How to use an air-gapped wallet for cold storage? (QR Code Sign)

Air-gapped wallets isolate private keys offline, sign transactions via QR-encoded PSBTs, and enforce strict hardware/firmware hardening—ensuring cryptographic sovereignty and resistance to remote compromise.

Apr 04, 2026 at 08:39 am

Air-Gapped Wallet Fundamentals

1. An air-gapped wallet operates on a device completely isolated from any network—no Wi-Fi, Bluetooth, cellular, or Ethernet connections are permitted.

2. The private keys never leave the isolated environment, ensuring cryptographic sovereignty remains with the user at all times.

3. Transaction signing occurs offline, using keys derived deterministically in compliance with the BIP-32, BIP-39, and BIP-44 standards.

4. Hardware devices like Coldcard, BitBox02, and Jade implement air-gapped workflows by design, but software-based air-gapped setups using air-gapped Linux VMs or Raspberry Pi units are also widely adopted.

5. Boot media must be verified using GPG signatures before initial setup to prevent supply-chain compromise during firmware or OS installation.

QR Code-Based Signing Workflow

1. A transaction is prepared on an online “watch-only” device using public blockchain data and exported as a PSBT (Partially Signed Bitcoin Transaction) file.

2. The PSBT is encoded into a QR code sequence—often split across multiple frames due to size limitations—and displayed on the online device’s screen.

3. The air-gapped device captures each frame using its built-in camera or manually scans them via a dedicated QR reader interface.

4. Once fully reconstructed, the air-gapped device validates all inputs, outputs, fees, and change addresses before applying the private key signature.

5. The signed PSBT is then rendered as another QR code sequence and scanned back into the online device for broadcast to the network.

Security Hardening Measures

1. Screen recording prevention is enforced by disabling screenshots, screen mirroring, and GPU-accelerated compositing on the air-gapped device’s OS layer.

2. Camera firmware must be audited for side-channel leakage; some wallets disable autofocus and auto-exposure to reduce timing-based inference risks.

3. QR codes are generated with high contrast and a high error-correction level (e.g., Reed-Solomon level Q or H) so that they remain scannable despite minor degradation.

4. Air-gapped devices reject PSBTs containing unknown input scripts, non-standard sighash flags, or unverified UTXO proofs unless explicitly overridden by advanced users.

5. All firmware updates require manual verification of SHA256 checksums against developer-signed manifests hosted on immutable IPFS gateways.
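
The rejection rule in item 4, as an added example (not from the original article or from any wallet's firmware): a minimal BIP-174 reader that lists the inputs requesting a sighash type outside an assumed SIGHASH_ALL-only policy. It handles PSBT version 0 only, and the sample PSBT is constructed from dummy data.

```python
import struct

MAGIC = b"psbt\xff"
GLOBAL_UNSIGNED_TX = b"\x00"   # BIP-174 global key type (PSBT version 0)
IN_SIGHASH_TYPE = b"\x03"      # BIP-174 per-input key type
ALLOWED_SIGHASH = {0x01}       # assumed policy: SIGHASH_ALL only

def read_compact(buf, pos):    # Bitcoin compact-size integer at buf[pos]
    width = {0xFD: 2, 0xFE: 4, 0xFF: 8}.get(buf[pos], 0)
    if width == 0:
        return buf[pos], pos + 1
    return int.from_bytes(buf[pos + 1:pos + 1 + width], "little"), pos + 1 + width

def read_map(buf, pos):        # one key-value map, up to its 0x00 separator
    entries = {}
    while True:
        klen, pos = read_compact(buf, pos)
        if klen == 0:
            return entries, pos
        key, pos = buf[pos:pos + klen], pos + klen
        vlen, pos = read_compact(buf, pos)
        if key in entries or pos + vlen > len(buf):
            raise ValueError("duplicate key or truncated PSBT")
        entries[key], pos = buf[pos:pos + vlen], pos + vlen

def sighash_violations(psbt):
    """Return [(input_index, flag)] for inputs asking for a disallowed sighash."""
    if not psbt.startswith(MAGIC):
        raise ValueError("not a PSBT")
    try:
        glob, pos = read_map(psbt, len(MAGIC))
        n_inputs, _ = read_compact(glob[GLOBAL_UNSIGNED_TX], 4)  # after 4-byte version
        bad = []
        for index in range(n_inputs):
            in_map, pos = read_map(psbt, pos)
            raw = in_map.get(IN_SIGHASH_TYPE)   # absent: signer applies its default
            if raw is not None and struct.unpack("<I", raw)[0] not in ALLOWED_SIGHASH:
                bad.append((index, struct.unpack("<I", raw)[0]))
        return bad
    except (IndexError, KeyError, struct.error) as exc:
        raise ValueError("malformed PSBT") from exc

# Constructed sample: unsigned tx with two dummy inputs and one empty output.
def _kv(key, value):   # lengths here are < 0xFD, so one length byte suffices
    return bytes([len(key)]) + key + bytes([len(value)]) + value
_TXINS = b"".join(bytes([i]) * 32 + bytes(4) + b"\x00" + b"\xff" * 4 for i in (1, 2))
_TX = struct.pack("<I", 2) + b"\x02" + _TXINS + b"\x01" + bytes(9) + bytes(4)
SAMPLE_PSBT = (MAGIC + _kv(GLOBAL_UNSIGNED_TX, _TX) + b"\x00" + b"".join(
    _kv(IN_SIGHASH_TYPE, struct.pack("<I", f)) + b"\x00" for f in (0x01, 0x83)) + b"\x00")
```

The second sample input carries 0x83 (SIGHASH_SINGLE with ANYONECANPAY), which commits the signer to only one output, so a signer applying this policy would refuse it.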

Operational Best Practices

1. Maintain separate air-gapped devices for different mnemonic seeds—never reuse hardware across distinct key hierarchies.

2. Store recovery seed phrases on stainless steel plates using BIP-39 wordlist-compliant engraving, not paper or laminated cards.

3. Perform signing sessions in electromagnetically shielded rooms when handling multi-million-dollar UTXOs to mitigate TEMPEST-style emissions.

4. Rotate air-gapped devices every 18–24 months to avoid hardware-level vulnerabilities exposed through long-term usage patterns.

5. Log all signing events on an offline ledger: timestamp, transaction ID prefix, fee rate, and output count—without storing full hex or signatures.

Frequently Asked Questions

Q: Can QR code scanning be compromised by malicious camera firmware?
A: Yes. Camera drivers on consumer-grade devices may contain undocumented telemetry or buffer overflow vectors. Use only open-source camera stacks validated by independent audits, such as those shipped with Qubes OS or PureOS.

Q: Is it safe to generate QR codes on a browser-based wallet?
A: No. Browser environments expose entropy sources, memory contents, and rendering pipelines to adversarial JavaScript. QR generation must occur inside hardened native applications like Sparrow Wallet or Electrum with air-gap plugins enabled.

Q: What happens if a QR frame is mis-scanned during signing?
A: The air-gapped device will fail PSBT parsing with a checksum mismatch or incomplete base64 padding. It will not proceed to signing and will discard the partial data without exposing internal state.

Q: Do all air-gapped wallets support multisig QR workflows?
A: Not universally. Coldcard supports multisig PSBT QR flows natively. BitBox02 requires companion desktop software for complex multisig coordination. Jade relies on Blockstream Green’s mobile app for multisig QR orchestration.
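
The multi-frame transfer in steps 2 to 4 of the signing workflow, and the mis-scan failure described in the FAQ, as an added example that is not part of the original article. The `n/total/digest:base64` frame format is hypothetical and is not the encoding used by any wallet named above; the sample bytes are constructed.

```python
import base64
import hashlib

def encode_frames(psbt, chunk=40):
    """Split a PSBT into 'n/total/digest:base64' payloads, one per QR frame."""
    b64 = base64.b64encode(psbt).decode()
    digest = hashlib.sha256(psbt).hexdigest()[:16]   # transport integrity only
    parts = [b64[i:i + chunk] for i in range(0, len(b64), chunk)]
    return [f"{n}/{len(parts)}/{digest}:{p}" for n, p in enumerate(parts, 1)]

def decode_frames(scanned):
    """Reassemble frames scanned in any order, duplicates allowed. Raises
    ValueError instead of returning a partial or damaged PSBT."""
    parts, total, digest = {}, None, None
    for frame in scanned:
        header, sep, body = frame.partition(":")
        try:
            n, t, d = header.split("/")
            n, t = int(n), int(t)
        except ValueError:
            raise ValueError("malformed frame header") from None
        if not sep or not 1 <= n <= t:
            raise ValueError("malformed frame header")
        if total is None:
            total, digest = t, d
        if (t, d) != (total, digest):
            raise ValueError("frame belongs to a different sequence")
        if parts.setdefault(n, body) != body:
            raise ValueError(f"conflicting copies of frame {n}")
    missing = [i for i in range(1, (total or 0) + 1) if i not in parts]
    if total is None or missing:
        raise ValueError(f"incomplete sequence, missing frames {missing}")
    try:
        psbt = base64.b64decode("".join(parts[i] for i in range(1, total + 1)),
                                validate=True)
    except ValueError:   # binascii.Error is a ValueError subclass
        raise ValueError("invalid base64 in reassembled payload") from None
    if hashlib.sha256(psbt).hexdigest()[:16] != digest:
        raise ValueError("checksum mismatch")
    return psbt

# Constructed sample bytes: PSBT magic plus filler, not a real transaction.
SAMPLE = b"psbt\xff" + bytes(range(100))
FRAMES = encode_frames(SAMPLE)
```

The truncated digest only catches scanning errors. It does not authenticate the sender, so the signer must still validate the transaction contents before signing.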
