As we've said before, it is not necessary to spend a hundred dollars on a Trezor or any such "cold storage wallets". You can create a 100% safe encrypted cold storage USB thumb drive where you can store encrypted wallets and use them when necessary.
All you need is a USB thumb drive and a free program called VeraCrypt, which is the successor of TrueCrypt, one of the best encryption programs out there. VeraCrypt is safe, robust, and it has much stronger encryption capabilities than TrueCrypt.
You can download VeraCrypt for any operating system from this link.
You can use any USB drive, but for the sake of speed we suggest using a 2 GB drive, as you don't really need that much space for bitcoin wallets.
These are the steps:
1. Download VeraCrypt.
2. Follow the VeraCrypt tutorial for encrypting an entire USB drive. Basically, run the program, click on the "create volume" button and then select the second option, for encrypting a non-system partition/drive. You will get step-by-step instructions on how to encrypt the drive with the program. WARNING: Any contents on the drive will be erased.
3. Make sure you pick a strong password for the drive, containing uppercase and lowercase letters, numbers and symbols, and more than 20 characters in all.
4. A 2 GB drive takes less than 10 minutes to encrypt. Once it is encrypted, you will only be able to open it using VeraCrypt. So have it installed on your machine and keep a portable copy just in case (you can create a portable copy by installing it to another flash drive).
5. Test the drive. If you enter the password correctly, VeraCrypt will open it in a window like a regular drive and you will be able to put files in it and open files directly from it. The encryption and decryption are done on the fly.
6. Once the drive is tested and safe to use, the wallet creation is now possible. This can be done by creating several BIP-38 encrypted paper wallets and storing them in the encrypted drive.
7. Bitcoins can be transferred to the public addresses of the encrypted wallets, starting with a small amount just as a test to check if the coins are visible in blockchain.info. Once the tests are passed, larger amounts of bitcoins can be sent to the encrypted BIP-38 wallets. Now an attacker will need to defeat two layers of encryption in order to get access to the coins: one for the USB drive and one for the wallets themselves.
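The second layer only exists if the private key on each stored paper wallet really is in BIP-38 form. The following check is an added example, not part of the original tutorial: it Base58Check-decodes a key string and reports whether it is a BIP-38 encrypted key or a plain, unencrypted WIF key. The function names and the two sample keys are constructed for illustration (dummy bytes, not real keys).

```python
import hashlib

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

def _checksum(payload: bytes) -> bytes:
    # Base58Check: first 4 bytes of SHA-256(SHA-256(payload))
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]

def b58check_encode(payload: bytes) -> str:
    raw = payload + _checksum(payload)
    n, out = int.from_bytes(raw, "big"), ""
    while n:
        n, r = divmod(n, 58)
        out = B58[r] + out
    return "1" * (len(raw) - len(raw.lstrip(b"\0"))) + out

def b58check_decode(text: str):
    """Return the payload, or None on a bad character or checksum."""
    n = 0
    for ch in text:
        if ch not in B58:
            return None
        n = n * 58 + B58.index(ch)
    zeros = len(text) - len(text.lstrip("1"))
    raw = b"\0" * zeros + n.to_bytes((n.bit_length() + 7) // 8, "big")
    if len(raw) < 5:
        return None
    payload, check = raw[:-4], raw[-4:]
    return payload if _checksum(payload) == check else None

def classify_key(text: str) -> str:
    payload = b58check_decode(text.strip())
    if payload is None:
        return "invalid"
    # BIP-38: 39-byte payload, prefix 0x0142 (plain) or 0x0143 (EC-multiplied)
    if len(payload) == 39 and payload[:2] in (b"\x01\x42", b"\x01\x43"):
        return "bip38-encrypted"
    # Mainnet WIF: 0x80 + 32-byte key (+ 0x01 if compressed), no passphrase
    if payload[:1] == b"\x80" and len(payload) in (33, 34):
        return "unencrypted-wif"
    return "other"

# Constructed samples (dummy bytes, not real keys), built offline.
SAMPLE_BIP38 = b58check_encode(b"\x01\x42\xc0" + bytes(range(36)))
SAMPLE_WIF = b58check_encode(b"\x80" + bytes(range(1, 33)))

if __name__ == "__main__":
    for label, key in (("bip38", SAMPLE_BIP38), ("wif", SAMPLE_WIF)):
        print(label, key, classify_key(key))
```

A key that comes back as `unencrypted-wif` is protected only by the drive encryption, so regenerate that wallet with a BIP-38 passphrase before funding it.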
You may be thinking "Well, this is all nice for long term cold storage, but what if I need to send some bitcoins quick?" Here's the answer: In order to retrieve the coins fast all you need is a smartphone or a desktop-based wallet capable of sweeping the coins from the BIP-38 wallets. Here's what can be done:
1. Run VeraCrypt and plug in the encrypted USB. Open it with VeraCrypt by clicking on "select device". It will ask you for the password (you can set a "favorites" command on VeraCrypt to detect the drive and ask you for the password once it gets plugged in to speed up things, by the way.) BONUS: This can be done with or without an internet connection. So if you want extra security, disconnect the modem.
2. Once you open the encrypted USB, open one of the encrypted wallet graphic files so you can see it on screen. Don't worry if somebody sees it. It's encrypted. Nobody will be able to crack it if it has a strong password.
3. Now take out your smartphone and sweep the private key. You can do this on iOS with Breadwallet or on Android with Mycelium. Enter the password. The coins are now in your phone. Or sweep them with a desktop wallet capable of sweeping the encrypted wallets. For security purposes, I suggest using a smartphone or an iPod or an iPad capable of running Breadwallet.
4. Send the coins you need to send and then send the rest to another encrypted wallet on the drive (remember I said create several wallets? That's why).
5. Your remaining coins are now safely back into an encrypted wallet in an encrypted drive.
The best part of this system is you can create several encrypted thumb drives and thus have backups. If something happens to a Trezor you can recover the wallet with a passphrase, but you can't replace the device itself without spending another 100 dollars. But if one of the encrypted USB drives gets lost, damaged, or stolen, it can be replaced with a copy.
WARNING: If you change the contents of one encrypted USB drive, make sure you make the same changes to the backup encrypted drives. That way if one is lost you will always have a copy.
In theory, if you create enough encrypted wallets you won't need to change anything on the USB drive. Maybe delete the wallets that were swept and are now empty, but other than that it isn't really necessary to change anything. Just sweep the encrypted wallets when necessary and send back the change to another unused address.
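One way to confirm the backup drives really match, as the warning above requires, is to hash every file on both mounted volumes and compare the results. This is an added example, not part of the original tutorial; the function names are illustrative, and the two mount points passed on the command line are whatever paths or drive letters VeraCrypt mounted the drives at.

```python
import hashlib
import sys
from pathlib import Path

def manifest(mount_point):
    """Map each file's path (relative to the mount point) to its SHA-256."""
    root = Path(mount_point)
    result = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            digest = hashlib.sha256()
            with path.open("rb") as fh:
                # Read in 1 MiB chunks so large files do not fill memory.
                for chunk in iter(lambda: fh.read(1 << 20), b""):
                    digest.update(chunk)
            result[path.relative_to(root).as_posix()] = digest.hexdigest()
    return result

def compare_volumes(primary, backup):
    """Report files that are missing, extra, or different on the backup."""
    a, b = manifest(primary), manifest(backup)
    return {
        "missing_from_backup": sorted(a.keys() - b.keys()),
        "only_on_backup": sorted(b.keys() - a.keys()),
        "content_differs": sorted(k for k in a.keys() & b.keys() if a[k] != b[k]),
    }

def in_sync(primary, backup):
    """True only when both volumes hold exactly the same files."""
    return not any(compare_volumes(primary, backup).values())

if __name__ == "__main__":
    # Usage: python compare_drives.py <primary mount> <backup mount>
    report = compare_volumes(sys.argv[1], sys.argv[2])
    for problem, files in report.items():
        for name in files:
            print(f"{problem}: {name}")
    sys.exit(0 if not any(report.values()) else 1)
```

Run it with both drives mounted, ideally on an offline machine, after every change to the primary drive.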
PS: In case you are really paranoid, VeraCrypt has a feature just for you: it allows you to create a hidden volume in the encrypted drive with a different password that can't be detected. VeraCrypt calls it "plausible deniability" and it will allow you to give an attacker the password for the main non-hidden drive in case of extortion without compromising the contents of the hidden drive. I didn't mention this in the tutorial because it felt like overkill, but if you enjoy your paranoia go ahead and read the VeraCrypt documentation. It has a step-by-step tutorial on how to create a hidden volume.
UPDATE: Somebody on Reddit brought up the issue of the encrypted drive being used in a compromised machine. In theory, if you use an encrypted drive in a compromised computer (with viruses, keyloggers, etc.) the contents of the drive are no longer safe once you plug it in and enter the password. But here's where things get awesome: it doesn't matter if the computer is compromised.
Since the wallets are encrypted anyway, even if an attacker were to copy them he still can't crack them. And once you remove the drive from the machine the attacker would have to get physical access to the drive in order to use it.
But guess what? Even if the attacker gets physical access to the drive, the wallets are encrypted, so he can't do a thing with them because you're using an external device (a smartphone) to sweep them and you're entering the password in the phone, not on the computer. As I said: two layers of encryption between an attacker and your coins. And all for a mere fraction of the price of a Trezor or for free if you already have a USB drive that you can encrypt.