Signing Device

What Is a Signing Device?

A signing device (commonly called a hardware wallet) is a special-purpose electronic device designed to store cryptocurrency private keys and sign transactions without ever exposing those keys to a general-purpose computer. When you use a signing device, your seed phrase and derived keys exist only within the device's memory. The computer you pair it with never sees, transmits, or stores the private key material.

The core principle is separation of concerns. A general-purpose computer runs a web browser, email client, third-party applications, and potentially malware: all sharing the same memory and operating system. Storing private keys on such a machine means any compromised application could steal funds. A signing device eliminates this attack surface by confining key operations to a minimal, single-purpose environment with no network connectivity and a vastly reduced codebase.

The term "signing device" is preferred in security-focused communities over "hardware wallet" because it more accurately describes what the device does: it signs transactions. The wallet functionality (tracking balances, constructing transactions, managing addresses) lives in companion software on your computer or phone.

How It Works

The security model of a signing device rests on a simple guarantee: private keys are generated on the device, stored on the device, and used for signing on the device. At no point in the normal workflow do keys leave the device boundary.

Transaction Signing Flow

Every transaction follows a consistent pattern regardless of which signing device you use:

1. The companion app (Sparrow, Electrum, or the manufacturer's own software) constructs an unsigned transaction, encoding it as a PSBT (Partially Signed Bitcoin Transaction)
2. The PSBT is transferred to the signing device via USB, Bluetooth, microSD card, or QR code (depending on the device and desired air-gap level)
3. The device parses the transaction and displays the destination address, amount, and fee on its own screen for the user to verify
4. The user physically confirms by pressing a button on the device, triggering the device to sign the transaction with the stored private key
5. The signed transaction (or signature) is transferred back to the companion app, which broadcasts it to the Bitcoin network

The critical security property: even if the companion computer is fully compromised by malware, the attacker cannot extract keys from the signing device. They could attempt to trick the user into signing a malicious transaction, but the device's screen provides an independent verification channel.

PSBT: The Standard Interface

The PSBT format (BIP 174) is what makes the signing device ecosystem interoperable. It provides a standardized way to pass unsigned transactions between software and hardware:

# Export unsigned PSBT from wallet software
$ bitcoin-cli walletcreatefundedpsbt '[]' '[{"bc1q...": 0.05}]'

# Transfer to signing device (via file, QR, or USB)
# Device signs and returns the PSBT with signatures added

# Finalize and broadcast
$ bitcoin-cli finalizepsbt "cHNidP8BAH..."
$ bitcoin-cli sendrawtransaction "0200000001..."

Before PSBT existed, each signing device required custom integration with wallet software. PSBT created a universal contract: any wallet can produce a PSBT, any signing device can consume and sign it, and any node can broadcast the result. This is especially important for multisig setups where multiple signing devices from different manufacturers must collaborate on the same transaction.

Secure Element vs. Open Architecture

Signing devices fall into two broad design philosophies, each with meaningful tradeoffs:

Neither approach is strictly superior. Secure elements provide stronger physical tamper resistance but require trusting the chip vendor's proprietary silicon. Open architectures allow complete auditability but are more vulnerable to sophisticated physical attacks if an adversary gains possession of the device.

Air-Gapped Communication

Some signing devices go further by eliminating all wired and wireless connections. Air-gapped devices communicate exclusively through QR codes or microSD cards, ensuring there is no electronic data channel that malware could exploit:

• QR code exchange: the companion app displays a QR containing the unsigned PSBT, the device's camera scans it, signs, and displays a QR with the signed result for the companion app to scan back
• MicroSD transfer: the unsigned PSBT is saved to a microSD card, physically moved to the device, signed, and the card is moved back

Air-gapping eliminates USB-based attack vectors entirely, though it adds friction to the signing workflow.

Major Signing Devices

The market includes several well-established devices, each targeting different points on the security-usability spectrum:

Ledger

Ledger devices (Nano S Plus, Nano X, Stax) use a dual-chip architecture with a secure element running a proprietary operating system called BOLOS. Ledger supports a wide range of cryptocurrencies beyond Bitcoin and offers Bluetooth connectivity on some models. The tradeoff: the secure element firmware is closed-source, requiring trust in Ledger's implementation.

Trezor

Trezor (Model One, Model T, Safe series) pioneered the signing device category in 2014. The firmware is fully open-source, running on a standard microcontroller without a secure element. Users can compile and flash their own firmware. The tradeoff: the lack of a secure element means physical attacks against the chip are more feasible if the device is stolen.

Coldcard

Coldcard is a Bitcoin-only signing device focused on advanced security features. It includes a secure element for key storage, fully air-gapped operation via microSD, a passphrase entry directly on the device, duress PINs, and countdown timers for brute-force protection. Coldcard's firmware is source-viewable, and the device is designed for users who prioritize security over convenience.

BitBox02

The BitBox02 (Bitcoin-only edition) combines a secure element with open-source firmware. It uses a unique touch-slider interface and communicates via USB-C. The firmware is fully reproducible: users can compile the source and verify the binary matches what ships on the device. This addresses the auditability concern typical of secure-element designs.

Use Cases

Long-Term Cold Storage

The primary use case for signing devices is securing Bitcoin held for the long term. By keeping keys offline, holders protect against remote attacks (malware, phishing, exchange hacks) that represent the vast majority of cryptocurrency theft. A signing device paired with a well-managed seed phrase backup provides strong security for cold storage.

Multisignature Setups

Signing devices are essential components in multisig configurations. A typical 2-of-3 multisig vault might use three different signing devices from different manufacturers, stored in different locations. This eliminates single points of failure: no single stolen device, compromised manufacturer, or supply chain attack can result in fund loss.

Inheritance and Estate Planning

Signing devices simplify Bitcoin inheritance. A holder can create a multisig arrangement where family members or attorneys each hold a device, with clear instructions for recovery. The physical nature of the device makes it easier for non-technical heirs to understand compared to raw seed phrases or key files.

Institutional Custody

Organizations holding Bitcoin on behalf of clients often use signing devices as part of their custody infrastructure. Combined with threshold signature schemes or traditional multisig, signing devices ensure that no single employee or system can unilaterally move funds.

Risks and Considerations

Supply Chain Attacks

The most significant risk with signing devices is receiving a tampered unit. An attacker could intercept a device during shipping, modify the firmware to exfiltrate keys, and repackage it. Mitigations include:

• Buying directly from the manufacturer rather than third-party resellers
• Verifying tamper-evident packaging and holographic seals on arrival
• Running the device's attestation check, which cryptographically verifies the firmware is genuine (supported by Ledger, BitBox02, and Coldcard)
• For open-source devices: compiling firmware from source and flashing it yourself, eliminating trust in the pre-installed binary

Physical Theft

If an attacker physically obtains your signing device, the PIN protects against immediate access. However, sophisticated attackers may attempt side-channel attacks (power analysis, fault injection) to extract keys from devices without secure elements. A strong passphrase provides an additional layer: even if the device is cracked, the attacker still needs the passphrase to derive the correct keys.

Address Verification

A compromised companion app could display a different address on your computer screen than what the transaction actually contains. This is why verifying the destination address on the signing device's own screen is critical. Users who skip this verification step negate much of the security benefit of using a signing device.

Firmware Updates

Signing devices require periodic firmware updates to patch vulnerabilities and add features. Each update is a trust decision: you are replacing the code that guards your keys. Best practice is to verify update signatures, read changelogs, and wait for community review of new firmware versions before updating.

DIY Alternatives

For users who want maximum control, DIY signing devices built on commodity hardware offer an alternative. Projects like SeedSigner (Raspberry Pi Zero-based) and Krux allow users to assemble their own air-gapped signing device from off-the-shelf components. The device generates keys, signs PSBTs via QR code, and runs fully open-source firmware. The tradeoff: no secure element, no tamper-resistant enclosure, and the user is responsible for sourcing trustworthy components.

# SeedSigner workflow (QR-based, fully air-gapped)
1. Generate seed on device using camera entropy + dice rolls
2. Export xpub via QR to companion wallet (Sparrow, Specter)
3. Companion wallet constructs unsigned PSBT
4. Display PSBT as animated QR code
5. SeedSigner scans QR, displays transaction details
6. User verifies and confirms on device
7. SeedSigner displays signed PSBT as QR
8. Companion wallet scans, finalizes, and broadcasts

DIY devices are particularly appealing for multisig setups: if one of your three signing devices is a DIY build with independently sourced components, you further reduce the risk of a coordinated supply chain attack across manufacturers.

This glossary entry is for informational purposes only and does not constitute financial or investment advice. Always do your own research before using any protocol or technology.