pull down to refresh

There are many posts discussing which Hardware Wallet to buy or why some Hardware Wallet companies don't accept Bitcoin, etc., but what if the whole point of Bitcoin is about self-responsibility, which includes making your own cold wallet? πŸ€”
I'm not against anyone buying any HW if you really want to, as it's definitely better than storing it in exchanges or putting your hard-earned sats in any hot wallets. But learning how to make my own cold wallet was one the most empowering moments in my Bitcoin journey, and you can create it on the go instead of waiting for deliveries, which is much more efficient and private too!

Why not Buy a Hardware Wallet and Done?

I purchased some hardware wallets before and really regretted them, now they are sleeping somewhere and as decoys... but if you really want to buy one, I recommend buying these hardware wallets when traveling. For example, I bought mine when I was in Europe, and not only did it deliver faster and with lower tax, all I did was use the Airbnb address and random name, done. Also, ideally, you shouldn't pay it with any fiat cards under your name; otherwise, it's all linked.
But the most turnoff part for me is you need to keep updating it, and the last thing I want is to pay attention to whatever this company is doing. Seriously, all I need is somewhere SAFE to keep my stash, so I found a better solution later: a DIY cold wallet with Tails OS β€” the simple understanding of this setup is using an encrypted USB with a clean OS and a built-in Electrum Wallet, and you can create any cold wallet offline this way. ( sorry, this is the best I can explain, and I don't know too much about the deeper tech levels )

DIY Cold Wallet Benefits

Private: you avoid all the potential KYC or information leaked, as these hardware wallets are essentially honey pots.
Low key: you can make your own cold wallet with USBs in different looks, while carrying hardware wallets is basically telling others: hey, I have Bitcoin, and here is where I store them.
Low cost: why waste unnecessary money when you can stack more sats? And making your own with a USB is dirt cheap...
And the good news is if I can do it, you can do it too! just need to be patient, read on to find out how.

How to Make a Cold Wallet?

1. Use cash to buy a normal USB ( 8 GB minimum )
Fun fact: you won't even have any receipt when paying in cash these days; also, choosing any USB between 16 to 32 GB is good enough.
2. Install tailsOS into the USB stick.
It might take some time to download, and simply follow all the detailed steps here. ( this tutorial is based on MacBook )
a. Download TailsOS
b. Verify your download
c. Download balenaEtcher
d. Flash TailsOS into your USB
Open balenaEtcher β€” Flash from file ( choose TailsOS ) β€” Select target ( your USB and all the data on this USB stick will be lost ) β€” flash β€” wait a bit and done β€” restart the computer.
Pretty easy, right?
Now you have the USB ready, and we are moving on to creating a cold wallet offline! πŸ₯
3. Boot the USB.
Press and hold the Option when you turn on the computer, then choose the USB stick ( FEI boot ), and press Enter, then it will load the welcome screen, here is a good video showing the process when enter your TailsOS. ( First-time users can just click start tails to see how things are inside, play around and get familiar with the OS. )
Extra note
/ It doesn't work with newer Mac computers with an Apple processor (M1 or M2), feel free to chip in solutions.
4. Create the persistent storage and set the password
If you want to keep some important information inside the USB stick, you need to set the persistent volume so you can still access the data after each shutdown because everything you do in TailsOS will be wiped the second you close it by default.
After all these setups, save something into the persistent volume, reboot the USB again, and try to see how things are entering with the password and without it. Fun fact: if you access the OS without the password, you'll enter a clean OS; And the beauty of this is even if someone else picks up your USB, they can only enter into this clean OS, with NO access to any encrypted data!
Sharing one more story: I once lost my bag with a USB with a small stash of emergency funds. However, I was quite calm thinking about where I possibly left my bag in because a. I got backups, b. people could never have guessed there was Bitcoin in it, c. no one could access that USB but me, and that's the whole point.
5. Open the built-in Electrum.
Here it comes with the normal practice of creating a new wallet in Electrum: do this when you are alone and in a calm mind; Cover ALL cameras and turn off the phones.
a. Create a new wallet
Name it to anything you like, and optionally set a password for this wallet file; then, you can simply use this password with the wallet file to open the wallet without inputting the seeds later.
You then would be shown different wallet options to choose from. For simplicity, I'm showing you how to make the standard one.
b. Write down the seeds
Create the seeds, and write them down somewhere safe.
Then you would be asked to type and confirm the seeds.
Optional: you can also extend the seeds with custom words by clicking the options; As for how to keep the seeds, one thing to note is that you always make copies, ideally 3, and in different places.
Simple solutions as reference
  • Make it into half or three pieces, and put it in different places: it can be digital, meat place, or a mix of both.
  • Use your own memory, especially for your biggest stash.
  • Make a song or poet with the words.
Be creative, but always keep it simple, and one of the good solutions is to make use of the built-in KeePassXC password manager: open it β€” create a new database β€” set file name β€” set password β€” save it in persistent storage ( important! otherwise, it would be GONE after the computer shuts down ), and mark down the Master key, seeds, and a few addresses for the later verifying.
- Master Key: click Wallet Information, it's showing in the Master Public Key area.
- Seeds: the 12 words that you just wrote down.
- Address: click View and Show Address, mark down the first and the last few addresses.
Optionally, you can also mark down the derivation path and fingerprint.
c. Set the password to encypt wallet file
Important: This password for the wallet file is useful only if you are storing the wallet file in Persistent Storage. Otherwise, the file would be gone the second you shut down the computer.
d. Restart the computer (stay offline) and verify.
You should always verify the wallet before depositing any funds: restart the computer and open both Electrum and KeePassXC password manager β€” create a wallet β€” name it β€” Standard wallet β€”I already have a seed β€” enter the seed β€” load the wallet address and compare these addresses with those that we previously marked down in KeePassXC β€” if it's the same, then congrats! you have learned how to make your cold wallet:)
This is the simplest setup, and you can definitely try with 2FA or multi-sign; Choose whatever works for you, but always KISS because oftentimes, you are your own enemy.

The Art of Using the Cold Wallet

Firstly, using cold wallets for long term saving or create Lightning channels only, it's not meant for daily use.

How to deposit?

Create a watch-only wallet, but you can't use this watch-only wallet to send any sats; the watch-only wallet choice can be a Blue wallet or Green wallet, or even Zeus ( Starting with v0.9.0 ).
πŸ‘€ Advancing step
Ideally, plan your UTXO ( unspent transaction output ) well when depositing; don't send a big chunk of sats or have too many small ones. For example, it could be 1M, 3M, or 10M for each deposit. Otherwise, it will cost too much fee or potentially bad for privacy when you are using them in the future. The solution could be to think and plan ahead how you will use these funds in the future. yes, it's not easy to be your own banker, but that responsibility comes with freedom.
Real-life samples on why UTXO planning is important
In the fiat world, if you are buying something that costs $9, logically you use either $10 or two $5 for it instead of $100, right? In the Bitcoin world, if you are buying something costing 90k sats, then you can either use one 100k sat UTXO or combine two 50k sat UTXO, and you don't want to use a 1M sat UTXO for it because it will be too much "changes" = high fee.
But as the world gradually embraces Bitcoin and people start to see the magic of Lightning, we would use onchain for large amount of transactions only; And see the chart below to show you how the fee works under different sat/vB environments. ( ideally, the minimum of UTXO should be at least 1M sat )
( not sure where this chart was originally from, and thanks to whoever made this! )

How to create a watch-only Wallet?

Go to wallet info to get the Master Public Key, or use the QR code to scan it ( use the phone offline to scan, then later back to online would show the Watch-only Wallet ).

How to recover the fund and use it?

Generally you can restore the funds in any Bitcoin wallets, but some could be quite tricky due to the derivation path, here is a good source if you would like to learn more about it.
And to make things simple the easiest option to restore is using Electrum again: create a wallet β€” name it β€” Standard wallet β€”I already have a seed β€” enter the seed one by one, done.
For nomads or travellers
If you are traveling around like me, you might want to create a small stash for emergencies. In this case, using Blue Wallet to restore is pretty handy, you can easily restore it on your phone.
How:
Open Blue wallet β€” click add wallet β€” choose Bitcoin β€” HD SegWit ( BIP 84 Bech32 Native ) β€” import wallet β€” enter the seeds and done.
But my favorite way to restore wallets is with Sparrow Wallet, it's a really powerful wallet. Not only do I get to choose which UTXO to spend, but controlling the fee better. Maybe I would write a more detailed article on how to restore each type of wallet with Sparrow wallet, as it solves many problems.

Extra Reminders

- Always make backups of the seeds, at least 3, and in different ways.
- Do more tests until you are comfortable with what you are doing.
It took me more than one month and many tests to know what I was doing, and I used small sats to do the tests, from start to finish β€” how to create β€” how to restore β€” how to spend, then think about each step and how can do better, and how to recover the fund when in an emergency.
- As for how to cross borders in general
Ideally, you make it in a way that only you are able to decode your seeds, even if it's in text, e.g., you can use 10 words to write a story and use your mind to remember the rest of two...or make it half in poet, another half in articles online, madness is plain sight is the way.
Freedom means self-responsibility and the fact that you can cross any border with 12 words in your mind and no one can take your money away is so empowering, and making your own cold wallet is definitely one of the highlights. ✨
I heard rumors that some bitcoiner has forked TailsOS and added a bunch of popular bitcoin wallets/tools to the base install. Does anyone know what I'm talking about?
reply
There's also Ben Westgate's BAILS
reply
I think that's the tool you are looking for: https://github.com/DesobedienteTecnologico/dtails
P.S. It's sort of DIY. You provide a ISO file (Tails or Debian), and it creates a custom image for you, with the additional bitcoin software you choose to add.
reply
reply
It is experimental, but there is also nixos-airgapped.
reply
Great post! And as you mentioned you like Sparrow Wallet (as I do ^^), I would add my 2 sats of info too...
It's possible to install Sparrow (using TailsOS's Persistent volume), fully integrated with desktop icons and such.
If it's something anyone would like to try, here is the link for a guide: https://danielpcostas.dev/installing-sparrow-wallet-on-tailsos-persistently
reply
11 sats \ 0 replies \ @nout 11 Jun
If you use Bails (as mentioned above), then that also installs Sparrow and configs it to use the local Bitcoin node: https://github.com/BenWestgate/Bails
reply
Sparrow Wallet is amazing! and thanks for the chip in:)
reply
Every podcast should have a 1-3 minute advert that explains this process. The only people who need a hardware wallet are the influencers that get paid to shill them.
reply
The only people who need a hardware wallet are the influencers that get paid to shill them.
a typical fiat model.
it's actually quite risky linking your name to sell others' products which you don't have much control ( who knows what's gonna happen with that company? ), yet many ppl are doing it.
reply
Here is a tutorial in Spanish, I made it some time ago: https://youtu.be/yU3Ff4NWXFY?si=OVr393AXaYPjlhqg
It's a great solution.
reply
cool!
reply
Hi Natalia, Thank you for sharing this great post, it's nearly the same example I did when I start self-custody. I'm in IT since 12 yo, and learned about Tails 10 years ago, so creating my hardware wallet was easy. In fact, you can call it "paper wallet". I'd like to share some tips here to let you know how you can improve this setup to go further on improving your bitcoin security.
  1. Never store your 12 words on digital form, that's bad practise. Even KeePassXC (or any other local password manager). Because at the end of the day, you will do copy/paste of this 12 words, and leave a trace in RAM. Of course the 3 letter agency maybe won't raid your house at this exact time of your wallet setup when you are running TAILS, but there are ways to hot dump all RAM if you leave your computer open for expert in this field. So by not leaving trace of your seed digitaly, you remove this kind of attack, even if it's a rare one, we all agree. Better to only write down the 12 words seed on paper, or different notebook to have paper backup.
  2. Instead of Electrum, I decided to go directly with Sparrow Wallet in TAILS. That means, when I prepared my USB stick with TAILS on it, I configure the persistent volume with a password, and downloaded the sparrow wallet .deb file on this persistent volume. This way I can install Sparrow locally on TAILS even offline.
  3. Border Wallets This is a great website to learn more about Border Wallets with paper wallet. The website has about 30 pages, it's a quick read, reading pages in the order like a book. https://www.borderwallets.com/ Sparrow Wallet v1.7.4 introduced Border Wallets For Memorizable Seeds. https://i.ibb.co/W6dLPH2/borderwallet.png BTC Sessions made a great tutoriel video guide here: https://www.youtube.com/watch?v=wHQrvCGVkTw
  4. 10x Security Bitcoin Guide https://btcguide.github.io/ This is one awesome guide that recommand to create a Multisig wallet. It talks about paper wallet and other hardware wallet. The principle remains the same, one could follow this guide and use 3 different paper wallet to create a multisig 2-3 for example.
  5. SeedSigner: create an air-gapped DIY Bitcoin Signing Device It is by listening to this podcast episode that I learned about the creator of SeedSigner and why he did it. To me, that will be my next challenge, to build one. https://thank-god-for-bitcoin.simplecast.com/episodes/seedsigner-on-career-change-digital-forensics-and-bitcoin-digital-defense-r5oqmSqF Here is one of a remarkable guide. SeedSigner Independent Custody Guide: https://seedsigner.com/seedsigner-independent-custody-guide/
Conclusion Lots of resources, hope you can bookmark them and take your time to go through and hopefully write other articles mentioning these resources.
reply
thanks! That's part of the points in sharing, getting input for improvements:)
Never store your 12 words on digital form, that's bad practise.
agree! I normally don't store full words anywhere, and making it in a way only I am able to decode. πŸ€“
Instead of Electrum, I decided to go directly with Sparrow Wallet in TAILS.
I'm going to try install Sparrow Wallet in Tails later tonight!
Border Wallets
interesting, never heard of this, and thanks will check it out.
10x Security Bitcoin Guide https://btcguide.github.io/ This is one awesome guide that recommand to create a Multisig wallet. It talks about paper wallet and other hardware wallet. The principle remains the same, one could follow this guide and use 3 different paper wallet to create a multisig 2-3 for exemple.
I think Multisig is a bit unnecessary for individuals? (I actually tried it before) why not simply use an extra seed phrase. πŸ‘€
reply
84 sats \ 2 replies \ @joda 11 Jun
You may want to add an explanation of air-gapped spending . Use an SD card to sign a transaction and then physically move the SD card to an online computer to broadcast, or sign then scan a QR code and broadcast via the scanning device (presumably a phone).
Also, I'm a bit confused about why you would go to all this trouble, then restore the seed in an unsafe computer (electrum & blue wallet in your examples).
reply
Also, I'm a bit confused about why you would go to all this trouble, then restore the seed in an unsafe computer (electrum & blue wallet in your examples).
I made these cold wallets mainly for long-term savings, not for daily spending ( I use LN for spending).
The BW case is if I need to use more funds than what I have in LN when I am out and about, then I can just spend or swap those emergency funds.
reply
79 sats \ 0 replies \ @joda 11 Jun
OK everyone has different trust assumptions and security models, and I'm also not following precisely what you are trying to do, so I may be misunderstanding.
Keep in mind if you save all your funds in the safest, coldest wallet imaginable, then one day import your private keys into an unsafe/online wallet, you have instantly lost all the security and opened yourself up to every vulnerability you were trying to avoid.
One thing you can do is "test" a wallet and a device to see if your funds get taken or something else is awry. You can, for example, deposit some funds and wait a week or so to see if the funds "disappear"; this also helps if you were uneducated enough to try to make your own entropy, or just made insufficient entropy with whichever method you used.
I also like to test wallets to make sure they generate the right addresses. Use both Electrum AND Sparrow (or Blue Wallet, etc), and make sure they show the same receive addresses. One benefit of a dedicated hardware device with a screen is that it can show you the addresses in the transaction it received from the software wallet, so if they are not the same, something is wack.
If not using a dedicated hardware signing device, I would also manually inspect the transaction before broadcasting. Paste the signed transaction here:
Check to make sure the address is what you intend. You can also use that website to broadcast the transaction, from any online computer. Use a VPN over Starbucks wifi while wearing a fake mustache and sunglasses if you're paranoid.
reply
The young padawan is making huge progress learning.... gooooood. The Force is strong with this one.
reply
and the young padawan still have much to learn. πŸ‘€
reply
100 sats \ 1 reply \ @Lux 11 Jun
Natalia hardware wallets sellers worst nightmare
reply
knowledge is power instead of keep buying endless things. πŸ˜‚
reply
79 sats \ 1 reply \ @flat24 11 Jun
very valuable content, great job writing this guide, thank you very much for sharing it with the community
reply
I actually learnt all these from SN, and going back to SN πŸ‘€β™»οΈ
reply
Very informative post. Definitely going to try this. Thanks for sharing
reply
this is the way, waiting to hear your progress! πŸ₯
reply
Bookmarked!
reply
Excellent guide. I am going to try this out.
reply
this is the way!
reply
Peer pressure is beneath you, @Natalia.
reply
I didnt even say anything πŸ‘€πŸ€£
reply
79 sats \ 1 reply \ @Taft 11 Jun
Great PoW and very detailed! Thank you!
reply
the goal is to make it approachable for anyone. 🫑
feel free to point out if anything is confusing
reply
This is so cool! bookmarked
reply
you mean bookmarked and try later? πŸ‘€
reply
Nice try, fed!
reply
Excellent PoW. Another well-written and edited document with valuable information.
I thought maybe Bitcoin beginners, but you are right to place it here.
Thanks as always!
reply
If hardware wallets could be purchased locally at gas station, I'd be more likely to purchase one. Check out some of my articles on Yakihonne.com on how to do this securely on a VM using linux. Every tech savvy person should be able to implement their own cold solution. But for the non-tech savvy person, this is too big of a hurdle.
reply
I think it's about how much the one is willing to learn / how much they want to be free; I was a noob too, I mean everyone was once a noob? πŸ™Š
maybe we should share detailed guidelines and encourage ppl to try, instead of thinking that they just can't manage and push them just to buy...
33 sats \ 1 reply \ @anon 11 Jun
reply
BW is super handy for restoring emergency funds when traveling.
Wow. I didn't know it was possible to do this. I'm going to try it. Thanks for sharing! Once again phenomenal.
reply
many possibilities! just need to have an open mind and stay curious:)!
reply
Great Post! This is an amazing DIY for Bitcoin wallets! For Bitcoin to Excel and prevail everywhere we need to spread knowledge about How to Bitcoin and you seem to be doing exactly the same...thank you so much...
reply
spread knowledge about How to Bitcoin
this is the way! not by talking but by doing πŸ‘€
reply
43 sats \ 0 replies \ @TomK 11 Jun
Wooow! Thank You very much for this! What a great post. I'll try it these days.
reply
43 sats \ 1 reply \ @joda 11 Jun
"Make it into half or three pieces, and put it in different places: it can be digital, meat place, or a mix of both. Use your own memory, especially for your biggest stash."
this is not best practice
reply
feel free to share the better ways:)
reply
You ignite possibilities for us all!
reply
That’s really cool actually. It’s on my to do list plus I’ve bookmarked your guide. Thanks so much! πŸ™
reply
43 sats \ 3 replies \ @OT 11 Jun
Thanks again!
Wonder how you would use a multisig wallet inside tails…. Creating it might be easy, but signing a TX probably needs to be put together outside of tails right?
reply
Not sure if you meant using multisig with one of the keys inside Tails or with all the keys "outside".
I use a multisig setup with all keys external to Tails (using Sparrow Wallet). As for signing: I either use a Jade plugged-in (or any decent hardware-wallet I guess) or I could use another air-gaped method (like the SeedSigner, or even a stateless Jade using SeedQR). 1
In the previous example, you could leave one key inside Tails (for convenience), as it would be secured by the encryption of the hard-drive, so in a 2-of-3 multisig, you would only need another "device/medium" to complete the signing, leaving the third key stored in a safe place for backup.
Also, you don't even need a hardware-wallet to do it. With a spare phone lying around you could turn it into a "cold" signing device using Blue Wallet. 2

Footnotes

reply
11 sats \ 0 replies \ @OT 11 Jun
Thanks
Yeah, I meant signing a TX inside of tails. I guess if the computer has a few usb ports external HWW or SD cards can be plugged in to sign. I’ll have a check when I have time
reply
personally I don't use any multisig, and good question! but I guess you can try this: https://electrum.readthedocs.io/en/latest/coldstorage.html#create-an-unsigned-transaction
reply
Super cool. This would be very nice to expand to individuals around the world who aren't in a position to afford a hardware wallet from one of the main manufacturers. I met some who built their own in El Salvador, but they must do it the right way. Education like this needs to be spread. Cheers!
reply
even more useful for those who can't afford it - yes; but it's also quite unnecessary for those can afford it πŸ™Š
because it's a truly empowering feeling when you can keep your coins safe with your own hand and mind instead of relying on others.
33 sats \ 1 reply \ @bisdak 16 Jun
been using tails since 2017, there's a default electrum wallet. no other config needed. plain and simple.
reply
yep, once got it sorted out, you can't go back!
not only it's more peace of mind, but a truly empowering feeling! now I feel sad that people would rather believe in things made by others than those made by themselves.
reply
Well, that's not a cold ❄️ wallet, that's a very good hot πŸ”₯ wallet.
The secret keys are in RAM instead of a secure enclave with only finished hashes/signatures leaving the secure enclave into the RAM. Which, to my knowledge, is the definition of cold wallet.
reply
148 sats \ 1 reply \ @joda 11 Jun
cold just means "offline". It's not the absolute most secure for every possible attack vector, but it's better than running Rando Wallet on the 10 year-old computer your mom downloads .exe email attachments on.
The keys are stored on the USB drive, which can be encrypted, and which can be hidden (the same way we store seed phrases).
reply
cold just means "offline"
that's my understanding too.
reply
how so? the whole process is untouch with the internet πŸ€”
reply
10 sats \ 0 replies \ @nyan 11 Jun
I think what @joda means that you have a single point of failure here. In order to transact, you need to sign with this wallet and however you do it, in this process malware can extract the private key from your wallet. Having hardware signing devices mitigates this attack vector to a huge extent. You of course open a new attack vector by trusting the manfacturer, therefore, you should use devices from at least two different ones in a multisig.
reply
My problem with this solution is that the world is moving to Arm for chip design. This setup is complicated, therefore it should endure the passing of time, and I am not sure Tails will.
reply