Many new BTC users asked me to write this guide, about how to create your own cold wallet and not using a hardware wallet. So I will describe here how to use TailsOS on a USB stick, with Electrum and KeePass.
This storing method is for those users that are comfortable with using computers, systems and already have a base knowledge about Bitcoin.
This method IT IS NOT for those very new to this technology and are not so techy. For those I recommend to just buy a hardware wallet and forget about this method.
Important aspects about cold wallets:
- a cold wallet always have to have at least a copy (even in another form of backup) and stored in another geographic place. You never know what could happen.
- a cold wallet is NOT your day to day usage wallet! As I explained here in his guide, you should keep your stash in three levels of wallets. Any cold/HODL wallet in whatever format you keep it, must be stored in a safe place, that nobody else knows and do not use it. To deposit to that same wallet, you need only few BTC addresses and/or MPK/Xpub key imported into a “watch-only” wallet app. Watch-only means that the private keys will never touch online world, you can only deposit to that wallet and check the balance. Here is a guide how to use “watch-only” wallets.
- a cold wallet can be accessed only when you really need to move funds from there (urgent matter) or you want to upgrade the wallet system, firmware, OS etc.
- always test recovery procedure BEFORE you put any funds in that wallet. Many times until you are comfortable with the process and you are sure you will be able to restore your wallet in case of SHTF. Practice is the key to proficiency.
Why I recommend this method, let’s call it “Tails wallet” ?
There are many reasons from which we can mention:
- is dirty cheap (the only cost is the USB stick/s). So why not stacking more sats instead of buying (for some) expensive hardware wallets?
- TailsOS is a strong Debian Linux system OS, portable, with Tor built-in and many other useful apps.
- is not getting attention. Nobody will know that in a simple normal USB you can carry the keys to your HODL wallets. Instead of walking around with a Trezor, ledger, cold card etc, now everybody will recognize those are “carrying BTC”, so you could be a target by default. In the past I saw users in a cafeteria pulling up their Trezor and connect it to a laptop, just to pay the bill. WRONG, totally wrong.
- Same USB OS can be used as emergency clean system for other tasks. Let’s say you are traveling and you need a clean computer to use. TailsOS is great for that, just boot up with it and you have a read-only live clean OS. Accessing in a safe way your personal data, BTC wallets etc. And comes with a lot of simple useful tools.
- It can store multiple wallets, can be copied and stored in many different locations. It can be used also for storing more personal data (scanned documents, password manager, private stuff), all encrypted, safe from enemy eyes.
- Offers easy and fast access anytime to your cold wallets, without any additional software susceptible of malware, phishing, infected computers. TailsOS is ALWAYS CLEAN no matter which computer you use. Many users are losing wallet control because they are using them on infected computers and are sloppy with security.
Let’s get started
A. Create and prepare your Tails Wallet
- Download TailsOS, live USB, and use Rufus to create the bootable USB drive with TailsOS ISO image. Rufus will erase and format that USB drive.
- Boot with that USB drive (change the settings in the computer BIOS to start with USB drive or press F12 for some systems), and select RUN/Execute, not install, offline. This live OS already includes Electrum BTC wallet app and KeePass (password manager).
- If you plan to re-use this LiveUSB TailsOS, you can create also a hidden active partition, that will be encrypted, to save important information, like the KeePass database file, electrum wallet backup. Here are instruction how to use “Persitent Partition” and a video tutorial here. Put a strong password to open that persistent partition space and DON’T FORGET IT!
- Once you are done with persistent partition creation, open KeePass app and create a new passwords database. Save a copy on another USB memory and also use persistent encrypted space from Tails. In that database you start saving all your wallets (seed words, XPUB, BTC addresses, MPK) and other personal info. Don’t forget to make copies of this file in other safe places. Here is a guide how to use KeePass and sync across devices.
- If you want to use a latest version of Electrum and not the already installed Tails version, you can download the AppImage (for linux) directly from Electrum page https://electrum.org/#download
- and save it into your persistent partition. You just need to launch it, no need to install it. But any version of Electrum from Tails is enough for creating an offline wallet. Latest version is needed only if you want to use Tails to broadcast a transaction from that cold wallet.
- Open Electrum app and create a new wallet. Save the seed words into your KeePass file. Once is created, go to Electrum menu – wallet information – copy the MPK (Master Public Key) and save it into your KeePass database (where you saved the seed too). Go to menu – activate view addresses, then go to Addresses tab and copy 3-4-5 addresses and put them into your Keepass file. Later will be used for restore procedure test.
DONE! You just created your cold wallet in TailsOS. Close all apps and shut down your TailsOS.
OPTIONAL you can download and save in your persistent partition the Sparrow wallet app if you want to use a more advanced and a Taproot supporting type of address, as I explained in this guide. Almost same procedures to follow for creating wallet, saving backup and keys as for Electrum app.
B. Test restore wallet procedure
- Start again TailsOS, unlock the persistent partition, to be able to open your KeePass database file.
- Open Electrum app, select restore wallet, I already have seed and then follow the instructions step by step. Select segwit native and also the option button for BIP39 seed. See more details about using Electrum app here.
- Open your KeePass and the entry for your Electrum wallet details.
- Put the seed words to restore and check them one by one.
- Once the restore process is done, wallet is loaded, go to menu – activate “view addresses”, then go to Addresses tab and check the first 3-4 addresses generated that are the same you saved in your KeePass file. If are the same, you’ve just done a correct restoration of your wallet. Optional you can check also the MPK if is the same, see menu – wallet information.
Done! Now you are good to go, you can deposit funds into your cold wallet. You can use the MPK in a watch-only app or just using few BTC addresses from your wallet.
C. Make backups and copies of that wallet!
OK now that you test the restore procedure, you deposit some funds into that wallet, is time to make security copies.
- Open TailsOS, open Electrum wallet
- Go to menu File – Backup wallet. Save that wallet file copy into your persistent partition and also in another encrypted USB as a copy together with a copy of your KeePass database file. Here are some guides how to encrypt a USB drive, with Windows and with Linux.
- The copy of that Electrum wallet is encrypted also with your Electrum password you put it when you create first time that wallet. That password is also used when you have to broadcast a tx, for the signing process. So, keep in mind it is very important, save it also in your KeePass file.
- So now, you can just open that wallet file with Electrum app, without having to restore from seed, will just ask you to open it with your Electrum password to decrypt the file. Seed will be necessary only in case this file get corrupted or lost. This file also contain all txs you’ve made, labels, history and in time can get bigger.
- In the USB drive copy (encrypted) you can store many other files too, like a picture file that embed a seed using steganography, private documents, anything digital that is important for you. Make more copies of this “private offline storage” and save them in different locations. Optional you can put them into a metal recipient, protected from EMF, water, sun, heat etc.
D. Use it as a “watch-only” wallet
Here is a more detailed guide how to import and use the MPK of this cold wallet into an app for deposit only wallet.
I have several recipients like these hidden into deep forest / mountain places, easy (for me) to recover them in any SHTF case. Even if are found by somebody else (I really doubt it) cannot be accessed due to hard encryption. I am very comfortable with that encryption and the secret place where are hidden. But is up to each individual where and how to save those copies. Also could be in an online storage, is enough that KeePass file to be stored and optional a copy of your electrum wallet file (no more than few hundreds kb of data).