Glossary

Air-Gapped Signing

Signing Bitcoin transactions on a device permanently disconnected from any network, transferring data via QR codes or microSD cards.

Key Takeaways

  • Air-gapped signing keeps private keys on a device that never connects to any network, eliminating USB, Wi-Fi, and Bluetooth attack surfaces. Data moves between the offline signer and an online watch-only wallet through QR codes or microSD cards.
  • The PSBT standard (BIP-174) makes air-gapped workflows practical by packaging everything a signer needs: the unsigned transaction, UTXO data, derivation paths, and scripts, all in a single portable file.
  • Air-gapped devices like Coldcard, SeedSigner, and Foundation Passport offer the strongest isolation model for cold storage, but the multi-step signing workflow trades convenience for security compared to USB-connected hardware wallets.

What Is Air-Gapped Signing?

Air-gapped signing is the practice of signing Bitcoin transactions on a device that has no electronic connection to any computer or network. The term "air gap" refers to the literal gap of air between the signing device and the internet: no USB data cable, no Wi-Fi radio, no Bluetooth, and no cellular modem. Private keys are generated, stored, and used exclusively on this isolated device, and they never touch a networked machine.

The approach splits the transaction workflow into two distinct roles. An internet-connected coordinator (the watch-only wallet) constructs transactions and broadcasts them to the Bitcoin network. A separate offline signer holds the keys and produces signatures. Data moves between the two through physically mediated channels: QR codes displayed on screens, files saved to microSD cards, or in some cases NFC at very close range. This separation ensures that even if the networked computer is fully compromised by malware, the attacker cannot extract private keys or alter a transaction without the user noticing on the signing device's own display.

Air-gapped signing represents the most security-conscious approach to self-custody. It is widely used for long-term Bitcoin savings, multisig setups, and institutional custody where the cost of a key compromise far outweighs the inconvenience of a multi-step signing process.

How It Works

The air-gapped signing workflow relies on Partially Signed Bitcoin Transactions (PSBTs), defined in BIP-174. PSBTs package everything a signer needs into a single portable container: the unsigned transaction, previous UTXO data, redeem scripts, witness scripts, and BIP-32 derivation paths.

  1. The user opens a watch-only wallet (such as Sparrow or Specter) on a networked computer. This wallet knows the public keys and can track balances and UTXOs but cannot sign.
  2. When the user wants to send bitcoin, the watch-only wallet constructs a PSBT containing the unsigned transaction and all metadata the signer needs.
  3. The PSBT is transferred to the air-gapped device via QR code (displayed on screen and scanned by the device's camera) or via a microSD card physically moved between machines.
  4. The signing device displays the transaction details on its own screen: destination address, amount, and fee. The user verifies these details independently of the potentially compromised computer.
  5. After user confirmation, the device signs the transaction with the private key and produces a signed PSBT.
  6. The signed PSBT is transferred back to the networked computer through the same physical channel.
  7. The watch-only wallet finalizes the transaction and broadcasts it to the Bitcoin network.

Data Transfer Methods

Three physical channels are used to bridge the air gap, each with different tradeoffs:

  • QR codes: the device's camera scans codes displayed on the computer screen, and the device displays signed data as QR codes for the computer's camera to read back. For large PSBTs (common in multisig), animated QR sequences split the data across multiple frames. Two competing standards exist: Blockchain Commons Uniform Resources (URs), which use fountain codes for resilient scanning, and BBQr (by Coinkite), which uses Base32 encoding with optional ZLIB compression. Sparrow Wallet supports both formats.
  • MicroSD cards: the PSBT file is saved to a card, physically carried to the signing device, signed, and carried back. This method handles arbitrarily large transactions without scanning complexity, but requires physically moving media between devices.
  • NFC: operates at under 4 cm range for tap-to-sign workflows. Used by Coldcard Mk4 and Q. NFC is controversial among air-gap purists because it is technically a wireless protocol, though the extremely short range limits remote attack feasibility.

PSBT Example Workflow

Using Coldcard with microSD as an example:

# On the networked computer (Sparrow Wallet)
# 1. Build transaction, export PSBT to microSD
#    File saved as: txn-unsigned.psbt

# On the Coldcard (air-gapped)
# 2. Insert microSD, review transaction on device screen
# 3. Approve and sign
#    Device writes: txn-signed.psbt

# Back on the networked computer
# 4. Import signed PSBT from microSD
# 5. Broadcast to Bitcoin network
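
An added example (not from the original page or from any wallet's code base): a minimal Python reader for the BIP-174 container that returns the outputs and fee of a file such as txn-unsigned.psbt, the same figures the signing device should show on its own screen. It assumes every input carries a witness UTXO record; SAMPLE_PSBT, txout and the function names are constructed for this illustration.

```python
def read_compact(buf, pos):  # CompactSize integer -> (value, next_pos)
    width = {0xfd: 2, 0xfe: 4, 0xff: 8}.get(buf[pos], 0)
    value = int.from_bytes(buf[pos + 1:pos + 1 + width], "little") if width else buf[pos]
    return value, pos + 1 + width

def read_map(buf, pos):  # one BIP-174 key-value map -> (entries, next_pos)
    entries = {}
    while buf[pos] != 0:                      # a zero key length ends the map
        klen, pos = read_compact(buf, pos)
        vlen, vpos = read_compact(buf, pos + klen)
        entries[buf[pos:pos + klen]] = buf[vpos:vpos + vlen]
        pos = vpos + vlen
    return entries, pos + 1

def parse_unsigned_tx(tx):
    """Return (input_count, [(sats, scriptPubKey), ...]) for a non-witness tx."""
    n_in, pos = read_compact(tx, 4)               # skip the 4-byte version
    for _ in range(n_in):
        slen, pos = read_compact(tx, pos + 36)    # skip outpoint (txid + vout)
        pos += slen + 4                           # scriptSig, then sequence
    n_out, pos = read_compact(tx, pos)
    outputs = []
    for _ in range(n_out):
        slen, spk = read_compact(tx, pos + 8)     # 8-byte amount precedes script
        outputs.append((int.from_bytes(tx[pos:pos + 8], "little"), tx[spk:spk + slen]))
        pos = spk + slen
    return n_in, outputs

def summarize(psbt):
    """Return (outputs, fee_sats) as claimed by the PSBT's own UTXO records."""
    if psbt[:5] != b"psbt\xff":
        raise ValueError("not a PSBT: bad magic bytes")
    glob, pos = read_map(psbt, 5)
    n_in, outputs = parse_unsigned_tx(glob[b"\x00"])   # PSBT_GLOBAL_UNSIGNED_TX
    fee = -sum(sats for sats, _ in outputs)
    for _ in range(n_in):
        imap, pos = read_map(psbt, pos)
        if b"\x01" not in imap:                        # PSBT_IN_WITNESS_UTXO
            raise ValueError("input has no witness UTXO; fee cannot be checked")
        fee += int.from_bytes(imap[b"\x01"][:8], "little")
    return outputs, fee

# Constructed sample: one 100,000-sat input, two P2WPKH outputs, 1,000-sat fee.
def txout(sats, tag):
    return sats.to_bytes(8, "little") + b"\x16\x00\x14" + tag * 20
SAMPLE_TX = ((2).to_bytes(4, "little") + b"\x01" + bytes(36) + b"\x00\xfd\xff\xff\xff"
             + b"\x02" + txout(60_000, b"\x11") + txout(39_000, b"\x22") + bytes(4))
SAMPLE_PSBT = (b"psbt\xff\x01\x00" + bytes([len(SAMPLE_TX)]) + SAMPLE_TX + b"\x00"
               + b"\x01\x01\x1f" + txout(100_000, b"\x33") + b"\x00" + b"\x00\x00")
```

Running summarize on the file before export and again on the signed file that comes back shows whether the outputs changed while the data was off the coordinator.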

Air-Gapped Hardware Options

Several signing devices support fully air-gapped operation:

| Device | Transfer Methods | Key Features |
|---|---|---|
| Coldcard Q | MicroSD, QR (BBQr), NFC | Dual secure elements from different vendors, full QWERTY keyboard, runs on AAA batteries |
| SeedSigner | QR only (UR format) | DIY build from off-the-shelf parts (~$50), stateless (wipes keys on power-off), fully open source |
| Foundation Passport | QR, MicroSD | Open-source hardware and firmware, power-only USB-C (no data lines), replaceable battery |
| Keystone 3 Pro | QR only | 4-inch touchscreen, EAL 5+ secure element, co-authored BIP-129 (multisig setup standard) |
| Blockstream Jade Plus | QR only (animated) | Virtual secure element model (fully open-source hardware), anti-klepto protocol support even in QR mode |

Stateless devices like SeedSigner take air-gapping further: they store nothing between sessions. The user re-enters their seed phrase (or scans a SeedQR) each time they need to sign, so even physical theft of the powered-off device reveals nothing. For a broader comparison of custody approaches, see the Bitcoin custody solutions comparison.

Security Advantages

Air-gapped signing eliminates entire categories of remote attack vectors:

  • No USB attack surface: eliminates BadUSB attacks, malicious device enumeration, and USB-based malware injection
  • No wireless attack surface: no Bluetooth pairing vulnerabilities, no Wi-Fi network attacks
  • No network-based firmware update attacks: firmware is verified and loaded via microSD or QR, not pulled over the internet by the device
  • Physical separation as operational discipline: a device that stays in a vault is harder to reach, reducing exposure to physical tampering

The security value of air-gapping is primarily operational rather than purely cryptographic. A malicious PSBT on a microSD card is no more inherently safe than one delivered over USB: security depends on how the device validates incoming data. The real protection comes from the discipline of keeping the signing device physically isolated and verifying every transaction on its independent display.

The Nonce Covert Channel Risk

One important caveat: a compromised signing device can leak a seed phrase through as few as two to four signatures by manipulating ECDSA nonces. These signatures appear on the public blockchain, so an attacker who controls the device firmware can exfiltrate the seed even across an air gap. The anti-klepto protocol (supported by Blockstream Jade and Coldcard) mitigates this by requiring the host to contribute randomness to the nonce, but this protocol requires a real-time round-trip that is difficult to implement across QR-based air gaps. Open-source firmware that users can audit and reproducibly build remains the primary defense.

Use Cases

  • Long-term savings: storing bitcoin that will not be spent frequently, where the extra signing steps are acceptable for maximum security
  • Multisig setups: air-gapped devices serve as individual signers in a threshold signature scheme, where multiple geographically distributed devices must each sign a PSBT before it can be broadcast
  • Institutional custody: exchanges, funds, and custodians use air-gapped signing ceremonies in secure facilities to authorize large withdrawals
  • Inheritance planning: a signing device stored in a safe deposit box, paired with a watch-only wallet accessible to heirs, creates a recoverable but secure custody arrangement
  • UTXO consolidation and coin control operations on cold storage, where the user periodically batches housekeeping transactions

Air-Gapped vs. Connected Hardware Wallets

Connected hardware wallets like Ledger and Trezor communicate with the host computer via USB (and in some cases Bluetooth). This simplifies the workflow to a single step: plug in, confirm on device, unplug. But it introduces an electronic data channel that, while protected by the device's firmware, represents a theoretical attack surface.

| Factor | Air-Gapped | USB-Connected |
|---|---|---|
| Signing speed | Minutes (multi-step transfer) | Seconds (direct communication) |
| USB/wireless attack surface | Eliminated | Present (mitigated by firmware) |
| Firmware updates | Via microSD or QR | Via USB from companion app |
| Anti-klepto support | Limited (requires extra round-trip) | Native (real-time protocol) |
| Driver compatibility | No drivers needed | May require drivers or browser extensions |
| Learning curve | Higher (PSBT workflow) | Lower (plug-and-sign) |

For users who sign infrequently and prioritize maximum isolation, air-gapped signing is the stronger choice. For users who transact daily and need a faster workflow, a USB-connected hardware wallet with open-source firmware provides a practical middle ground. For a deeper look at how these tradeoffs play out across custody models, see the self-custodial vs. custodial wallets research article.

Risks and Considerations

  • Supply chain attacks: if the signing device is tampered with before delivery (modified firmware, pre-generated seed), the air gap provides no protection. Always verify device integrity: check tamper-evident packaging, verify firmware signatures, and generate your own seed on the device
  • User error during transfer: misreading QR codes, using the wrong microSD card, or failing to verify the transaction on the device's screen can lead to signing a malicious transaction crafted by malware on the networked computer
  • Firmware trust: even open-source firmware must be compiled and flashed correctly. Reproducible builds (where anyone can verify the binary matches the source code) are the gold standard, but not all devices support them
  • Physical security: the air gap protects against remote attacks, but the device and its seed backup remain vulnerable to physical theft or coercion. Passphrases, duress PINs, and geographic distribution of multisig keys mitigate this risk
  • Animated QR fragility: scanning animated QR sequences can be unreliable in poor lighting or with low-quality cameras, and the two competing standards (UR and BBQr) are not interoperable

Why It Matters

Air-gapped signing represents the highest standard of key isolation available to Bitcoin holders. As the value stored in self-custodial wallets grows, so does the sophistication of attacks targeting key management infrastructure. Air-gapping addresses the most common vector: remote compromise of a connected device. For builders working on wallet infrastructure, understanding the air-gapped workflow and PSBT standard is essential for designing custody solutions that interoperate with the broadest range of signing devices. Layer 2 protocols like Spark complement this security model by enabling day-to-day spending from a separate, more accessible wallet while the bulk of funds remain in air-gapped cold storage.
