ledger-setup-tips.com
Login
Independent review. This site is not the official website and is not affiliated with, endorsed by, or operated by the wallet vendor reviewed here. Never enter your seed phrase or private keys on any third-party site.

Air-Gapped Signing & Offline Transaction Workflows

Caleb Reyes Caleb Reyes
Try Tangem secure wallet →

What is air-gapped signing?

Air-gapped signing is a workflow where the hardware wallet that holds your private keys never connects to a networked computer or phone while signing transactions. The device is purposely isolated (air-gapped) and only exchanges transaction data through one-way media such as QR codes, microSD, or a physically transferred file. Short explanation: the transaction is prepared on an online host, moved to the offline signer, signed on-device, then the signed transaction is moved back for broadcast.

Why go to the trouble? Keeping private keys physically separated from internet-connected systems reduces the attack surface dramatically. In my experience, the added steps protect against a range of malware and remote-exploit scenarios. And yes, it adds a few steps compared with a USB plug-in workflow.

This page focuses on practical air-gapped workflows (including PSBT — Partially Signed Bitcoin Transaction), what to expect, and how to avoid common pitfalls.

How air-gapped signing works (PSBT basics)

PSBT stands for Partially Signed Bitcoin Transaction (BIP-174). It’s a standardized container that allows an online wallet to assemble a transaction and then hand that unsigned container to an offline signer for approval. The offline signer adds signatures and returns a fully or partially signed PSBT for broadcast.

Try Tangem secure wallet →

High-level flow:

  1. Build transaction on an online host (wallet software or coin-specific builder).
  2. Export unsigned PSBT file (or a QR representation) to a transfer medium.
  3. Import PSBT into the air-gapped hardware wallet and verify the details on the device screen.
  4. Approve/sign on the device; export the signed PSBT.
  5. Import the signed PSBT back into the online host and broadcast the transaction.

(Air-gapped workflows for non-Bitcoin chains use the same principle — construct an unsigned transaction, sign offline, then broadcast — though the exact file formats and tools differ.)

Step by step: Set up an air-gapped workflow

How to (practical):

  1. Prepare the hardware wallet
  2. Create a watch-only wallet on your online machine
    • Export the public descriptor or extended public key (xpub/descriptor). Import it into your online wallet so it can build transactions without holding private keys.
  3. Build an unsigned PSBT on the online host
    • Enter recipient, amount, and fee settings. Export the PSBT to an external medium (file, QR, microSD).
  4. Transfer the PSBT to the air-gapped hardware wallet
    • Import via QR, microSD, or USB OTG depending on your device capabilities.
  5. Verify and sign on the device
    • Check recipient address, amount, and fee on the device screen. The device is the only trusted display — verify carefully.
    • Approve and export the signed PSBT.
  6. Broadcast from the online host
    • Import the signed PSBT back to your online wallet and broadcast.

Test the full flow with a tiny amount before sending large sums. I recommend practicing the complete process twice; you’ll catch UI quirks and transfer nuances.

Connection methods & security implications

Methods for moving PSBTs to/from an air-gapped wallet:

  • QR codes: convenient and truly one-way if the device only displays/scans QR data. Good for small transactions. (Use a camera-only transfer tool or a freshly booted device.)
  • microSD/USB sticks: handles larger files and many PSBTs. But be careful with potentially compromised readers or OTG adapters.
  • USB OTG: some setups allow one-way file transfer using a hostless USB cable. Check your device docs and the wallet compatibility matrix /wallet-compatibility-matrix.
  • Bluetooth/NFC: avoid for long-term cold storage. Bluetooth increases the remote attack surface; I don't use it for deep cold backups. But some users accept the convenience trade-off for daily spending.

Which is safest? Physically transferred media (microSD or QR) reduce network exposure. But convenience vs security is a personal decision. But those extra steps pay off when you’re protecting significant holdings.

See more about connection trade-offs at /connections-usb-bluetooth-nfc.

PSBT and multisig: offline cosigning workflows

PSBT is particularly useful for multisig setups. Each cosigner receives the same PSBT, signs it (offline), and passes the partially signed file along. When the required number of signatures is attached, the transaction can be finalized and broadcast.

Practical tips:

  • Use watch-only descriptors on the online host so the wallet can calculate fees and construct transactions.
  • Track signing order and versioning (avoid mixing descriptors from different derivation paths).
  • Test a 2-of-3 flow with small amounts before moving larger funds. Read the multisig guide for workflow patterns: /multisig-setup-ledger.

Security architecture & firmware verification

A secure element on the hardware wallet stores private keys and performs cryptographic signing inside the chip. The whole point of air-gapped signing is that the private keys never leave that secure environment.

Firmware verification is critical. An attacker who can install or downgrade malicious firmware undermines air-gapped protections. Always verify firmware signatures per the manufacturer's instructions and read the verification guide: /firmware-update-verify. Also review supply-chain safety: /supply-chain-and-tamper-risks.

Seed phrase, passphrase and backups in air-gapped setups

Your seed phrase (recovery phrase) remains the master key to funds. Use metal backup plates for long-term durability and consider Shamir backup (SLIP-39) if you want split backups — see /backup-metal-slip39. If you use a passphrase (a 25th word), record your plan for inheritance and recovery carefully; a passphrase doubles as a second secret and losing it means losing access permanently (read: /passphrase-usage-risks).

I recommend a documented recovery plan that does not expose your seed phrase or passphrase to online systems.

Common mistakes and troubleshooting tips

  • Buying from unofficial sellers. Tampered devices are a real risk. Always source from trusted channels. See /where-to-buy-and-seller-safety.
  • Skipping firmware verification before going air-gapped.
  • Not verifying address/amount on the device screen (this defeats the purpose of offline signing).
  • Using infected peripherals (compromised SD readers, OTG cables).

If a transfer fails or a device is unresponsive, consult troubleshooting resources such as /troubleshoot-cannot-connect and /troubleshoot-firmware-stuck.

Feature comparison: air-gapped vs connected workflows

Feature Air-gapped-only workflow USB/Bluetooth connected workflow Software-only cold wallet
Supports PSBT offline signing Yes Yes (depends on host) Partial / depends
On-device address verification High High Low
Requires extra peripherals Often (QR/SD) Sometimes Yes (manual signing tools)
Ease of daily use Lower Higher Varies
Multisig compatibility High High Varies
Remote attack surface Lowest Low–Medium High

This table generalizes feature trade-offs. Your choice depends on threat model and frequency of transactions.

FAQ

Q: Can I recover my crypto if the device breaks? A: Yes — if you have a correctly recorded seed phrase/recovery phrase. Practice a restore on a spare device or simulator. See /recovery-when-device-breaks.

Q: What happens if the company behind my device goes bankrupt? A: Your funds are not held by the company; they are on the blockchain. Keep backups and ensure your recovery plan is vendor-agnostic. Read more: /company-bankruptcy-and-business-risk.

Q: Is Bluetooth safe for a hardware wallet? A: Bluetooth adds convenience but also attack surface. For long-term cold storage I avoid it. For smaller daily balances some choose it for convenience (know the trade-offs).

Q: Can I use PSBT for non-Bitcoin chains? A: PSBT is a Bitcoin-specific standard. Other chains support offline signing but use different file formats (raw tx hex, JSON). Check compatibility in /wallet-compatibility-matrix.

Conclusion & next steps

Air-gapped signing is the strongest practical way to keep private keys off internet-connected machines while still allowing regular spending and multisig workflows. It takes practice, but once you have the transfer methods and verification habits down, the process is reliable and repeatable. In my testing, the biggest wins are discipline (verify on-device) and backups (metal, redundantly stored).

Ready to build your workflow? Start with the setup overview: /getting-started-setup and the advanced transactions guide at /advanced-transactions-signing. Good luck — and always verify the address on the device screen before you tap "Approve."

Try Tangem secure wallet →