For Bitcoin, long-term funds should be signed offline. Cold storage is an operations problem: where signing happens, and what failures you accept.
If signing happens on an internet-connected machine, your threat model includes malware, browser compromise, dependency compromise, clipboard replacement, and remote exfiltration. If signing happens on an offline signer (hardware wallet or air-gapped device), most remote paths are removed and your remaining risk shifts to physical theft, coercion, and backup failure.
The practical architecture is straightforward. Run an online watch-only wallet (xpub/descriptors only) for address generation and UTXO tracking. Build unsigned transactions online. Move them to the signer as PSBT. Verify outputs and fees on the signer screen. Sign offline. Return signed PSBT for broadcast. This split is old, boring, and still hard to beat.
BIP32/descriptor details matter more than people think. Do not expose more derivation data than needed. Treat xpubs as sensitive metadata, because they leak full address history and future receive branches. Keep account-level hardened boundaries where appropriate; non-hardened derivation has clear operational benefits, but also clear blast radius if private material leaks under a known parent path.
Backups are usually the real single point of failure. Have at least two physically separate backups, verify restoration on fresh hardware before storing real value, and record enough wallet metadata to recover deterministically later (script type, derivation path, descriptor/export format, passphrase usage, and network). A seed phrase without context is a common recovery failure.
A sane baseline is: hot wallet for daily spend, cold single-sig for medium savings, multisig only when holdings justify the operational overhead. Multisig reduces key compromise risk, but it increases coordination risk. If your runbook is weak, multisig can be less safe than disciplined single-sig.
The goal is not maximum theoretical security; it is minimizing expected loss over years. Keep the system legible, test recovery periodically, and prefer procedures you will actually follow under stress.
Reference material that still holds up:
