1. creation
the first thing to do is to create the paper wallet correctly so that you are not leaking anything in this step. for that you should start by choosing a good tool and for that you first have to decide whether you want to store a single key or a seed.
if it is a single key (the most common form of paper wallet) then you can use any trusted wallet that allows you to export the private keys. you can also use specialized tools such as bitaddress.
if it is seed then your choice is limited to the HD wallets such as Electrum.
then you have to download this "tool" and verify its authenticity. this is usually done with a PGP signature.
and the final step is to run it and generate your key(s). in this case you want to choose a clean environment to do that. the best way to do it is using a live linux with network physically disabled.
I am considering only a single key, seeds are not an option for my application. My wallet generates them and allows me to export private keys as a text string. I then want copy-paste these into a QR code generator to make QR codes and print the codes + text strings as public/private key pairs. Is this simply too compromised? What can I do to improve this short of abandoning this approach entirely?
then you have to download this "tool" and verify its authenticity. this is usually done with a PGP signature.
and the final step is to run it and generate your key(s). in this case you want to choose a clean environment to do that. the best way to do it is using a live linux with network physically disabled.
The generator of my keys is a wallet, so while it can be temporarily physically disconnected, it cannot be permanently so to broadcast tx's to the world. Ideally internet-facing elements have only public read-only keys and private keys are kept back in paper wallets (the purpose of this thread). Since my goal is to input keys into this wallet via QR codes, including private keys, there will have to be a camera which is a source of compromise at some point. Should the wallet be air gapped completely and the tx text be transmitted somehow to a node for broadcast? This is where it gets tricky for me.
2. printing
using seed words helps in this case since you wouldn't need a printer, in case you don't own one or are worried about printer memory. you can write down phrases on paper easier than random characters of a private key.
using encryption in this case is encouraged. it prevents someone from physically stealing your coins since they would need the password but then you will have to create a back up of that password too. using encryption also solves the problem with printers if the password was strong and the encryption was a good one (such as BIP38 or simply using AES-256).
As I said, seeds are out, full stop. I fully appreciate the value of seeds, but not this time. I see walletgenerator.net allows BIP38 and ASC256 encryption of keys but I don't see any means to decrypt them later. Again I am using keys generated from my wallet and not walletgenerator.net or elsewhere. I am trying to secure these keys beyond them just sitting on a HD pretty much in the clear.
I concur on everything in sections 3 and 4. I am trying to find a way to properly secure keys not using seeds or a hardware wallet. If those are off the table, what are my "best practices?"