Then I cloned this git repo: https://github.com/pointbiz/bitaddress.org and looked at the code. Sure enough it still has complete self-contained javascript for generating random numbers, create ECC keys, displaying the QR codes, etc. So I ran it in another browser by opening the bitaddress.org.html file stored on my computer. I moved the mouse around for entropy for the random number and it generated a private key and corresponding address. I printed it.
Next I scanned the printed private (they call it secret) key into the mycellium app on my phone. I honestly don''t know what app to trust anymore, and mycellium seems to be a little junked up with promotional stuff. But you won't need to do that until you want to spend. I did it simply so I know (1) the private ("secret") key on the paper is readable and (2) my proceeds will actually be transacted from coinbase to my brand new address.
Next I copied the address (derived from public key) from my other browser into the coinbase screen where it asks where to send the bitcoin. I set the amount I wanted to send. Next coinbase texted another code to my phone. I typed that code into the browser. Then it said "sent".
Next I opened mycelliium on my phone. I see the amount that I sent from coinbase on my phone. Had to wait a few minutes, long enough to type the message to you above. I now have my private key in two place: on a piece of paper about to go in my safe, and in my phone.
Bad policy someone might point out. Almost everyone generates private keys (with corresponding address) from seed phrases and they transact the bitcoin to the generated address. They always generate a new key/address for every transaction. But I don't care because right now I am cold storing like you. I happen to have a second copy of the private key on my phone at this moment. But I could erase that any time I feel like it. Or spend it. I haven't decided. I don't know when I'll decide. Either way there's the paper in my safe with the same private key.
Thanks for the step-by-step.
I need to study it for a few days make sure I don’t mess up.
What does that mean? Two basic possibilities: the private key that it generates is not secure. It might just pretend to generate a random number after collecting entropy when it might simply be choosing the next number in a pseudorandom sequence (looks random but isn't) that the bad guys can predict.
Second possibility the javascript has hidden code in it to send the generated private key to the bad guys. I could preclude that by running the javascript on a second computer that's not online. Or taking my computer offline, running, clearing browser caches, rebooting, then going back online. But I am much too lazy to do all that.
I think the bitaddress.org code is probably secure enough for my purposes. Drago please feel free to correct if you disagree.
I've always heard that you shouldn't keep a private key on your phone...