There are three ways that I can think off to store your private keys safely (offline)
1) Having a hardware wallet (Trezor, Ledger, and so on). The problem: Having to trust their custom RNG, their while hardware, that there will be no surprises (see trezord.exe phoning home)
You don't have to do this. You can create your own seed offline and insert it in the machine. They'll recognise anything that's valid. Beyond that I do wonder how many other horrors will be uncovered in the years to come with hardware wallets. The spoils would be humongous.
I used to be all paper. Now I'm all hardware.
The third option sounds cool but far too much ball ache. If I'm to spend at the moment I'll get rid of one of my numerous forks, stick the proceeds in a phone wallet and go retail crazy.
I just can't trust hardware wallets. I think airgapped linux laptop is the way to go, but im still unsure how to go about signing offline transactions... I tried to practice with testnet coin. Got a testnet node synced and set another testned core wallet on the offline machine, then I put the public keys on the online node to see my funds in watch-only mode, but crating the transactions is too complicated if you need to pick specific inputs. I mean, it's like trying to do the "Coin Control" part of the GUI but manually... a pain in the ass indeed.