Air-gapped signing means your private key never touches a device that connects to the internet. Transactions are constructed on an online watch-only wallet, transmitted to an offline signing device via QR codes or SD cards, signed there, and the signed transaction returns the same way for broadcast. The security gain is real; the UX cost is also real.
This article covers air-gapped signing as a chain-agnostic security pattern. For Bitcoin-specific air-gapped workflows using PSBT (BIP-174 partially signed Bitcoin transactions) and Coldcard or Sparrow Bitcoin-only flows, see the Bitcoin pillar's dedicated air-gapped Bitcoin signing guide. Here we focus on the multi-chain side: how QR and SD workflows operate across Bitcoin, Ethereum, Solana, and other networks, and which devices support them.
What is air-gapped signing and why does it matter?
Air-gapped signing is a wallet setup where the private key lives on a device that has never been connected to the internet, to a host over USB, or to anything over Bluetooth, and the transaction signing happens entirely on that offline device. The signed transaction crosses the "air gap" to an online device only after the user authorizes it, typically through a QR code displayed on one screen and scanned by another, or through a removable SD card carried physically between the two devices.
The contrast with a standard USB-connected hardware-wallet device matters. A hardware wallet plugged into your computer keeps the private key on the secure element, but the surrounding flow (receiving address display, transaction preview, software updates) still passes through the host computer. Malware on the host can present manipulated information to the user even when it cannot extract the private key directly. An air-gapped setup removes the host computer from the trust path entirely.
The threat model that justifies air-gapped signing is hostile host computer plus targeted malware. For users with substantial balances or institutional custody requirements, the additional security layer becomes worth the added operational friction. Combined with BIP-39 passphrase protection and good physical security practices, air-gapped signing forms the strongest practical cold-storage setup available to retail users in 2026.
How does QR-code-based air-gapped signing work?
QR-code air-gapped signing transmits unsigned and signed transactions between online and offline devices by displaying QR codes on one screen and scanning them with the camera on the other. No cable, no wireless, no physical media moves between the two devices; only photons. The flow is the same conceptually across every chain that supports it.
The typical four-step flow:
1. Construct. An online watch-only wallet (knowing only the extended public key derived from the offline seed) constructs an unsigned transaction with the recipient address, amount, fee, and chain-specific metadata.
2. Encode. The watch-only wallet encodes the unsigned transaction as one or more QR codes. Transactions that exceed a single QR's data capacity split across animated QR sequences.
3. Sign. The offline device scans the QR codes through its camera, reconstructs the transaction, displays the details on its own screen for the user to verify, and signs the transaction with the offline private key once the user confirms.
4. Broadcast. The offline device displays the signed transaction as QR output. The online wallet scans it and broadcasts to the network.
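The encode and scan steps above, as an added example (not code from any device or wallet named in this article): a payload is split into numbered frames, and the receiver reassembles them from scans that arrive out of order or more than once. The frame layout `index/total/digest/base32-chunk`, the function and class names, and the demo payload are all invented for illustration and are not the encoding any particular vendor uses.

```python
import base64
import hashlib

# Constructed stand-in for an unsigned transaction (768 bytes).
DEMO_PAYLOAD = bytes(range(256)) * 3

def to_frames(payload: bytes, max_chunk: int = 200) -> list[str]:
    """Split payload into text frames 'index/total/digest/base32-chunk'."""
    digest = hashlib.sha256(payload).hexdigest()[:16]
    chunks = [payload[i:i + max_chunk]
              for i in range(0, len(payload), max_chunk)] or [b""]
    return [f"{i + 1}/{len(chunks)}/{digest}/{base64.b32encode(c).decode()}"
            for i, c in enumerate(chunks)]

class Reassembler:
    """Collects frames in any order; rescanning a frame is harmless."""

    def __init__(self):
        self.total = None
        self.digest = None
        self.parts = {}

    def feed(self, frame: str) -> bool:
        """Accept one scanned frame; return True once all parts are present."""
        idx_s, total_s, digest, body = frame.split("/", 3)
        idx, total = int(idx_s), int(total_s)
        if not 1 <= idx <= total:
            raise ValueError("frame index out of range")
        if self.total is None:
            self.total, self.digest = total, digest
        elif (total, digest) != (self.total, self.digest):
            raise ValueError("frame belongs to a different sequence")
        self.parts[idx] = base64.b32decode(body)
        return len(self.parts) == self.total

    def missing(self) -> list[int]:
        """Frame numbers still to be scanned (drives a 'keep scanning' prompt)."""
        return [i for i in range(1, (self.total or 0) + 1) if i not in self.parts]

    def payload(self) -> bytes:
        """Return the reassembled bytes, or raise if incomplete or corrupted."""
        if self.total is None or self.missing():
            raise ValueError(f"incomplete sequence, missing {self.missing()}")
        data = b"".join(self.parts[i] for i in range(1, self.total + 1))
        # The digest catches scan and ordering errors only. A compromised host
        # can compute a valid digest for a tampered transaction, so the
        # on-screen address and amount check is still required.
        if hashlib.sha256(data).hexdigest()[:16] != self.digest:
            raise ValueError("checksum mismatch after reassembly")
        return data
```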
For Bitcoin this flow uses BIP-174 PSBT as the transaction format inside the QR encoding. For Ethereum and EVM chains, the encoding wraps an RLP-encoded transaction. Solana and Cosmos chains use their own transaction formats but the same QR-transmission pattern.
The user-side trust check happens at step 3: the offline device displays the recipient address and amount on its own screen, and the user verifies these match what they intended. The online watch-only wallet's display cannot be trusted (it's on the potentially-compromised online host); the offline device's display can be trusted (because the offline device never touches the internet).
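The step-3 check for the Ethereum case, as an added example (not code from any device or wallet named here): the signer derives the recipient, amount and chain id it displays from the RLP bytes it is about to sign, never from a label supplied by the host. It assumes an EIP-155 unsigned legacy transaction; typed (EIP-2718) transactions are out of scope, and the function names and sample bytes are constructed for illustration.

```python
def rlp_decode(buf: bytes, pos: int = 0):
    """Decode one RLP item at buf[pos]; return (item, next_pos)."""
    if pos >= len(buf):
        raise ValueError("truncated RLP")
    b = buf[pos]
    if b < 0x80:                      # a single low byte encodes itself
        return buf[pos:pos + 1], pos + 1
    is_list = b >= 0xC0
    n = b - (0xC0 if is_list else 0x80)
    start = pos + 1
    if n > 55:                        # long form: n - 55 length bytes follow
        start += n - 55
        n = int.from_bytes(buf[pos + 1:start], "big")
    end = start + n
    if end > len(buf):
        raise ValueError("truncated RLP")
    if not is_list:
        return buf[start:end], end
    items, p = [], start
    while p < end:
        item, p = rlp_decode(buf, p)
        items.append(item)
    if p != end:
        raise ValueError("list item overruns its parent")
    return items, end

def summarize_unsigned_tx(raw: bytes) -> dict:
    """Fields a signer should display, read from the bytes it will sign."""
    fields, end = rlp_decode(raw)
    if (end != len(raw) or not isinstance(fields, list) or len(fields) != 9
            or not all(isinstance(f, bytes) for f in fields)):
        raise ValueError("not an EIP-155 unsigned legacy transaction")
    to, value, data, chain_id = fields[3], fields[4], fields[5], fields[6]
    if len(to) != 20:
        raise ValueError("recipient is not a 20-byte address")
    # Non-empty calldata means a contract call: the real beneficiary (such as
    # a token recipient) is inside `data`, not in `to`.
    return {"to": "0x" + to.hex(), "value_wei": int.from_bytes(value, "big"),
            "chain_id": int.from_bytes(chain_id, "big"),
            "has_calldata": len(data) > 0}

def matches_intent(raw: bytes, to: str, value_wei: int, chain_id: int) -> bool:
    """Model of the user's check: decoded fields vs. what they meant to send."""
    tx = summarize_unsigned_tx(raw)
    return (tx["to"] == to.lower() and tx["value_wei"] == value_wei
            and tx["chain_id"] == chain_id and not tx["has_calldata"])

# Constructed sample: unsigned legacy transfer on chain id 1 (nonce 9,
# gas price 20 gwei, gas limit 21000, 1 ether to 0x3535...35, no calldata).
SAMPLE = bytes.fromhex("ec098504a817c80082520894" + "35" * 20
                       + "880de0b6b3a764000080018080")
# The same bytes with the recipient replaced by 0x6666...66 (constructed).
TAMPERED = SAMPLE.replace(bytes.fromhex("35" * 20), bytes.fromhex("66" * 20))
```

The decoder does not enforce canonical RLP encoding, which a production signer would also reject.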
How does SD-card air-gapped signing work?
SD-card air-gapped signing moves the transaction file on a removable SD card carried physically between the online and offline devices. The flow mirrors the QR pattern, but the medium is a microSD or full-size SD card instead of photons. SD-card workflows are the default mode on devices like Coldcard, which predates widespread QR-camera adoption in this product category.
The four-step flow:
1. Construct. Online wallet builds the unsigned transaction.
2. Export. Online wallet writes the unsigned transaction file to the SD card; user removes the SD card.
3. Sign. User inserts the SD card into the offline device, which reads the transaction, displays it on its screen for verification, signs it on user confirmation, and writes the signed transaction back to the SD card.
4. Import. User moves the SD card back to the online device, which reads the signed file and broadcasts.
SD-card workflows have two operational advantages over QR. First, transaction-size limits are higher: a single file on an SD card can carry transactions far larger than QR can practically encode. Second, there's no scan-failure mode: an SD card either reads correctly or doesn't, while a QR scan can fail under poor lighting, screen angle, or animation pacing. The tradeoffs are physical: the SD card itself is a removable medium that an attacker who steals it could analyze, and the dual SD-card-slot requirement adds operational steps. Coldcard's documentation describes its SD-only and SD-plus-QR (Coldcard Q) modes in detail (source: Coldcard Documentation). The SeedSigner project, an open-source DIY Bitcoin signer built on Raspberry Pi Zero, demonstrates a pure-QR variant of the same pattern (source: SeedSigner Project).
Which devices support multi-chain air-gapped signing?
Multi-chain air-gapped device support is concentrated in a small set of vendors. Most dedicated air-gapped hardware in 2026 falls into one of four categories: Bitcoin-only purpose-built (SeedSigner, Coldcard Mk4, Coldcard Q), multi-chain by design (Keystone 3 Pro, NGRAVE Zero), software-on-mobile (AirGap Vault), and Bitcoin-primary DIY (Specter DIY).
| Device | Multi-chain? | Transport | Notes |
|---|---|---|---|
| Keystone 3 Pro | Yes: BTC, ETH, EVM L2s, Solana, Cosmos, Polkadot, more | QR | Most actively multi-chain; companion mobile app for online side (source: Keystone Guide Documentation) |
| NGRAVE Zero | Yes: BTC, ETH, EVM L2s, Cosmos, others | QR | EAL7-certified secure OS; companion app NGRAVE Liquid |
| AirGap Vault | Yes: BTC, ETH, multiple chains via plugin system | QR | Mobile-based offline signer (use a dedicated offline phone) paired with AirGap Wallet online (source: AirGap Vault Project) |
| Coldcard Q | Bitcoin-only | QR + SD | Coldcard's QR-equipped successor to Mk4; vendor stance is Bitcoin-only |
| Coldcard Mk4 | Bitcoin-only | SD only | The reference SD-card Bitcoin signer |
| SeedSigner | Bitcoin-only | QR | DIY open-source build on Raspberry Pi Zero |
| Specter DIY | Bitcoin-primary | QR | DIY open-source build, paired with Specter Desktop |
The honest scope note: SeedSigner, Coldcard Mk4, and Coldcard Q are excellent at what they do, but they're all Bitcoin-only by vendor stance. Users holding significant non-Bitcoin assets should evaluate Keystone 3 Pro or NGRAVE Zero as primary options (source: NGRAVE Zero Documentation). For the broader hardware-wallet landscape see our hardware-wallet device explainer.
For setup procedures applicable across hardware-wallet types, see set up a hardware wallet.
How does air-gapped signing protect against malware compared to USB-connected wallets?
The protection air-gapped signing adds over USB-connected hardware wallets is removing the host computer from the trust path during transaction signing. A USB hardware wallet protects the private key (the secure element doesn't release it), but the user still relies on the host computer's screen to show what they're signing. Malware on the host can swap displayed receiving addresses while the underlying wallet signs the malicious transaction.
The specific attack pattern: an "address-clipboard hijacker" or "host-display-swap" malware on the user's computer waits for the user to copy a Bitcoin or Ethereum address to send funds to, then substitutes the attacker's address while displaying the original. The user reads their intended address on the host screen, presses confirm on the hardware wallet (which is showing the attacker's address on its own tiny display), and the transaction goes to the attacker. This is documented in real-world cases on every major hardware-wallet model. The mitigation that prevents this is verifying every receiving address on the hardware wallet's own screen, which experienced users do but many users skip.
Air-gapped signing changes the trust model in two ways. First, the offline device never connects to the host, so host malware cannot manipulate what the offline device displays. Second, the QR or SD workflow makes the verification step explicit: the user must read the offline device's screen by design, rather than treating it as an optional check they might skip on a USB hardware wallet. Verifying wallet software during device setup further reduces the attack surface.
The protection is not absolute. An attacker who replaces the offline device itself with a tampered version can subvert the entire setup. Supply-chain integrity remains a concern across all hardware-wallet categories, air-gapped included.
What are the UX tradeoffs of going air-gapped?
Air-gapped signing's security gains come at real operational cost. Five tradeoffs recur in user experience: transaction speed, scan reliability, single-transaction size limits, two-device requirement, and the cognitive overhead of managing two distinct wallet contexts.
Transaction speed. A typical air-gapped flow takes several minutes per transaction: construct on online side, scan or transfer to offline, verify on offline screen, sign, scan or transfer signed transaction back, broadcast. Compared to a USB hardware wallet's single button press, this is at least an order of magnitude slower. For users who transact frequently, air-gapped friction can become a daily tax.
Scan reliability. QR transmission can fail under poor lighting, dirty screens, screen-angle issues, or animated-QR pacing mismatches. Most failures require restarting the entire flow. Coldcard Q and Keystone 3 Pro have invested in scan quality, but failures still occur with budget mobile cameras or older offline-device screens.
Single-transaction size limits. QR has a practical data capacity, and complex transactions (multisig, smart-contract interactions, Bitcoin transactions with many inputs) can exceed it. Animated QR sequences extend the capacity but slow the flow. SD-card workflows largely eliminate this limit but reintroduce physical-media concerns.
Two-device requirement. You need a dedicated offline device that you never connect to the internet. Repurposing a phone or laptop "as offline" creates risk that someone (you, or someone with physical access) inadvertently connects it. Dedicated air-gapped devices solve this but add another piece of hardware to track.
Cognitive overhead. The user must maintain two mental models: the watch-only wallet that displays balances and constructs transactions, and the offline signer that holds keys. Mistakes (using the watch-only as if it held keys, scanning the wrong QR, sending to the wrong derivation path) become possible in ways that don't exist with a single-device wallet.
From Blofin's customer-support inbox, air-gapped users predominantly escalate around two scenarios: QR scan failures across mismatched mobile-app and device firmware versions, and confusion when the watch-only wallet shows balances that the offline device cannot directly confirm. Both resolve with patience and version-matching, but they happen often enough that air-gapped UX should be considered "advanced user territory" rather than a beginner default.
Common air-gapped signing mistakes
Five mistakes cause most reported air-gapped failures: not verifying addresses on the offline device's own screen, trusting the watch-only wallet's address display, sending to the wrong derivation path on chain-agnostic devices, mishandling the SD card, and confusing air-gapped with multisig.
Not verifying on the offline screen. The single most important behavior in any air-gapped setup is reading the recipient address character-by-character on the offline device's own display before signing. Skipping this defeats the entire security model: the watch-only wallet's screen on the online side cannot be trusted, and signing without verifying on the offline screen is no safer than using a USB hardware wallet without verifying its display.
Trusting the watch-only's address display. The online watch-only wallet's display is on the potentially-compromised online host. It can show one blockchain address while constructing the unsigned transaction with a different address. Only the offline device's display is trustworthy.
Wrong derivation path on multi-chain devices. A multi-chain offline device may default to Ethereum's standard path for one chain and to a chain-specific path for another. If the watch-only wallet expects a different path than the offline device produces, the addresses won't match and funds can land on addresses the watch-only doesn't monitor.
SD-card mishandling. SD cards used for transaction transfer can carry malware between devices if reused outside the air-gapped flow. Dedicate a single SD card to the air-gapped flow, never use it on internet-connected machines for other purposes, and verify the device firmware's expected SD-card filesystem before use.
Air-gapped vs multisig confusion. Air-gapped signing is one wallet with offline key isolation; multisig is multiple wallets that jointly authorize transactions. They solve different threat models and combine well, but they are not interchangeable.
Frequently asked questions
What's the difference between a hardware wallet and an air-gapped wallet?
A hardware wallet keeps the private key on a dedicated device but typically connects to a host computer via USB or Bluetooth during transaction signing. An air-gapped wallet keeps the private key on a device that never connects to any network: the signing device has no USB, Bluetooth, Wi-Fi, or cellular radios active during operation. Transactions cross the gap via QR codes or SD cards. Air-gapped is a strict superset of "hardware wallet" security: every air-gapped device is a hardware wallet, but not every hardware wallet is air-gapped.
Can I use Ledger or Trezor in air-gapped mode?
Not by design. Ledger and Trezor connect via USB to a host application during signing, which is the channel air-gapped setups eliminate. Some advanced users have built workarounds (PSBT export to a never-connected machine, etc.), but these are unsupported and undermine the vendor's intended security model. Users who want true air-gapped operation should choose a purpose-built device: Coldcard, Keystone, NGRAVE, SeedSigner, or AirGap Vault on a dedicated offline phone.
Is air-gapped signing safer than hardware wallets with USB?
Yes, against a specific threat: malware on your host computer that manipulates displayed information to trick you into signing transactions that don't match what you think you're signing. For users without that threat (no high-value target, no exposure to nation-state attackers, no history of malware infections), a USB hardware wallet with disciplined on-device address verification provides effectively equivalent security at much lower operational friction.
What happens if I lose the offline signing device?
You restore the seed phrase into a new air-gapped device, the same way you would for any hardware wallet. The seed phrase is the master backup; the device is replaceable. This assumes you have the seed phrase backed up safely, which is the universal precondition for hardware-wallet recovery. Combined with an optional passphrase or Shamir backup, the device loss becomes inconvenient rather than catastrophic.
Can I do air-gapped signing on Ethereum or only Bitcoin?
You can do air-gapped signing on Ethereum, Solana, Cosmos, Polkadot, and many other chains. The pattern is chain-agnostic, but device support varies. Keystone 3 Pro, NGRAVE Zero, and AirGap Vault are the most actively multi-chain options in 2026. SeedSigner and Coldcard are Bitcoin-only. The Bitcoin pillar's air-gapped guide covers Bitcoin-specific PSBT workflows in detail; this article covers the multi-chain side.
Researched and written by the Blofin Academy editorial team with AI-assisted drafting. Primary sources include the BIP-174 PSBT specification, Coldcard documentation, Keystone Wallet documentation, NGRAVE technical brief, and AirGap Vault project documentation. All facts independently verified against cited documentation current as of May 2026.
