A way to secure online storage
One thing that could very much help with securing any data file of interest from access is to make use of Mandatory Access Control (SELinux in this example) and a second machine, possibly airgapped. You'll need a small program running on the wallet machine (I'll call it banker for this post) whose job it is to generate challenges and release coins only to properly authenticated requests.
We rely on SELinux to do the following: prevent read, write, and permission changing access to the bitcoin and authentication seed files to every application except for banker and whatever it spawns. We also rely on SELinux to prevent itself from being taken out of enforcing mode without a system reboot.
The banker authenticates any withdrawal by printing a random seed value and the corresponding HMAC output generated by combining the seed value with your authentication seed. This authentication seed is kept somewhere else, perhaps on your phone. You can use any method you'd like for exchanging the signed request such as email, scp, web interface, or taking a picture of a QR code and running it through your own app on the phone, then taking a picture of that code with your computer's camera. Go wild! You could also make use of an incrementing counter that never lets an equal or lower-numbered request succeed in order to make one-way authentications, or if you're feeling very fancy, you can use GnuPG and an OpenPGP smartcard to authenticate with a pinpad.
Expire any requests after a certain period of time: five minutes to an hour depending on how speedy you feel. Expire any requests that work immediately so they can't be replayed. Not that I recommend it (defense-in-depth is always wise), but in theory this should permit you to allow somebody to log in to your machine as root and still be unable to steal your coins.
The security of your offline storage
I realized I didn't actually answer your initial question, so here's the followup: you're trying to defend against losing your money in one of two ways:
- Somebody steals your wallet
- You lose your wallet
In both cases of offline storage, you're protected if you weren't compromised before the data was printed out and erased from the computer's memory. That second part is a big caveat: if you're printing files they may be left as temporary files somewhere on the disk.
Both systems are roughly equal for risk of loss. Your password should be very long and complex. If you forget or lose the paper where your password is written, your wallet becomes lost, in essence to a fire. If you lose the paper you printed individual values on, the same happens.
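The challenge, expiry and single-use rules described for banker in the first part of the post, as an added Python example that is not part of the original answer. The `Banker` class, `respond` function, the 16-byte nonce, HMAC-SHA256 and the binding of the request text into the HMAC are assumptions made for illustration; the seed and request values are constructed.

```python
import hashlib
import hmac
import secrets
import time

CHALLENGE_TTL = 300  # seconds; the post suggests five minutes to an hour


def respond(auth_seed: bytes, challenge: bytes, request: bytes) -> str:
    """Runs on the device holding the authentication seed (e.g. the phone)."""
    # The challenge has a fixed length, so challenge + request is unambiguous.
    return hmac.new(auth_seed, challenge + request, hashlib.sha256).hexdigest()


class Banker:
    """Hypothetical sketch of the challenge side, not a real wallet daemon."""

    def __init__(self, auth_seed: bytes, clock=time.monotonic):
        self._seed = auth_seed
        self._clock = clock
        self._pending = {}  # challenge -> (request, time issued)

    def challenge(self, request: bytes) -> bytes:
        nonce = secrets.token_bytes(16)  # the "random seed value" shown to the user
        self._pending[nonce] = (request, self._clock())
        return nonce

    def authorize(self, nonce: bytes, response: str) -> bool:
        # pop() retires the challenge on first use, pass or fail, so a
        # captured response can never be replayed.
        entry = self._pending.pop(nonce, None)
        if entry is None:
            return False
        request, issued_at = entry
        if self._clock() - issued_at > CHALLENGE_TTL:
            return False  # expired request
        expected = respond(self._seed, nonce, request)
        # Constant-time comparison avoids leaking how many characters matched.
        return hmac.compare_digest(expected.encode(), response.encode())


if __name__ == "__main__":
    seed = secrets.token_bytes(32)                  # constructed authentication seed
    request = b"withdraw 0.1 to ADDRESS-PLACEHOLDER"  # constructed request
    banker = Banker(seed)
    nonce = banker.challenge(request)
    answer = respond(seed, nonce, request)
    print("first use:", banker.authorize(nonce, answer))  # accepted
    print("replay:   ", banker.authorize(nonce, answer))  # rejected
```
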