Independent review. This site is not the official website and is not affiliated with, endorsed by, or operated by the wallet vendor reviewed here. Never enter your seed phrase or private keys on any third-party site.

Air-Gapped Signing & Offline Use

Quick summary: who this guide is for

If you care about long-term, non-custodial storage of cryptocurrency and want to reduce the attack surface of your private keys, this guide explains air-gapped signing for hardware wallets (including Trezor air-gapped workflows). I write from hands-on testing and months of routine use. What I've found: air-gapped setups add friction but substantially limit remote attack vectors.

Who this guide is for:

  • Holders storing meaningful amounts of crypto offline.
  • People willing to accept extra steps for stronger security.

Who should look elsewhere:

  • Users who need instant, frequent trading and zero friction (see the daily use guide).

What is air-gapped signing?

Air-gapped signing is the process of approving and cryptographically signing transactions on a device that has no active network connection to the internet or to other devices during the signing step. The goal is simple: the private keys never touch an online host. The term "air-gapped hardware wallet" describes a hardware wallet used in this way.

Why does that matter? Because attackers that control your computer cannot extract keys if the signing device never communicates with that computer while holding the keys.

And yes, it feels old-school. But that old-school step can stop many modern attacks.


How air-gapped signing actually works

There are a few practical methods. Most use the same round-trip flow: build the unsigned transaction on an online machine, move it to the offline device to sign, then move the signed transaction back to broadcast.

Common transport mechanisms:

  • QR codes (device screen -> phone camera or vice versa)
  • File on removable media (SD card / USB flash formatted per the wallet's guide)
  • USB transfer via an OTG host in situations where the device remains offline during signing

(PSBT = Partially Signed Bitcoin Transaction — a standard used to move unsigned transactions between wallets.)


Step-by-step: how to use an air-gapped wallet (practical)

  1. Prepare the offline device and generate the seed phrase on the device itself. Do not type the seed into a computer.
  2. Verify the seed phrase on the device screen and create a metal backup (see seed backup guide).
  3. Optionally set a passphrase (25th word). I believe passphrases are powerful but they add recovery complexity — document your plan (see passphrase guide).
  4. On your online computer, create the transaction using a watch-only wallet or an online wallet that supports PSBT export.
  5. Export the PSBT to QR or file. Transfer that to the offline device (scan the QR or insert the file media).
  6. Review the transaction carefully on the hardware wallet screen and confirm. The device signs and outputs the signed PSBT.
  7. Move the signed PSBT back to the online machine and broadcast.

Tip: Always verify amounts and destination addresses on the device screen, not on your computer.

For a device-specific start guide, see the Safe 3 setup and firmware updates guide.


Security architecture: what protects your keys

Hardware wallets used in an air-gapped way still rely on internal protections. Key elements to understand:

  • Secure element: a tamper-resistant chip that stores private keys and performs signing. It isolates the cryptography from the rest of the system.
  • Air-gapped signing: removes the host computer from the signing path during critical steps.
  • Supply-chain verification: confirming device authenticity at first boot reduces the chance of a pre-compromised unit (see the supply-chain authenticity guide).

In my experience, pairing a secure element with an air-gapped workflow offers a meaningful increase in safety. But nothing replaces careful handling of your seed phrase.


Seed phrase, passphrase, and backups when air-gapped

12 vs 24 words? 24 provides more entropy and, in some setups, compatibility with third-party recovery tools. BIP-39 is the most common standard. Shamir-like schemes (SLIP-39) split a recovery into multiple shares and are useful for distributed backups (see the Shamir and metal backups guide).

A passphrase (often called a 25th word) gives plausible deniability and an additional secret. But it turns your seed into a device-specific wallet: if you lose both the seed phrase and the passphrase, recovery is impossible. What I've found: use passphrases only if you can document and securely store the plan for inheritance.

Metal backup plates are worth the investment for long-term storage. They survive fire and water better than paper.


Multisig with air-gapped devices

Multisig (multi-signature) increases resilience by requiring multiple hardware keys to sign. You can combine air-gapped devices with hosted signers or other air-gapped units. Advantages: geographic distribution, no single point of failure.

Drawbacks: more complex recovery, longer transactions, and compatibility checks. If you're considering multisig, start with the multisig guide and test small transactions first.


Connectivity trade-offs: Bluetooth, USB, NFC

Bluetooth adds convenience for mobile flows. But wireless equals more attack surface. USB is typically more direct and easier to control, though it depends on the host. NFC is rare for air-gapped workflows but can be used in short-range transfers.

Which should you pick? For long-term cold storage, I prefer physically disconnected (screen + QR or SD) methods. But if you frequently transact with small amounts, Bluetooth can be acceptable with careful hygiene.

But remember: the convenience-security balance is personal. Choose based on your threat model.


Common mistakes and troubleshooting tips

  • Buying from unofficial sellers — always buy from verified channels and check supply-chain authenticity.
  • Entering a seed into a phone or computer — never do this.
  • Relying on a single backup stored in one place.
  • Skipping firmware verification. For how and why, see the firmware updates guide.

Troubleshooting quick wins: if an unsigned PSBT fails to import, check format/version compatibility. If a signed PSBT doesn’t broadcast, ensure the PSBT was fully finalized.
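Both troubleshooting checks can be run on the online machine before retrying. The following is an added example (not code from any wallet vendor or from this review): a minimal BIP-174 reader that rejects non-PSBT or unsupported-version data and reports whether each input is only partially signed or already finalized. It assumes version 0 PSBTs passed as bytes; the sample byte strings are constructed placeholders, not real transactions.

```python
import base64, io

MAGIC = b"psbt\xff"
GLOBAL_UNSIGNED_TX, GLOBAL_VERSION = 0x00, 0xFB  # BIP-174 global key types
IN_PARTIAL_SIG, IN_FINAL_SCRIPTSIG, IN_FINAL_WITNESS = 0x02, 0x07, 0x08

def read_compact(s):  # Bitcoin compact-size integer
    n = s.read(1)[0]
    if n < 0xFD:
        return n
    return int.from_bytes(s.read({0xFD: 2, 0xFE: 4, 0xFF: 8}[n]), "little")

def read_map(s):
    """Read one key-value map; a zero key length is the separator."""
    entries = []
    while (klen := read_compact(s)) != 0:
        key = s.read(klen)
        entries.append((key[0], s.read(read_compact(s))))
    return entries

def inspect_psbt(raw):
    """Report PSBT version and per-input signing state (version 0 only)."""
    if raw.startswith(b"cHNidP"):  # base64 text form of the magic bytes
        raw = base64.b64decode(raw)
    s = io.BytesIO(raw)
    if s.read(5) != MAGIC:
        raise ValueError("not a PSBT: bad magic bytes")
    glob = dict(read_map(s))
    version = int.from_bytes(glob.get(GLOBAL_VERSION, b"\0"), "little")
    if version != 0 or GLOBAL_UNSIGNED_TX not in glob:
        raise ValueError(f"unsupported PSBT (version {version}) or missing unsigned tx")
    # The unsigned tx uses the non-witness format: 4-byte version, then input count.
    n_inputs = read_compact(io.BytesIO(glob[GLOBAL_UNSIGNED_TX][4:]))
    inputs = []
    for _ in range(n_inputs):
        types = [t for t, _ in read_map(s)]
        final = IN_FINAL_SCRIPTSIG in types or IN_FINAL_WITNESS in types
        inputs.append({"partial_sigs": types.count(IN_PARTIAL_SIG), "finalized": final})
    return {"version": version, "inputs": inputs,
            "all_finalized": all(i["finalized"] for i in inputs)}

# Constructed samples: one input, one output, placeholder key/signature bytes.
def kv(key, val):  # one map entry; lengths below 253 only
    return bytes([len(key)]) + key + bytes([len(val)]) + val

SAMPLE_TX = bytes.fromhex("02000000" "01" + "11" * 32 + "00000000" "00" "ffffffff"
                          "01" "e803000000000000" "00" "00000000")
HEAD = MAGIC + kv(b"\x00", SAMPLE_TX) + b"\x00"
SIGNED_NOT_FINAL = HEAD + kv(b"\x02" + b"\x02" * 33, b"\x30" * 71) + b"\x00\x00"
FINALIZED = HEAD + kv(b"\x08", b"\x00") + b"\x00\x00"
```

A result with `all_finalized` false on a signed file means the PSBT still needs a finalizer pass before a raw transaction can be extracted and broadcast.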


Air-gapped signing methods: quick comparison table

| Method | Offline during signing? | Ease of use | Risk profile | Best for |
|---|---|---|---|---|
| QR code exchange | Yes | Moderate | Low (visual transfer) | Mobile users and photographers |
| Removable media (SD/USB) | Yes | Moderate | Moderate (media tampering risk) | Power-users and large files |
| Direct USB OTG (device offline) | Yes (if host is offline) | Easy | Depends on host | Single-computer setups |
| Bluetooth | No (wireless) | Easy | Higher (wireless attacks) | Frequent mobile transactions |

(Use the method that matches your convenience and threat model.)


FAQ

Q: Can I recover my crypto if the device breaks?

A: Yes, recover with your seed phrase on a compatible hardware or desktop wallet. If you used a passphrase, you must have that as well.

Q: What happens if the company goes bankrupt?

A: Your crypto is under your control if you have the seed phrase and use open standards (BIP-39, PSBT). For proprietary formats, check export options and documentation (see recovery and restore).

Q: Is Bluetooth safe for a hardware wallet?

A: Bluetooth increases attack surface. For long-term, high-value cold storage, prefer air-gapped options (QR/SD). For frequent small transactions, Bluetooth can be convenient with good hygiene.


Final thoughts and next steps

Air-gapped signing reduces remote attack vectors by keeping private keys offline during signing. It adds steps. But for many holders (especially long-term holders), that trade-off makes sense. In my testing, carefully executed air-gapped workflows catch a lot of common compromises.

If you want hands-on guides next, check the Safe 3 setup, read about secure element architecture, and review seed backup options. If multisig looks appealing, start small with the multisig guide.

Want to compare air-gapped habits between devices? See the Safe 3 review and the Safe 5 review for more model-focused notes.

Safe storage is a process. Start small, test your recovery, and build a routine you can trust.
