A method for storing Bitcoin SV securely, without a hardware wallet.
This article is a follow-up to my previous one on how to safely and easily "be your own bank" without the need for a hardware wallet. Since I wrote that article I have implemented an improvement to the process, and thus wish to share a more detailed set of steps that people can follow, now with a distinctly Bitcoin SV focus. For those interested in the original article it is linked here:
As with that article I must begin with a disclaimer as follows:
I am providing this information as one possible method to store your Bitcoin SV. THE METHOD IS PROVIDED AS-IS AND WITH ALL FAULTS AND WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE METHOD, IF YOU CHOOSE TO USE IT, LIES WITH YOU.
Now that's out of the way, let's carry on.
A question that comes up fairly regularly, despite the large number of different wallets available for Bitcoin SV, is how to store Bitcoin SV safely.
(Here's a list of the wallets available for Bitcoin SV: https://bitcoinsv.io/services/wallets-and-exchanges/)
This question is mainly born of the notion that storing larger sums of Bitcoin SV in software wallets such as mobile or desktop wallets is typically not viewed as a wise idea. This belief is based on the fact that software wallets must hide the user’s private keys and seed phrase within their data, and as such this presents a honeypot for hackers who would try to gain access to that information, especially if the wallet in question held a large amount of funds. The opportunity for attack against a desktop wallet is higher than against more secure wallets such as paper wallets, since the software that holds the keys typically connects to the internet to broadcast transactions and check balances. Being connected to the internet means that hackers can potentially gain access to the wallet or the computer upon which the wallet resides. Furthermore, a computer that is regularly used to access the internet could potentially contain malware, and that malware could be designed to leak the user’s private keys or seed phrase, either through some direct exploit of a weakness in the wallet software (like we saw with the Coinomi wallet: https://bitcoinist.com/coinomi-wallet-seed-phrase-bug/), or perhaps by using a key-logger to capture a user’s wallet password and gain access that way.
In short, an internet connection is both a necessity (for convenience) and a curse (in terms of security implications).
As a result of this dilemma, software wallets, if used to store a large amount of Bitcoin SV, can effectively become a single point of failure and pose a higher risk than some people might want to tolerate when needing to store their Bitcoin SV, especially for extended periods of time.
There are of course ways to improve the security of using a desktop based wallet, such as installing security software on the computer that runs the wallet software, making the user’s home network more secure by using a UTM (Unified Threat Manager, e.g., https://www.sophos.com/en-us/products/free-tools/sophos-utm-home-edition.aspx), or using virtual machines (e.g., https://www.vmware.com/products/workstation-player.html) to run an isolated operating system that runs just the wallet software, but these things often require computer expertise and are not foolproof, even if used in tandem. They may reduce the overall risk of using a software based wallet, but they do not eliminate that risk, and in the case of storing large amounts of funds may not eliminate sufficient risk, even for the most savvy of computer users.
In light of the valid concerns and risks with software based wallets just discussed, this article will now present a way of using a software based wallet, specifically ElectrumSV, in a manner such that a significant portion of the security concern is eliminated, thus providing a very secure means of storing Bitcoin SV, whilst retaining much of the usual convenience that a desktop wallet provides. This is made possible by diverging from the traditional approach of using a single software wallet instance and making use of a feature of ElectrumSV that allows a user to securely create multiple views/instances of the same wallet, some of which do not require the user’s private information (private keys and seed phrase) to be exposed to the internet.
Features of the wallet setup
The wallet setup that will be presented has the following traits.
1. Provides a high level of security.
2. Keeps private information such as private keys and seed phrase air-gapped from the internet (with only one minor exception that we will later see is not a significant concern).
3. Allows a user to be on-line to see balances.
4. Allows a user to deposit more funds at any time and keep track of those funds.
5. Allows a user to withdraw funds as required, without exposing the balance of stored funds to any undue risk.
The setup in a nutshell
This almost sounds too good to be true, right? Use a desktop wallet and have it be extremely secure and still allow for most of the stuff that a regular wallet does! So how is this achieved? The overall wallet setup is comprised of two (or arguably three) main parts as follows:
1. A permanently off-line ElectrumSV wallet acts as a “cold storage” wallet. This wallet, by virtue of the way it works (hierarchical deterministic), creates and manages many “paper wallets” and the private keys for all those wallets, and saves you from having to do this manually as you would if using a paper wallet generator. All that is needed to gain access to the wallet is the password for it (for the wallet file) and/or the seed phrase. To keep your funds secure you have to retain either the wallet file (or a copy of it) and the wallet password, OR, the wallet seed phrase. This wallet is set up and configured on an old computer that stays permanently off-line.
The cold storage wallet: ElectrumSV running on a permanently off-line computer. The seed phrase and private keys are never exposed to the internet. This machine only needs to run to set up the wallet and for any time a withdrawal needs to be made, else it can remain off.
2. An on-line ElectrumSV wallet that uses the master public key (xpub) exported from the cold wallet is able to “view” the funds in the cold wallet, and provide a convenient way of depositing more funds into it. It can be on-line since it does not have knowledge of private keys or seed phrase and therefore does not expose that information in any way. Information that is not present cannot be hacked or stolen. Such a wallet is called a “watching only” wallet. This wallet is set up and configured on a computer that has internet access and is typically used for accessing the internet.
The watching only wallet: ElectrumSV running on a computer with internet access, with a “watching only” wallet. The wallet is configured using only a master public key so no sensitive information is exposed to the internet. The wallet software is run when you want to check balances or deposit more Bitcoin SV into it.
3. A mobile wallet that is able to scan (sweep) private keys, such as HandCash (https://handcash.io/) is used whenever it’s necessary to withdraw funds from the cold storage wallet and may also be used to deposit into the cold storage wallet, though you may deposit into your cold storage wallet from a range of different sources (e.g., exchange, other software wallet or even another ElectrumSV wallet, such as one that you use for smaller amounts and are therefore happy to run it in the traditional way).
Withdrawing from the cold wallet: Using a mobile wallet that can scan (sweep) private keys (in the form of a QR code) to withdraw funds from the permanently off-line cold storage wallet.
Depositing to the cold wallet: Using a mobile wallet to deposit funds into the cold storage wallet. The off-line computer is not required in this case.
This approach of using an off-line wallet coupled with an on-line watching only wallet, provides paper wallet / air-gapped level security for your stored Bitcoin SV, and a similar level of convenience as a desktop wallet, with the only downside being when you decide to withdraw some Bitcoin SV to a mobile wallet (presumably to then send it elsewhere), you have to take extra steps to sweep a specific wallet address from the off-line cold storage wallet, which means turning that computer on, accessing the wallet and querying the private key for the address you wish to withdraw from. Also at that point (when you sweep the address using a mobile wallet) you are technically exposing the private key for that specific address to the internet, so one could argue that this is the one part of this setup that is less secure than a hardware wallet since hardware wallets never expose private keys. The trick is thus to divide the funds up in the cold storage wallet such that you are never sweeping a large amount of funds at any single time and thus the additional risk* over and above a hardware wallet at that point becomes absolutely negligible. For example, you might split 50 BSV into 50 different addresses (we don’t have to worry about fees like those poor suckers who use BTC) and thus each address would have 1 BSV and when you withdraw (sweep) back to your mobile wallet you are only exposing the single private key for 1 BSV; the remaining 49 BSV is still as secure as it always was.
*The concept of “risk” seems to be something that some people have some difficulty in mentally processing. In reality nothing is 100% risk free. Risk can be mitigated by taking various actions. One normally stops taking such actions when the level of risk is reduced to a sufficient point to make the probability of failure acceptably low. No solution or thing is 100% foolproof. People fly in planes because the risk of crashing is acceptably low. Using a software wallet, if you properly follow the steps in this article, should also provide a level of risk that is acceptably low; however, what is acceptable for you is for you to decide, not me.
Now that the overall setup has been described at a high level, we will walk through all the details required to make it become a reality and will also discuss some other minor technical points that will hopefully answer any questions that you may currently have.
Setting up the wallets
To set up this system, you will need:
1. A verified copy of ElectrumSV.
2. An old computer that is capable of running ElectrumSV. This computer must stay off-line permanently.
3. A computer that can connect to the internet and is capable of running ElectrumSV.
4. A mobile device that can run a Bitcoin SV wallet app that is able to scan/sweep private keys (such as HandCash).
This wallet setup can be created and used at virtually no expense, if you have an old computer handy, and I assume that most people reading this article will have access to a mobile phone that is capable of running a Bitcoin SV mobile wallet. The old computer doesn’t have to be powerful; just good enough to run the desktop wallet software.
For the base level of security that this setup can provide, a rudimentary knowledge of computers should be sufficient to follow through, however, it is possible with some additional computer skills and knowledge, to further enhance the level of security that this approach provides.
Preparation of the Off-line / Old computer
The off-line computer, as already mentioned, is likely to be an old or spare computer you have lying around. It doesn’t need to do anything other than run Windows (or Linux if you have all the necessary packages on CD/DVD) and the ElectrumSV software. It thus doesn’t need a good video card, doesn’t need a lot of RAM, doesn’t need a big screen, doesn’t need a big hard disk etc. The most basic system will do.
For Windows you’ll probably want it to have (or be able to install) Windows 7 at a minimum (maybe even Windows Vista would work). For Linux (if you are keen) you’ll probably need a fairly recent version of your popular Linux distro or at least the knowledge on how to upgrade packages (bearing in mind you have no internet access) to make that happen.
You will need to ensure that this computer absolutely does not and cannot connect to the internet. If the computer has a wireless (wifi) card, make sure it is disabled (or even better, removed). Ensure that there are no network cables plugged into it and that none will accidentally be plugged in.
The only way data gets to/from this computer is via USB during the setup phase and after that, not even USBs are used. (Later during the setup, we’ll need to copy the ElectrumSV software to this off-line computer and also export the master public key (as a text file) from this computer to the on-line computer).
If you are tech savvy and want extra security you may choose to fully encrypt this off-line computer using one of several different options. If you are running a version of Windows like Windows 7 you may use something like TrueCrypt (discontinued) or VeraCrypt (https://www.veracrypt.fr/en/Home.html) or BitLocker from within Windows. (Personally I only trust TrueCrypt since it was publicly audited, but it may be difficult to get hold of a verifiable version these days. Either way that is a topic outside the scope of this article). If you are using Linux you likely have the ability to configure full system encryption when you set up your OS using the in-built disk encryption support.
Preparation of the On-line computer
For this computer, using the computer that you use for every day internet access should be fine, though if you intend to run any additional wallets on it (e.g., a low value ElectrumSV or other desktop wallet for every day stuff) then you may wish to consider using a virtual machine or making a pass over the security software you have installed. For the purposes of the setup as described by this article, however, even the dirtiest machine will be fine for running the wallet, because on this machine there will be no sensitive or private information (all that is on the permanently off-line, optionally encrypted, machine).
If your computer is genuinely dirty though (and by that I mean you don’t just do your banking, check work e-mails and read the news on it), then you may wish to consider that when you acquire (and verify) the ElectrumSV software. That is, it could be good to do a virus scan before you download the wallet software. We talk about how to acquire the wallet software now.
The first step is to obtain a copy of ElectrumSV for the platform of your choice (Linux or Windows). For the purposes of this document we will assume Windows, though the same general procedure is possible using Linux. (I personally use a mix of the two as already alluded to; installing Linux on a computer that is permanently off-line is less convenient than Windows, unless you have already acquired the necessary Linux packages on CD/DVD. Linux distros can be very large and typically only contain the most commonly used packages on the first CD/DVD.)
The ElectrumSV software can be obtained from here:
For Windows, look for the download that looks something like “ElectrumSV-1.2.0.exe” (the version number may change over time).
At the very least you should check the SHA256 hash of the downloaded exe file against the value reported here:
e.g., the hash for ElectrumSV-1.2.0.exe is listed as:
There are tools such as 7-zip (https://www.7-zip.org/download.html) that make this process easy. Make sure that the hash given by the tool that you use matches the hash on the github site.
Using 7-Zip to check the SHA256 hash of the ElectrumSV-1.2.0.exe.
The SHA256 hash value obtained by 7-Zip for the ElectrumSV-1.2.0.exe.
For extra security you should also (or preferably) check the signatures of the download against the known PGP keys for the developers. The signatures are available from the download folder here:
[EDIT: It seems that the 1.2.0 sub-folder was removed. Instead try the following URL for the appropriate version of ElectrumSV]:
(Note that the version number will change depending on the version you downloaded).
The signature files have the same name as the corresponding file that they represent the signature for, except with “.asc” on the end. For example, “ElectrumSV-1.2.0.exe.asc” is the signature for the file “ElectrumSV-1.2.0.exe”.
ElectrumSV-1.2.0.exe 20-Mar-2019 05:24 26387066
ElectrumSV-1.2.0.exe.asc 20-Mar-2019 05:22 195
This document does not go into the steps for properly and securely validating the PGP signatures as ample information on how to do this exists on the internet already. On Windows, a program like Kleopatra adds a convenient user interface on top of gpg to make the process easy.
Using Kleopatra to verify the PGP signatures for ElectrumSV-1.2.0.exe.
If the files match the signatures then Kleopatra will confirm this.
Verified PGP signatures for ElectrumSV-1.2.0.exe.
For this process to work you must first securely obtain the developer PGP keys and trust them, but again this is a process that is outside the scope of this article.
You can find more information here:
Installing ElectrumSV (on to the off-line computer)
First you will want to install ElectrumSV on to the computer that is permanently disconnected from the internet. Since this computer is off-line, it’s easier to install ElectrumSV on to a Windows computer than it is for Linux, as with Linux you typically require an internet connection to source software packages from on-line repositories. It can still be done off-line with Linux, but if you are a competent Linux user then you’ll already know how. For the purposes of this document we assume a Windows machine.
For the Windows machine you should copy the verified ElectrumSV software (exe) on to a USB drive and copy that file to the off-line machine. This is the first of the last two times you will use a USB with this machine.
Once copied to the off-line machine, you can run the program from wherever you copied it to. You can copy it to an appropriate place such as “C:\Program Files (x86)\ElectrumSV\” or you could just copy it to your desktop and run it from there. How you manage your computer is your own business!
Preparing to create the cold-storage wallet.
Before we create the cold storage wallet, let’s first recap what the purpose of the cold storage wallet is.
The cold storage wallet is intended to be a permanently off-line wallet that in essence acts as a paper wallet manager. Through the use of a wallet seed, it can create an unlimited number of addresses and private keys such that you do not have to worry about manually creating paper wallets and recording them.
To gain access to your cold storage wallet all you need is the wallet software, the wallet file, and the password, OR, the wallet software and wallet seed (in which case the wallet can be completely restored).
You will set up this cold storage wallet, save the seed and export the master public key (xpub). After that, apart from when you need to withdraw funds, you never have to access this computer again.
The more secure this computer and wallet are, the more secure your Bitcoin SV is. Ways that you can increase the security level on this cold storage wallet include:
1. Store the seed phrase securely and redundantly. - Non negotiable.
2. Encrypt the wallet file with a strong password. - Non negotiable.
3. Use a seed phrase with additional seed words. - Recommended.
4. Encrypt the off-line computer with a suitably secure access mechanism. - Optional.
5. Keep the computer in a safe place. - Recommended.
6. Keep redundant/secure backups of the wallet data (e.g., second hard drive). - Recommended.
Even if you only did items #1 and #2 (which are both essential steps) and took none of the other measures, your cold storage wallet would still be, for all intents and purposes, extremely secure since anyone who stole your computer would not be able to access the private information within it, and you could restore your wallet from the seed phrase on a different clean, off-line computer, when you needed to access the funds in it. The extra steps of using additional seed words and properly securing the computer add to the security, but they are not essential. We all decide the level of risk that we are comfortable with.
Creating the cold storage wallet.
Now we understand exactly what we are creating, on the permanently off-line computer, start the ElectrumSV wallet software. You should see a screen like the following.
Give your new wallet a name, such as “bsv_cold_storage”. Click Next.
Choose Standard wallet. Click Next.
Choose Create a new seed. Click Next.
The words that appear above are absolutely sensitive and should never be shared with anyone! (I’m only showing the words from my wallet since I am just creating a throw away wallet to demonstrate the process. Bottom line: never share your seed phrase with anyone you do not trust 100%.)
Take a note of the seed phrase. The best approach is to write it down on a piece of paper as the software suggests.
Click the Options button.
In the dialog that opens, check the check box and click on OK. Click Next.
In this dialog you should enter some additional words (I would typically enter 6 words, to go with the other 12, to make 18 in total) that are completely random. They don’t even have to be the same language. Write these words down on that same piece of paper as the first 12 words and make sure they are marked as “custom seed words” so you will know where to enter these words in the case that you ever need to recover your wallet from the seed words.
When you have selected your 6 (or as many as you chose) custom words, click Next.
This is where the software checks if you have been following instructions. You should re-enter the 12 seed words that you wrote down, into this window.
When you have the seed words correct, the Next button will become clickable. Click Next.
Now the wallet software will ask for the custom seed words that you also wrote down. Enter those.
When you have the seed words correct, the Next button will become clickable. Click Next.
The last step of the setup process is to choose a password for the wallet file. Be sure to choose a strong password. This means a password that is long enough and complex enough to introduce sufficient entropy for the wallet encryption. Fortunately the wallet software will tell you when your password is secure enough. Make sure it’s something that no one else is able to guess!
The wallet software giving you feedback on the strength of your password.
When you have entered and confirmed your strong password, the Encrypt wallet file check box will become editable. DO NOT UN-CHECK IT. Click Next.
(Encrypting the wallet file with a strong password is the baseline level of security of this method. If you leave your wallet un-encrypted, anyone who gains access to your off-line computer will have access to your Bitcoin SV. Sure, this requires someone to have physical access to your computer, and whilst this approach eliminates every single on-line attack vector, consider that as the value of your Bitcoin SV increases over time, leaving your wallet un-encrypted is still a bit like leaving the door open on your safe. The more you have in your safe, the less likely it is that you will want to do that).
At this point the cold storage wallet is 100% completed! All that is left to do is export the master public key (xpub) and also check how to access (withdraw) funds, i.e., how to get at the private key QR codes for any single address.
Note that the wallet software, bottom right says “Not connected”. This should never change on the off-line computer.
Exporting the Public Master Key
In your newly created off-line wallet, choose Wallet -> Information.
The above dialog shows the master public key. This key is not sensitive at all; hence the name “public”. That long string of letters and numbers is what we’ll need to create the on-line “watching only” version of this wallet that can be used to see the address balances and also as an easy way to deposit more Bitcoin SV at zero risk of being hacked (from the ElectrumSV side).
Click the blue “copy to clipboard” button and paste the text into a new text file.
Save the text file to a USB. At this point you can remove the USB from the off-line computer. You won't need it there any longer.
Checking how to withdraw funds
Before we turn off the off-line computer, we’ll just demonstrate how you access the private key for any single address in the wallet, as a QR code, that can then be swept by a mobile wallet such as HandCash, by scanning the QR code. “Sweeping” an address simply means that with access to the private key, a program is able to broadcast a transaction that spends the funds in the cold storage address and send the funds to an address in the mobile wallet. Conceptually it’s like sweeping up or sucking up the funds in that address. The term is usually used in relation to paper wallets that don’t have software that is able to broadcast transactions and thus the way to acquire funds from a paper wallet is to "sweep" them using a wallet that can do the transaction on “behalf of” the originating address.
In your newly created off-line wallet, if you cannot see an Addresses tab, choose View -> Show Addresses.
Next click on the Addresses tab and you will see a list of addresses. Right now you cannot see if any of these addresses contains funds; that’s the purpose of the watching only on-line wallet that we are going to set up shortly, but for now assume that you know which address has the funds you want to withdraw and so right-click on an address and choose Private Key.
You will be requested to enter your wallet password, after which you will see a dialog that looks like this.
To see the QR code for the private key, simply click the QR code icon top right of the top window.
When you have a Bitcoin SV mobile wallet that can scan/sweep private keys (such as HandCash), then scanning this QR code will allow the funds from that cold storage address to be withdrawn. This is literally the only time from now on that you will need to turn on your off-line computer with your off-line cold storage wallet.
Furthermore, this is the only time you ever expose any private information to the internet in any way, shape or form. If you are using a reputable Bitcoin SV wallet such as HandCash, and the amount you are sweeping is not too big, it’s perfectly reasonable to expect that the risk in doing this is absolutely negligible and that it impacts the overall security level of the total wallet setup in absolutely no way whatsoever.
As mentioned previously, the idea is to deposit amounts of Bitcoin SV into the wallet in small enough chunks (bearing in mind future potential appreciation) such that any single address does not contain an amount of Bitcoin SV that you would not be comfortable having stored (even temporarily) on a mobile Bitcoin SV wallet.
At this point feel free to close the ElectrumSV software on the off-line machine and close down the machine. You won’t be needing it now unless you need to withdraw funds.
Be certain to keep redundant copies of your seed phrase and wallet password in a secure place. Whatever you do, do not lose the seed phrase. Approaches to store your seed phrase (and wallet password) securely, are beyond the scope of this article.
Backups of the wallet file on the off-line computer are also highly recommended, but note that if you have the system fully encrypted, the backup mechanism that you use should be equally as secure, else it defeats the purpose of the system encryption. I personally use a second hard drive in the same off-line computer that is also fully encrypted. Backup practices and encryption, however, are outside the scope of this article.
Creating the on-line “watching” wallet.
The next step is to install the ElectrumSV software on to the on-line computer. Since the computer is on-line this makes it more practical to use a Linux machine if that is your thing. I personally use a clean Linux installation for my on-line wallets, but like we have already discussed, for the purposes of this cold storage wallet setup, the on-line watching only wallet could be on any computer at all; it is still secure since it contains absolutely zero sensitive information other than access to the balances in the addresses that relate to the cold storage wallet. So long as the general public don’t have access to the computer and get wise to the amount of Bitcoin SV you have stored, there isn't any problem that should arise from that.
Now we understand exactly what we are creating, on the on-line computer, start the ElectrumSV wallet software. You should see a screen like the following.
Give your new wallet a name, such as “bsv_cold_storage”. Click Next.
Choose Standard wallet. Click Next.
This time, instead of “Create a new seed” we want to pick Use public or private keys. Click Next.
Take the xpub master public key that we saved from the off-line computer on to USB and paste it into the above window. When you have done this, the Next button will become clickable. Click Next.
ElectrumSV will tell you that the wallet you just created is a “watching only” wallet.
The warning is about not sending any Bitcoin SV to addresses in this wallet unless you also own the private keys for those addresses. We do of course own the private keys; they are just stored on the off-line version of our wallet. Everything is good to go.
The newly created watching only wallet looks like this:
Note in the title bar the words “watching only” which indicate that the wallet does not hold any private or sensitive information. Those of you who have been paying attention will notice that the addresses in the wallet are the same as the ones for the off-line wallet that we created.
At this point the setup of our cold storage wallet system is 100% complete! (The task of acquiring a mobile wallet such as HandCash and setting it up are left as an exercise outside the scope of this document). As you can see, this was a really easy process to follow. Writing this document was probably ten times more effort than doing the actual steps. Now you have a very secure setup for cold storage of Bitcoin SV.
The last thing to cover is how to deposit funds to the cold storage wallet.
Depositing funds to the cold storage wallet is very simple. You just use the watching only wallet just as if it was a regular desktop wallet. Simply go to the Receive tab and send funds to the address shown, or deposit funds to any un-used Receiving address on the Addresses tab. The balance will show up just like a regular desktop wallet. The only difference is that you can't spend the funds from this wallet directly (as expected).
One last detail
One thing that you may run into with the off-line ElectrumSV wallet is wanting to withdraw funds from addresses beyond the default 20 that the off-line wallet displays. Because the wallet is off-line it does not know that funds may be stored in some of the addresses, and so it won’t load any more than the default of (what it thinks are) 20 empty addresses.
To combat this you may get the off-line wallet to generate additional addresses in the hierarchical deterministic sequence as follows.
In the off-line wallet software choose View -> Console. Click in the console to remove the warning message and then type:
Then press the enter key.
This will cause the wallet to create a new address beyond the 20 “gap limit” as it is so-called. Addresses beyond the gap limit appear highlighted in red, but other than the color difference, the address can be interacted with just like any other address in the software. Thus you will now be able to access the private key for such addresses, whilst keeping the off-line wallet 100% off line.
If you have any questions, feel free to ask them in the comments section.