Doesn't bitcoin-qt/bitcoind have wallet encryption built in? The walletpassphrase feature uses strong encryption via a passphrase to unlock it before letting the system see the private keys in the wallet.dat

If your wallet.dat is encrypted with a strong passphrase this should be all you need. You can back up as many times as you want and even if you lose your wallet.dat to someone else, they can't open it without your passphrase. (So choose a strong one so they can't brute-force it).

When generating a paper wallet via a unix terminal or some other program. Make sure the private key generated with the public/private key pair isn't stored in the system history. For instance with Unix, sometimes even the clear command can leave remnants of printed data to SystemOut in programs like xterm, or even a traditional tty.