Air-gapped signing is a workflow where the hardware wallet that holds your private keys never connects to a networked computer or phone while signing transactions. The device is purposely isolated (air-gapped) and only exchanges transaction data through one-way media such as QR codes, microSD, or a physically transferred file. In short: the transaction is prepared on an online host, moved to the offline signer, signed on-device, then the signed transaction is moved back for broadcast.
Why go to the trouble? Keeping private keys physically separated from internet-connected systems reduces the attack surface dramatically. In my experience, the added steps protect against a range of malware and remote-exploit scenarios. And yes, it adds a few steps compared with a USB plug-in workflow.
This page focuses on practical air-gapped workflows (including PSBT — Partially Signed Bitcoin Transaction), what to expect, and how to avoid common pitfalls.
PSBT stands for Partially Signed Bitcoin Transaction (BIP-174). It’s a standardized container that allows an online wallet to assemble a transaction and then hand that unsigned container to an offline signer for approval. The offline signer adds signatures and returns a fully or partially signed PSBT for broadcast.
High-level flow:
(Air-gapped workflows for non-Bitcoin chains use the same principle — construct an unsigned transaction, sign offline, then broadcast — though the exact file formats and tools differ.)
How to (practical):
Test the full flow with a tiny amount before sending large sums. I recommend practicing the complete process twice; you’ll catch UI quirks and transfer nuances.
Methods for moving PSBTs to/from an air-gapped wallet:
Which is safest? Physically transferred media (microSD or QR) reduce network exposure. Convenience versus security is a personal decision, but those extra steps pay off when you’re protecting significant holdings.
See more about connection trade-offs at /connections-usb-bluetooth-nfc.
PSBT is particularly useful for multisig setups. Each cosigner receives the same PSBT, signs it (offline), and passes the partially signed file along. When the required number of signatures is attached, the transaction can be finalized and broadcast.
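The PSBT container and the multisig signature hand-off described above can be inspected without trusting the host wallet's display. The following is an added example, not code from this page or from any wallet vendor: a minimal reader for the BIP-174 (version 0) layout that lists the outputs being paid and counts the partial signatures attached to each input. The function names and the sample PSBT (with a dummy signature) are constructed for illustration.

```python
import base64
from io import BytesIO

MAGIC = b"psbt\xff"  # BIP-174 magic bytes

def take(s, n):
    if len(b := s.read(n)) != n:
        raise ValueError("truncated PSBT")
    return b

def compact(s):  # Bitcoin compact-size integer
    n = take(s, 1)[0]
    return n if n < 0xFD else int.from_bytes(take(s, 2 << (n - 0xFD)), "little")

def read_map(s):  # one key-value map, ended by a 0x00 separator
    m = {}
    while (klen := compact(s)) != 0:
        key = take(s, klen)
        if key in m:
            raise ValueError("duplicate key in map")
        m[key] = take(s, compact(s))
    return m

def tx_outputs(raw):  # unsigned tx: version, inputs, outputs, locktime
    s = BytesIO(raw)
    take(s, 4)  # version
    n_in = compact(s)
    for _ in range(n_in):
        take(s, 36)              # outpoint (txid + index)
        take(s, compact(s) + 4)  # scriptSig + sequence
    outs = [(int.from_bytes(take(s, 8), "little"), take(s, compact(s)).hex())
            for _ in range(compact(s))]
    return n_in, outs

def inspect_psbt(b64):
    s = BytesIO(base64.b64decode(b64, validate=True))
    if take(s, 5) != MAGIC:
        raise ValueError("not a PSBT")
    n_in, outs = tx_outputs(read_map(s).get(b"\x00", b""))  # global 0x00 = unsigned tx
    sigs = [sum(k[0] == 0x02 for k in read_map(s)) for _ in range(n_in)]  # 0x02 = partial sig
    return {"outputs": outs, "partial_sigs": sigs}

def sample_psbt():  # constructed sample: 1 input, 2 outputs, 1 dummy partial signature
    kv = lambda k, v: bytes([len(k)]) + k + bytes([len(v)]) + v
    out = lambda sats, h: sats.to_bytes(8, "little") + b"\x16\x00\x14" + h * 20
    tx = (b"\x02\x00\x00\x00\x01" + b"\xaa" * 36 + b"\x00" + b"\xff" * 4
          + b"\x02" + out(50_000, b"\x11") + out(149_000, b"\x22") + bytes(4))
    body = kv(b"\x00", tx) + b"\x00" + kv(b"\x02" * 34, b"\x30" * 71) + b"\x00" * 3
    return base64.b64encode(MAGIC + body).decode()
```

Compare the reported amounts and scripts with what the signer shows on its own screen, and compare each `partial_sigs` count with your multisig threshold before attempting to finalize.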
Practical tips:
A secure element on the hardware wallet stores private keys and performs cryptographic signing inside the chip. The whole point of air-gapped signing is that the private keys never leave that secure environment.
Firmware verification is critical. An attacker who can install or downgrade malicious firmware undermines air-gapped protections. Always verify firmware signatures per the manufacturer's instructions and read the verification guide: /firmware-update-verify. Also review supply-chain safety: /supply-chain-and-tamper-risks.
Your seed phrase (recovery phrase) remains the master key to funds. Use metal backup plates for long-term durability and consider Shamir backup (SLIP-39) if you want split backups — see /backup-metal-slip39. If you use a passphrase (a 25th word), record your plan for inheritance and recovery carefully; a passphrase doubles as a second secret and losing it means losing access permanently (read: /passphrase-usage-risks).
I recommend a documented recovery plan that does not expose your seed phrase or passphrase to online systems.
If a transfer fails or a device is unresponsive, consult troubleshooting resources such as /troubleshoot-cannot-connect and /troubleshoot-firmware-stuck.
| Feature | Air-gapped-only workflow | USB/Bluetooth connected workflow | Software-only cold wallet |
|---|---|---|---|
| Supports PSBT offline signing | Yes | Yes (depends on host) | Partial / depends |
| On-device address verification | High | High | Low |
| Requires extra peripherals | Often (QR/SD) | Sometimes | Yes (manual signing tools) |
| Ease of daily use | Lower | Higher | Varies |
| Multisig compatibility | High | High | Varies |
| Remote attack surface | Lowest | Low–Medium | High |
This table generalizes feature trade-offs. Your choice depends on threat model and frequency of transactions.
Q: Can I recover my crypto if the device breaks? A: Yes — if you have a correctly recorded seed phrase/recovery phrase. Practice a restore on a spare device or simulator. See /recovery-when-device-breaks.
Q: What happens if the company behind my device goes bankrupt? A: Your funds are not held by the company; they are on the blockchain. Keep backups and ensure your recovery plan is vendor-agnostic. Read more: /company-bankruptcy-and-business-risk.
Q: Is Bluetooth safe for a hardware wallet? A: Bluetooth adds convenience but also attack surface. For long-term cold storage I avoid it. For smaller daily balances some choose it for convenience (know the trade-offs).
Q: Can I use PSBT for non-Bitcoin chains? A: PSBT is a Bitcoin-specific standard. Other chains support offline signing but use different file formats (raw tx hex, JSON). Check compatibility in /wallet-compatibility-matrix.
Air-gapped signing is the strongest practical way to keep private keys off internet-connected machines while still allowing regular spending and multisig workflows. It takes practice, but once you have the transfer methods and verification habits down, the process is reliable and repeatable. In my testing, the biggest wins are discipline (verify on-device) and backups (metal, redundantly stored).
Ready to build your workflow? Start with the setup overview: /getting-started-setup and the advanced transactions guide at /advanced-transactions-signing. Good luck — and always verify the address on the device screen before you tap "Approve."