Bitcoin paper wallets offer a useful solution to the problem of storing funds for later use. However, the ease with which paper wallets can be generated tends to obscure important technical and security considerations that may only become apparent at a later point. This article introduces paper wallets from the beginning, with an eye toward using them for secure, long-term, offline storage.
Paper wallets can be created and used on any computer with a standard Web browser such as Chrome, Firefox, or Internet Explorer 9+. The simplified procedure consists of these steps:
- Generate and print. Visit bitaddress.org to get started.
- Fund. Transfer bitcoin held at an exchange such as Localbitcoins or Coinbase, into the paper wallet’s address.
- Store securely. You paper wallet is now funded. Store it in a safe place until needed again.
- Bring funds online. To spend stored funds, sweep them into a hot wallet such as blockchain.info.
Consider running through this procedure using a trivial amount of bitcoin (1 millibit or less). Doing so will provide a solid background for the discussion that follows.
Private Keys are Valuable
A Bitcoin private key is a carefully-selected integer between zero and approximately 1077. An address may be mathematically derived from a private key, but the reverse process is practically impossible. Knowledge of a private key is all that’s necessary for any party to spend funds stored at the corresponding address.
A recent study found a significant percentage of all personal computers hosted malware of some kind. Malware specifically targeting Bitcoin holdings poses a risk because private keys can be readily transmitted and used anonymously. This risk has led to the development of methods to generate and use private keys on systems isolated from a network.
The mathematical relationship between private keys and addresses means that two pieces of software running on different computers will always derive the same address for a given private key. Network communication is unnecessary. For this reason, offline private key/address generation plays a central role in Bitcoin security. For more, see: A Gentle Introduction to Cold Storage.
Why Paper Wallets?
Web wallets and online exchanges make it convenient to hold and spend bitcoin. However, doing so is often insecure. The main set of risks derive from the need for the service to maintain private keys on the user’s behalf. Events such as service shutdown, theft of keys from the service, and outright fraud can all result in loss of funds with little recourse. Users who find themselves holding significant quantities of bitcoin should consider taking direct responsibility for the safekeeping of their funds through paper wallets or some other form of cold storage.
A Paper wallet is one of the easiest forms of cold storage to start using. Any piece of paper bearing a private key can serve as a paper wallet. Although private keys can be written onto other media, paper offers unique advantages:
- Resistant to network-based attacks: A piece of paper folded into the pages of a book or kept in a safety deposit box can’t readily be revealed to a network-based attacker.
- Cheap: Both paper itself and the tools to print on it are readily available and easy to use.
- Portable: Paper is light and thin. It can be easily transported and stored.
- Well-understood performance characteristics: Unlike electronic storage media such as writable DVDs and USB drives, paper has been in use for a long time. Paper’s tolerance to stress and age is well-understood from everyday experience.
Paper wallets also come in handy as a way to transfer funds to another person lacking a Bitcoin wallet. Examples include: tips in restaurants; gifts to friends and family; and promotions/awards. However, this use of paper wallets will probably decline as awareness of Bitcoin and access to software wallets increases. The remainder of this post discusses paper wallets from the perspective of cold storage only.
Better Computer Security
Creating paper wallets for cold storage requires heightened attention to security. Should one of numerous Bitcoin-specific exploits be present on a computer used to generate or manipulate private keys, then any funds on the paper wallet can be stolen.
To reduce this risk, use a secure computer environment when making paper wallets. A number of methods for creating a secure environment have been proposed. The one outlined here reduces the effectiveness of network-based attacks, while at the same time being easy to set up and administer.
Tails makes it possible to create a secure, temporary environment hosted on the same computer you use for everyday tasks. Powering up most modern computers with a Tails DVD or USB boot drive will load a complete Linux operating system, without affecting the existing operating system or hard drive. Powering down the Tails system and removing the boot medium returns the computer to its original state.
Tails disregards any changes made to its configuration after shutdown, so hardware must be configured for each session. To generate paper wallets from a newly-booted Tails instance, be sure all network connections have been disabled and that a printer has been installed.
Instructions for preparing Tails boot media are available here.
Creating a Paper Wallet
A number of tools exist for creating paper wallets. One of the most popular is bitaddress.org. Its main purpose is to securely generate private keys and addresses suitable for output to a printer. Running entirely within a browser, bitaddress.org can be used from any computer equipped with a standard Web browser.
Although bitaddress.org can be used like any other website, it can also be saved as a standalone document and later run without a network connection. This is the approach we’ll take for securely generating paper wallets. It can be implemented with two USB drives and your everyday computer:
- Tails boot drive contains a bootable Tails installation.
- Data drive Used for moving data between a Tails environment and your everyday computer. Be sure this drive is clean before continuing.
From your everyday computer, browse to bitaddress.org and save the page to the data drive. Then shut down your computer, keeping the data drive in place.
Next, insert the Tails boot drive and restart your computer. From Tails, browse to the bitaddress.org
.html file by selecting the data drive from the top-level
Places menu. Double-click on the
.html file and ignore any message about the Tor network being unavailable.
You may notice that not much seems to happen after the bitaddress.org homepage is loaded. The page awaits random input in the form of keystrokes and/or mouse movements. To add keystrokes, click inside the text box and type random characters. Green circles record the path of mouse movements.
After capturing enough random input, Bitaddress is ready to generate paper wallets. Under the
Single Wallet tab you’ll find two areas. The one to the left is marked “SHARE” and contains a QR code along with a Bitcoin address starting with the number “1”. The area to the right is marked “SECRET” and contains a QR code together with a private key starting with the number “5”. The private key and address are both ready for use on the Bitcoin network.
A copy of this wallet can be printed by clicking the
Paper wallets storing significant amounts of bitcoin should be created within a secure, offline environment such as Tails. Alternatively, the site can be accessed online to experiment and print paper wallets for holding small amounts of bitcoin.
Encrypted Paper Wallet
The paper wallet created in the previous section is vulnerable to many forms of physical theft. For example, the paper itself can be stolen outright and later used to transfer funds. But taking the paper itself isn’t even necessary. A thief could simply snap a picture of the paper wallet with a smartphone, then later decode the private key QR code to steal funds. As one reporter discovered, QR codes from paper wallets can even be stolen by revealing the private key on national television.
BIP 38 encryption offers an additional safeguard against physical theft. Paper wallets encrypted by BIP 38 require a password before funds can be spent. This password is chosen by the user at the time the paper wallet is generated. Decrypting BIP 38 private keys takes a lot of computational power, decreasing the effectiveness of brute-force guessing attempts and improving security.
BIP 38-encrypted paper wallets can be generated from bitaddress.org. Click on the “Paper Wallet” tab. You should see a page with 3 colorful paper wallets. Check the “BIP38 Encrypt” checkbox, enter a passphrase, then press the “Generate” button. After several seconds, a new set of wallet images will be displayed. Blue backgrounds distinguish these paper wallets as encrypted.
Being unable to decrypt a paper wallet would be just as bad as losing the private key. Here’s a procedure you can use to verify that your BIP 38 paper wallet properly encrypts a private key, and that this private key is linked to the expected address.
First, generate some paper wallets without artwork by checking the “Hide Art?” checkbox, then clicking the “Generate” button. After a few seconds, a new set of undecorated paper wallets will be generated. Copy the encrypted private key for the first one to your system clipboard. Notice that these private keys start with the number “6”, in contrast to unencrypted keys which start with the number “5”.
To decrypt the private key, click on the “Wallet Details” tab. Paste the private key into the field labeled “Enter Private Key”, and enter your BIP 38 passphrase. Click the “Decrypt BIP38” button. A page will be displayed showing your paper wallet’s address. Confirm that the leftmost address matches the first address listed under the “Paper Wallet” tab. The decrypted private key appears further down on the page.
BIP 38 encryption adds a useful security layer to paper wallets. Consider using it if either of these conditions apply:
- You want to store significant amounts of money on a paper wallet.
- You’re concerned that a thief or eavesdropper could discover your private key.
Funding a Paper Wallet
Given that you’ve generated a paper wallet (or have used another physical medium), the next step is to fund it. To do so, initiate a payment from your software wallet or exchange into your paper wallet’s address.
At this point you’ll want to exercise caution because the payment will be irreversible. Although many wallets support scanning the private key QR code, many exchange wallets do not (e.g., Coinbase). To minimize the risk of error, make a small test payment into the paper wallet address, then verify it was successful.
The status of a transfer can be monitored through your Bitcoin exchange, your software wallet, or by entering the paper wallet’s address into the search box of a service such as blockchain.info or blockr.io.
Paper Wallet Storage
Using paper wallets (or any physical medium) for cold storage replaces the problem of network security with that of physical security. Unfortunately, the same portability characteristics that make paper wallets convenient to users also make them attractive to thieves.
Fortunately, Bitcoin offers some tools that can promote the physical security of paper wallets. As previously mentioned, BIP 38 offers an easily-implemented first line of defense.
Shamir’s secret sharing offers another useful tool for securely storing private keys on physical media without a password. Using this system, a private key can be mathematically divided into separate pieces that must be recombined to yield the private key. This allows a private key to be spread out over multiple physical locations, forcing a thief to compromise multiple systems. The website PassGuardian offers an easy-to-use tool for splitting private keys using secret sharing. Like bitaddress.org, the homepage can be saved to a USB drive for use within Tails.
Regardless of the method used to physically secure a paper wallet, backups will likely play a role in ensuring that funds can’t be lost due to simple mistakes. Seek complementarity in backups. For example, if primary copies are printed on paper, store backups on either plastic or digital media such as USB drives, discs. Likewise, if primary copies are kept onsite, consider storing backups at a secure offsite location.
Understand Change Addresses Before Spending from a Paper Wallet
Unfortunately, spending from paper wallets is fraught with pitfalls for new Bitcoin users. The first problem is that spending from a paper wallet doesn’t work the same way as spending from a debit card. This failed mental map causes many beginners to lose large sums of money. The second problem is that software wallets vary considerably in how they handle this difference.
Imagine Alice, an occasional Bitcoin user, made a paper wallet holding 10 bitcoins (BTC). One day she wants to spend 1 BTC of her savings on a purchase from Overstock. Realizing that she needs a software wallet to make the payment, Alice downloads MultiBit.
After importing the private key from her paper wallet into MultiBit, Alice pays Overstock 1 BTC. Not wanting to leave the paper wallet private key on her computer, Alice securely deletes MultiBit and all of its data. Alice then returns her paper wallet to its secure location.
A few months later, Alice wants to make another Overstock purchase. After importing her private key into MultiBit, Alice is horrified to see a balance of zero. Her paper wallet has somehow been emptied of 9 BTC.
Alice was not the victim of theft, nor did she discover a bug in her wallet software. Alice’s paper wallet funds were lost due to her own ignorance of Bitcoin change addresses.
It’s tempting to think of a paper wallet as a kind of debit card. Spending should deduct exactly the transaction amount, but no more. With this mental model, Alice’s loss of money is hard to explain.
However, paper wallets (and Bitcoin addresses in general) work on an entirely different principle than debit cards. When Alice first funded her paper wallet, she made a single payment of 10 BTC. She then imported the paper wallet into MultiBit. Unknown to Alice, her MultiBit wallet actually contained two addresses at this point - the one from her paper wallet, and an unfunded receiving address created by MultiBit.
To pay Overstock, MultiBit consumed the entire 10 BTC payment with which Alice originally funded her paper wallet. One BTC was sent to Overstock. The remainder (9 BTC) was sent as change to the receiving address, leaving Alice’s paper wallet empty. On securely deleting MultiBit, Alice lost the private key to MultiBit’s receiving address, and in so doing lost any chance to recover her 9 BTC.
For details on the seemingly counterintuitive interplay between paper wallets and change addresses, see: Five Ways to Lose Money with Bitcoin Change Addresses.
Sweep vs. Import
At some point funds stored on a paper wallet will be spent. This requires a software wallet, at least temporarily. Funds can be transferred from a paper wallet into a software wallet through two conceptually distinct methods.
Sweeping initiates a payment transaction from the paper wallet into a receiving address of the software wallet. This transaction is subject to all the constraints normally associated with transactions, including a fee and confirmations. Sweeping empties the paper wallet of all funds, unless change is returned to it.
Importing brings the paper wallet private key under the management of the wallet software. No transaction is made, so funds can be accessed immediately.
The main problem with importing a paper wallet is that it compromises the integrity of the software wallet, opening the door to unexpected behavior and security exploits (see: Five Ways to Lose Money with Bitcoin Change Addresses). Unless conditions specifically call for importing a private key, the safest option is to sweep a paper wallet.
Both sweeping and importing into a hot wallet expose a private key to a network-connected computer, if only temporarily. This opens the door to network-based exploits and possible loss of funds. Alternatively, a spending transaction can be generated online and then digitally signed on a secure computer. This approach requires more technical expertise than the procedure outlined here. Unfortunately, the tools to do so are not easy to configure or use, although this could change in the future. See A Gentle Introduction to Cold Storage for details.
Software Wallets Vary in Their Paper Wallet Support
Software wallets vary greatly in how (or even if) they work with paper wallets. Although most wallets support some form of private key import, few support sweeping, the least error-prone option. Here’s how the major software wallets support paper wallets:
- Blockchain.info: Supports both sweep and import. Also supports returning change to paper wallet through “Custom Transactions”.
- MultiBit: Directly supports import only. Funds can be swept using a semi-manual procedure.
- Electrum: Direcly supports import only. Funds can be swept using a semi-manual procedure.
- Armory: Directly supports import only. A semi-manual procedure similar to that used for Electrum can be used to sweep funds.
- Bitcoin Core: Directly supports import only. Funds can be swept through a semi-manual procedure.
- Mycelium: Directly supports drawing a portion of funds off of a paper wallet. Change is returned to the paper wallet.
The difficulty of bringing cold storage funds out of a paper wallet depends on the wallet software used. Mycelium offers the cleanest solution, whereas a Blockchain.info wallet can be used to sweep paper wallets on a variety of devices.
Watching Paper Wallets
It’s often useful to monitor the activity of a paper wallet. If you only maintain one paper wallet and only want to check its balance periodically, then a manual lookup at blockchain.info or blockr.io may be sufficient.
If you maintain multiple paper wallets or wish to be notified of its transactions, a web service might be useful. For example, Blockchain.info wallets can import watch-only addresses. From the “Import/Export” tab, click on “Import”. Then enter the address you’d like to monitor.
Blockchain.info offers a variety of notifications that can be triggered in response to address activity. From the wallet homepage, click the “Account Settings” tab. Then choose the “Notifications” option. To use this option, first verify your email address.
In my tests, Blockchain.info email notifications failed to trigger in response to funds being deposited into a watched address. Fortunately, alternatives exist, including:
Managing Paper Wallets
By using paper wallets, you’re manually maintaining a pool of private keys and addresses. Three basic strategies can either be used separately or combined, depending on your goals.
The simplest system uses a single paper wallet for all cold storage funds. This method can be used with any hot wallet capable of returning change to the sending address (e.g., blockchain.info and Mycelium).
The single store method is not recommended due to its privacy and security limitations. Returning change to a paper wallet creates a permanent, public link in the block chain between your cold storage and your hot wallet, reducing your privacy. For example, if you move funds from a paper wallet into a hot wallet and return change to the paper wallet, anyone you pay can deduce your paper wallet balance.
Using a paper wallet typically requires the exposure of the private key to a hot wallet environment, even if briefly. Doing so presents an opportunity for an attacker to intercept the private key. Should change be returned to the same paper wallet, an attacker can steal the funds by using the newly-acquired key.
Instead of returning change to the same paper wallet on each spending transaction, change can be sent to one of a number of addresses on a precompiled list. This list can be generated and printed as a batch during a single session with bitaddress.org. The first address/private key combination is selected to hold funds. After spending from it, change is returned to the second entry, and the first entry is crossed out, cut off, or folded over. And so on.
Alternatively, a fresh paper wallet can be securely generated on-demand to hold change from each cold storage spend. This approach offers the advantage of removing the precompiled list of private keys as an attack target.
Rotating paper wallets avoids the two main problems with the Single Store method. First, using a new address to receive change makes privacy invasion more difficult. Second, funds will be rotated out of any address for which the private key might be briefly exposed. An attacker intercepting the private key would be unable to steal funds because the previously-used paper wallet would be empty.
Multiple Denomination Store
Just as banknotes are printed in various denominations, so too can paper wallets. For example, to store 10 bitcoin (BTC) total, print four separate wallets, distributing funds in chunks of 5 BTC, 3 BTC, 1 BTC, and 1 BTC. Dividing up funds among multiple paper wallets reduces the risk of any one of them being compromised, either during storage or when sweeping into a hot wallet.
Spending from Multiple Denomination cold storage would involve sweeping one or more paper wallets. Excess funds could either be kept in the hot wallet, or sent to a new paper wallet.
Paper wallets offer a flexible method for long-term storage of surplus funds. Before using paper wallets to store significant amounts of bitcoin, be sure to understand the security/usability tradeoffs of your methods. To increase the safety of you funds, consider these options:
- Create and print paper wallets using bitaddress.org from a secure computing environment such as Tails.
- BIP 38 encryption or Shamir’s Secret sharing as an added physical security layer.
- Configure an auto-alert service to notify you of transactions into and out of your paper wallet.
- Understand change addresses and how your wallet software handles them.
- Sweep funds into a hot wallet unless there’s a good reason not to.
- Pick a strategy for managing paper wallets consistent with your long-term goals.