How about an air-gapped PC?
This. With the proviso that this means a dedicated machine which is never connected to a network, and has hardware capable of non-contact connections (such as wifi and bluetooth) physically removed. I state this explicitly, for I've observed that many people mistakenly believe that rebooting their networked machines with a live CD/USB makes for an airgap.
Part of the advantage of an airgap machine is that the hardware can be purchased anonymously. For ordinary individuals, buying an inexpensive laptop (sufficient for Bitcoin, PGP, etc.) off the shelf for cash is the only practical means I know for precluding any chance of a targeted supply-chain attack. Wherefore this part of the Ledger vulnerability disclosure blog post caught my attention (boldface is in the original):
That's too extreme. In most cases, use Bitkey (https://bitkey.io/).
It would take someone familiar with Linux to use it, but all the information needed on how to make a bootable USB, and how to use and configure it, is available online. There is no excuse for a newbie Bitcoiner not to learn.
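Two checks that go with the advice in this thread, as an added example that is not from any of the posters: for the air-gap post above (a dedicated machine with wifi and bluetooth hardware physically removed) a sysfs walk that reports any radio the kernel can still see, and for the bootable-USB step here a checksum verification that must pass before the image is written with dd. The script assumes a Linux host with GNU coreutils (sha256sum, dd with bs=4M and conv=fsync) and the usual sysfs layout; the sysfs root is a parameter so the audit can be run against a constructed tree. A radio that is absent from sysfs is not proof that it is absent from the machine (an unsupported or firmware-disabled device is invisible here), so the audit is a sanity check after removal, not a substitute for it.

```shell
#!/bin/sh
# Added example for the air-gap thread; not code from any poster.
# Assumes Linux, GNU coreutils, and sysfs under the given root (default /sys).
set -eu

# verify_image IMAGE SUMSFILE
# Succeeds only if SUMSFILE carries a SHA-256 line for IMAGE's basename that
# matches the file's real digest. Check the vendor's PGP signature on SUMSFILE
# as well; a checksum fetched from the same place as the image only proves the
# download was not corrupted, not that it was not replaced.
verify_image() {
    image=$1
    sums=$2
    name=$(basename "$image")
    # sha256sum writes "HASH  name" (text) or "HASH *name" (binary mode).
    expected=$(awk -v n="$name" '$2 == n || $2 == "*" n { print $1; exit }' "$sums")
    if [ -z "$expected" ]; then
        echo "no entry for $name in $sums" >&2
        return 1
    fi
    actual=$(sha256sum "$image" | awk '{ print $1 }')
    if [ "$actual" != "$expected" ]; then
        echo "checksum mismatch for $name" >&2
        return 1
    fi
    echo "checksum ok: $name"
}

# write_image IMAGE DEVICE
# Writes the verified image to a whole block device. Refuses anything that is
# not a block device or that has mounted partitions, which is the usual way a
# typo in the device name destroys the host's own disk.
write_image() {
    image=$1
    dev=$2
    if [ ! -b "$dev" ]; then
        echo "$dev is not a block device" >&2
        return 1
    fi
    if grep -q "^$dev" /proc/mounts; then
        echo "$dev has mounted partitions; refusing to overwrite it" >&2
        return 1
    fi
    dd if="$image" of="$dev" bs=4M conv=fsync
    sync
}

# list_radios [SYSROOT]
# Prints every wifi interface, bluetooth adapter and rfkill entry visible in
# sysfs. Returns 1 if anything was found, 0 if the tree looks radio-free.
list_radios() {
    root=${1:-/sys}
    found=0
    for d in "$root"/class/net/*; do
        [ -d "$d" ] || continue
        # wifi interfaces expose a wireless/ directory and a phy80211 link
        if [ -d "$d/wireless" ] || [ -e "$d/phy80211" ]; then
            echo "wireless interface: $(basename "$d")"
            found=1
        fi
    done
    for d in "$root"/class/bluetooth/*; do
        [ -e "$d" ] || continue
        echo "bluetooth adapter: $(basename "$d")"
        found=1
    done
    for d in "$root"/class/rfkill/*; do
        [ -d "$d" ] || continue
        if [ -r "$d/type" ]; then
            echo "rfkill entry: $(basename "$d") type=$(cat "$d/type")"
        else
            echo "rfkill entry: $(basename "$d")"
        fi
        found=1
    done
    if [ "$found" -eq 0 ]; then
        echo "no wireless/bluetooth devices visible under $root"
    fi
    return "$found"
}

# Usage: script.sh verify IMAGE SUMSFILE | write IMAGE /dev/sdX | audit [SYSROOT]
case "${1:-}" in
    verify) verify_image "$2" "$3" ;;
    write)  verify_image "$2" "$3.sha256" && write_image "$2" "$4" ;;
    audit)  list_radios "${2:-/sys}" ;;
esac
```

The order matters: verify on the networked download machine, write the USB there, then run the audit on the air-gapped target after the radios have been pulled. A non-zero exit from the audit means the kernel still enumerates a radio and the machine is not yet what the post above calls an airgap.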