In this article, I use the term "storage unit" to refer to any item that could conceivably store a Bitcoin private key.
Examples:
- Text file on an offline laptop.
- A normal paper notebook.
- Minecraft game files, in which the key is written out in large letters in an underground cavern, lit by torchlight, accessible within the game only via a specific door and passageway.
- Last year's diary, where the key is written in sections in between various appointments and notes. Perhaps it is written using the first 16 letters of the Greek alphabet instead of hexadecimal numbers.
- Metal letters on a wire loop.
- A handwritten poem with some sort of encoding scheme.
- A crossword puzzle book with the key written in invisible ink along the tops of several pages.
- A printout of the text of an argument on a Star Trek fan forum, in which the numbers that originally referred to the dimensions of a fictional spaceship have been replaced with the numbers that comprise a Bitcoin private key.
- A Bible, in which particular verse numbers and letters are underlined.
- Architectural drawings, in which the numbers have been altered.
- A can of soup, which has been emptied and cleaned, that contains several laminated cards.
- An unused computer component, which has been hollowed out and contains several rolls of paper.
- Etc, etc.
Effective offline storage of a Bitcoin private key is:
1) Robust: Store multiple copies so that the loss of a single copy is not catastrophic. Avoid storing all copies in one building, due to the risk of fire. [0]
2) Secure: Keep the storage unit in a location that is difficult for someone else to access.
3) Hidden: The storage location should not be in plain sight.
4) Secret: Other people should not know the storage location.
5) Disguised: The storage unit should look unimportant. It should not include / involve anything that someone else is likely to want to use / pick up / look at. [1]
6) Decentralised: Split the key into at least two sections. Apply the other principles in this list to each section of the key. Ensure that no storage unit contains all the sections.
7) Referenceable: Create a name for each key. Store the name with the key in the storage unit. Store the name and the corresponding address somewhere more accessible, so that you can use the address [2] without getting it out of secure storage. [3]
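As an added illustration (not part of the original article), the Python code below applies principles 6 and 7 together with the Greek-letter idea from the examples: it splits a 64-character hexadecimal key into named sections, writes each section in the first 16 Greek letters, and checks the sections when they are reassembled. The record layout, the function names and the key name "savings-1" are assumptions made for this example.

```python
GREEK = "αβγδεζηθικλμνξοπ"  # first 16 Greek letters, standing for hex digits 0..f
HEX = "0123456789abcdef"
TO_GREEK = str.maketrans(HEX, GREEK)
TO_HEX = str.maketrans(GREEK, HEX)


def split_key(name, key_hex, parts):
    """Return one (name, index, total, greek_text) record per storage unit."""
    key_hex = key_hex.lower()
    if len(key_hex) != 64 or set(key_hex) - set(HEX):
        raise ValueError("expected 64 hexadecimal characters")
    if parts < 2 or 64 % parts:
        raise ValueError("parts must be at least 2 and divide 64 evenly")
    size = 64 // parts
    return [(name, i + 1, parts, key_hex[i * size:(i + 1) * size].translate(TO_GREEK))
            for i in range(parts)]


def join_sections(records):
    """Rebuild the hex key from records collected from the storage units."""
    if len({(name, total) for name, _, total, _ in records}) != 1:
        raise ValueError("sections belong to different keys")
    total = records[0][2]
    by_index = {}
    for _, index, _, text in records:
        # Duplicate copies of a section are allowed, but they must agree.
        if by_index.setdefault(index, text) != text:
            raise ValueError(f"copies of section {index} disagree")
    missing = sorted(set(range(1, total + 1)) - set(by_index))
    if missing:
        raise ValueError(f"missing sections: {missing}")
    greek = "".join(by_index[i] for i in range(1, total + 1))
    if len(greek) != 64 or set(greek) - set(GREEK):
        raise ValueError("wrong length or unexpected character")
    return greek.translate(TO_HEX)


if __name__ == "__main__":
    sample = "0123456789abcdef" * 4  # constructed sample, not a real key
    for record in split_key("savings-1", sample, 4):
        print(record)
```

The two translation tables at the top are the cipher record that footnote [1] says to keep in multiple copies.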
Relevant article:
How to write a Bitcoin private key on paper
Notes:
- Private keys can be stolen via cameras. Do not open the storage unit near a camera or potential camera.
- Be careful of printers. Many of them are computers in their own right, are remotely accessible via Wi-Fi, and keep digital copies of what they print.
- A Bitcoin address is necessarily public, and can be shared with anyone without risk to the bitcoin held in it. You can therefore store extra copies of it without taking any additional security risk (although this does of course create a secrecy risk - someone might find a copy and deduce that the address belongs to you).
You may also decide to store the address in the offline storage unit alongside the private key. This has several advantages:
- It is not necessary to re-calculate the address from the key on an offline computer in order to view the address.
- A written address, kept offline, is a resilient copy of the address. Address copies kept on network-connected computers might conceivably be altered by mistake or by third parties.
- When the key is entered into an offline computer, the stored address can be used as an additional confirmation of the newly-entered key's accuracy, by generating an address from the entered key and comparing it to the stored address. If a transcription error has been made in the private key during the original storage or during entry into the offline computer, the newly-generated address will be different.
- Extra safeguards:
-- Within the storage unit, separate the key and the address [4]. This means that you can look at the address and know which private key is stored there, without uncovering the key itself.
-- Encipher the address in some way so that it doesn't look like an address.
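Transcription errors can also be caught in the address copies themselves. The Python example below is added here and is not from the original article: it assumes a legacy Base58Check address (the kind that starts with "1", not a "bc1" address), verifies the checksum built into that format, and confirms that all written copies agree. The function names are the example's own and the sample address is constructed.

```python
import hashlib

# Base58 leaves out 0, O, I and l because they are easily confused when handwritten.
ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def _checksum(payload):
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]


def b58check_encode(version, body):
    """Encode version byte + body + checksum (used here to build a sample)."""
    raw = bytes([version]) + body
    raw += _checksum(raw)
    n, out = int.from_bytes(raw, "big"), ""
    while n:
        n, r = divmod(n, 58)
        out = ALPHABET[r] + out
    pad = len(raw) - len(raw.lstrip(b"\0"))  # each leading zero byte becomes "1"
    return "1" * pad + out


def address_is_valid(addr):
    """True if addr decodes to 25 bytes whose last 4 bytes match the checksum."""
    n = 0
    for ch in addr:
        if ch not in ALPHABET:
            return False
        n = n * 58 + ALPHABET.index(ch)
    pad = len(addr) - len(addr.lstrip("1"))
    raw = b"\0" * pad + n.to_bytes((n.bit_length() + 7) // 8, "big")
    return len(raw) == 25 and _checksum(raw[:-4]) == raw[-4:]


def check_copies(copies):
    """Return a list of problems found in the written copies of one address."""
    cleaned = [c.strip() for c in copies]
    problems = ["copies differ"] if len(set(cleaned)) > 1 else []
    problems += [f"copy {i + 1} fails checksum"
                 for i, c in enumerate(cleaned) if not address_is_valid(c)]
    return problems


if __name__ == "__main__":
    sample = b58check_encode(0, bytes(range(1, 21)))  # constructed, not a real wallet
    print(sample, check_copies([sample, sample + "\n"]))
```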
Relevant article:
How to write a Bitcoin address on paper
[start of footnotes]
[0]
Optional further safeguards:
- Use a waterproof container.
- Store two copies in each storage unit, as protection against any small amount of damage that makes it hard to read a character or sequence of characters within a single copy.
[return to main text]
[1]
It would also be reasonable to encipher the private key in some way so that it looks like some other type of information that's common and unimportant. However, be very careful to make a record of the cipher algorithm (and keep multiple copies of it).
[return to main text]
[2]
For checking its balance, making transfers into your savings, accepting payments, etc.
[return to main text]
[3]
Perhaps write out the address twice, to reduce any future concern that there might be a typo.
If storing the address in a text file on a computer, then keep several copies on a few consecutive lines.
Some text editors, when you select a string and highlight it, highlight other identical strings in the document. This can be used as a quick test to confirm that all copies of the address are identical (i.e. that no copy has a typo).
[return to main text]
[4]
If there are multiple key/address pairs, then write a human-readable pair name next to each address and key, so that you can easily match them together.
[return to main text]
[end of footnotes]