storage?
Cold storage refers to a cryptocurrency wallet that has never had its private keys exposed to the internet.
Bitcoin wallets use two keys: a public key which allows Bitcoin to be sent to a wallet address, and a private key which allows Bitcoin to leave the wallet. With a Bitcoin cold wallet, only the public keys are ever exposed to the internet.
The only way to guarantee that the private key is never exposed to the internet is to create the wallet offline. But even that precaution isn’t enough. If you’re using a computer that has been online previously or may be online in the future, the machine may still be compromised, possibly putting any keys created on that computer at risk.
A computer that has already been online may already have keyloggers or other forms of malware on the system, including malware that can open an internet connection. A computer that will be online in the future may not be any safer because a record of the keys still exists on the hard drive — even if deleted, again possibly putting your private key at risk.
Both scenarios can also potentially risk exposing your seed words. The seed words for the wallet allow the wallet to be recovered elsewhere or on another computer and allow funds in the wallet to be spent or transferred.
Connecting to the internet before or after creating your wallet keys introduces risk. So, the best solution is to create a cold wallet inside an operating system that will never go online.
Don’t worry; solving this dilemma is easier than it seems.
What is the Tails Operating System?
Tails is an acronym for The Amnesic Incognito Live System. The name accurately describes the operating system.
And no, Tails isn’t some geeks-only interface that limits users to command line prompts. Tails uses the Gnome desktop, a well-known Linux desktop environment that provides an easy-to-use graphical interface.
- Amnesic: Tails, by design, forgets everything after it is used. You also have the option to enable a “memory” for Tails, using a feature called persistence. But you won’t need to enable persistence to build a Bitcoin cold wallet.
- Incognito: In applications where Tails connects to the internet, Tails uses The Onion Router (TOR) network to help conceal your location and identity. The Tails operating system includes a specialized browser, which is based on Firefox and designed to work over TOR. However, we won’t connect to the internet when building a Bitcoin cold wallet, not even over TOR.
- Live System: Tails OS is designed to work as a live operating system that runs off a thumb drive. The other option is to run Tails in a virtual machine such as VirtualBox, which is cross-platform, or Gnome Boxes, which is a Linux solution. For building a cold wallet, a USB drive is the best option because it requires extra steps to connect to the internet. By contrast, a virtual machine might (probably will) connect your Tails installation to the internet automatically.
Tails OS uses open-source software, making both the operating system and applications free to use.
If you have another operating system installed, you can use Tails without disrupting your current setup; simply boot the computer from the thumb drive with Tails installed. You can usually choose the boot device from your computer’s BIOS settings, although some computers may already be set up to look for a bootable thumb drive before booting from the hard drive.
After creating your Bitcoin cold wallet, you might find other uses for Tails. It’s a solid privacy solution.
Although the need doesn’t arise often, I keep an up-to-date install of Tails on a thumb drive for the odd time when I need to research topics that may not fit the current political narrative.
How to Install Tails to a Thumb Drive
To install Tails, the first step is to choose a suitable thumb drive.
If you don’t have one handy, this SanDisk 16GB thumb drive has proven reliable and offers a compact, retractable design.
Then, download the image file from Tails directly.
On the Tails page, you’ll find instructions for installing Tails using Windows, Mac, or Linux. Further down the page, you’ll also find a link to get started with Tails in a virtual machine.
Note: For installation on a thumb drive, you need to download the .img file as opposed to the ISO file. The latter is used for virtual machine installations.
To install Tails to a thumb drive, the safest method for building a Bitcoin cold wallet, the instructions for Windows and Mac recommend using Balena Etcher. Balena Etcher is another open-source tool that’s free to use. Linux users can use Etcher, but the Gnome Disks utility can also transfer the Tails image to a thumb drive.
Installing Tails to your thumb drive will destroy all data on the drive, so be sure to choose a drive that’s not being used for anything else.
Using Balena Etcher, only part of the drive will be filled by Tails and its included apps. Later, you’ll have the option to make the remaining space available for persistent file storage. Again, persistence isn’t necessary (or desired in many cases) when making a Bitcoin cold wallet.
How to Use Electrum as a Bitcoin Cold Wallet
Because the Electrum Bitcoin wallet comes preinstalled in Tails and because a Tails thumb drive can be used without connecting to the internet, Electrum on Tails offers a perfect way to make a Bitcoin cold wallet.
From the top menu in Tails, choose “Internet” and then “Electrum.”
You’ll see the following:
Tails will recommend enabling persistence for Electrum. However, persistence isn’t the right choice when building a cold wallet. Ignore the suggestion.
Persistence allows you to save data to your thumb drive, which could expose your keys if you connect to the internet at a later date.
It isn’t necessary to choose a special name for your wallet. The wallet name isn’t stored on the blockchain, and your installation of Tails will forget the entire incident when you shut down Tails.
You can choose “Standard wallet,” as shown above, for a simple Bitcoin cold wallet. However, Electrum also supports two-factor authentication or multi-signature wallets if you have a need for these options.
Since we’re making a new wallet, choose “Create a new seed,” as shown above. Electrum chooses a 12-word combination from a bank of 2048 unique words.
These seed words, also called a seed phrase or a recovery phrase, allow funds to be transferred from the wallet. Now, you can understand why you’d want to generate the seed offline.
Segwit, short for Segregated Witness, enables lower-cost transfers in some cases but may not be compatible with all wallets.
Electrum automatically assigns a unique seed for your wallet. Write the seed words down and start thinking about a longer-term strategy to protect your seed words.
In the next step, you’ll be asked to type in your seed to be sure you have it written down, as seen above.
Pro tip: Clicking the back button on the screen pictured above will generate a new seed. If you click the back button, be sure to note the updated seed phrase. The old one won’t work anymore.
Choose a password to protect your wallet. Don’t fret over password strength because you’re just making a Bitcoin cold wallet and won’t be logging into the wallet using this password after you exit Tails.
Instead, you’ll be logging into Electrum on another machine, another operating system, or a mobile device using a “watching only” wallet.
To find your public key, which allows you to send funds to the wallet, first click on “Wallet” in the Electrum menu and then “Information.”
This opens a window titled (unsurprisingly) “Wallet Information.” You’ll see your Master Public Key provided as a lengthy hexadecimal value. But there’s no need to write this hex value down if you have a smartphone or another computer with a camera.
Instead, you can click on the QR code icon under the Master Public Key to open a QR code. You can then use the QR code to import the Master Public Key on another device you own that has Electrum installed, such as an Android phone.
Next, add the wallet you’ve created to the new device.
Caution: Don’t use the private key or seed phrase when building the watching wallet on the second device. Exposing these to an internet-connected device can put your funds at risk.
Use the QR code to transfer your wallet to the new device as a watching-only wallet.
On the next screen, choose a “Standard wallet.” And on the screen that follows, choose “Use a master key.”
Click on the camera icon to scan your QR code for the public key (!) from your cold wallet and import the cold wallet into your connected device.
The process is similar for Windows or Mac with Electrum installed, although taking a picture of the QR code might be a bit trickier.
Using Tails in a Virtual Machine
Think of a virtual machine as another computer within your computer, complete with its own operating system.
You can use Tails OS in a Virtual Machine to make your Bitcoin cold wallet, but this method leaves more room for error. One key issue is that virtual machine applications try to make things easy for the end user, including automatic internet connections in many cases.
A cold wallet in which the private keys are exposed to the internet is no longer a cold wallet.
As a precaution, you can disable internet access for the host computer before installing the Tails virtual machine. But this still leaves security risks. For example, there’s no way to know if the host computer is clean or if it’s been infected with malware that will phone home later.
Booting Tails from a thumb drive is a safer way to create your Bitcoin cold wallet. But if you need to use a virtual machine for some reason, download the Tails ISO rather than the image file. Your virtual machine software can build your Tails installation from the ISO.
Storing Your Private Keys
As a starting point, you’ll need to write down the seed words for your wallet. But paper isn’t very durable. And it’s flammable too. To protect your seed words against risks like fire, floods, or teething puppies that chew everything they can find, you have some options.
- Metal cold wallets: A metal wallet offers a way to save your seed words in a way that’s fire and water-resistant. It might even survive teething puppies.
- Fireproof and waterproof case: A purpose-built case can protect your private keys as well as your other important documents. Check the fire resistance rating before buying, though. Some cases are only rated for 1/2 hour, whereas the SentrySafe case below is rated for 1 hour.
- Share your key with someone you trust: As an alternative, you can share your cold wallet keys with someone you trust, possibly the person to whom you’d like to leave your Bitcoin if you die unexpectedly or become incapacitated. Consider this choice carefully, and be sure to discuss your security concerns before sharing.
- Shamir’s Secret Sharing Scheme (SSSS): If you must store your keys online and you don’t intend to keep a large value of Bitcoin in your cold wallet, there is one option you can consider. Shamir’s Secret Sharing Scheme offers a way to encrypt an input (a secret) and then split the encrypted output into multiple parts. When splitting your secret, you can require a certain number of parts to decrypt the secret. For example, you can require three of five parts. SSSS is available for Debian, Fedora, and other Linux distributions through the repository.
- Memorize your seed words: Because there are only 12 seed words, you can memorize your seed phrase. Memorization is good practice regardless of other backup methods but can have its own risks if used alone. What if you forget one of the words or mix up the order? What if you become incapacitated? Each Bitcoiner has to decide for themselves which combination of security measures is appropriate for their needs.
What you don’t want to do is to store your seed phrase in plain text on a computer, phone, tablet, or in cloud storage, the last of which is just someone else’s computer. Anyone familiar with cryptocurrency who stumbles upon a file containing 12 or 24 words will know immediately what they are looking at and how to appropriate your funds.
Hardware Alternatives to Tails With Electrum
Hardware wallets, such as Trezor or Ledger devices, offer a way to protect your keys electronically. The obvious caveat is that you may be spending up to $100 or more to secure your Bitcoin with one of these devices.
Other concerns revolve around apps needed to run these devices, which may introduce additional security risks.
You’ll also need to back up the recovery keys for a hardware wallet, just like a software wallet. So, while a hardware wallet can help protect your Bitcoin by requiring authorization by a device you control, there are still seed storage considerations.
Match Your Security to Your Risk Model
In the end, we each need to choose the security measures appropriate for our level of risk. A Bitcoin wallet holding $10 worth of Bitcoin probably doesn’t need the same level of security as a wallet that holds $10,000 or $10 million worth of Bitcoin.
A Bitcoin cold wallet provides a good starting point, but your complete security strategy may require more than one solution. For example, you may want to keep multiple cold wallets as well as one or more hot wallets connected to the internet, the latter of which holds spendable Bitcoin.
Frequently Asked Questions
Should I keep my bitcoin in a cold wallet?
Even if you don’t have much Bitcoin yet, you should practice safe storage habits such as using a cold wallet. As the value of your Bitcoin grows over time, you’ll already be familiar with the best ways to protect your stack.
What happens if you lose your cold wallet?
A cold wallet isn’t like an online bank account where you can recover your password. If you lose the private key to your cold wallet, you won’t be able to spend or transfer the funds in the wallet. Make safe storage of your private key or seed words a top priority.