Air Gap

How It Works

An air-gapped signing device never makes a direct electronic connection to any networked device. Transaction data flows through physically inspectable intermediaries. With QR codes, you can visually verify that only transaction data is being transferred — no malicious payload can hide in a QR code you can decode. With microSD cards, the data transfer is limited to small, auditable files (PSBTs) that the signing device parses in isolation.

The workflow for an air-gapped transaction is straightforward: your watch-only wallet on a computer constructs an unsigned transaction and displays it as a QR code (or saves it to microSD). You scan the QR code with your air-gapped hardware wallet (like COLDCARD), verify the transaction details on the device screen, sign it, and display the signed transaction as a new QR code. Your computer scans this and broadcasts it to the network. At no point did the signing device connect to anything.

True air-gapping requires discipline. A hardware wallet that supports air-gapped operation but is regularly connected via USB is not air-gapped. The device should never be plugged into a computer. Firmware updates should come through the same physically inspectable channel (microSD with verified signatures). The value of the air gap is its absolute nature — any compromise of the isolation boundary defeats the purpose.

Key Points

• Complete physical isolation from all networks — no Wi-Fi, Bluetooth, or USB data
• Data transferred via QR codes or microSD cards that can be physically inspected
• Prevents any remote malware from reaching the signing device
• Requires discipline — plugging in the device even once breaks the air gap
• The strongest practical isolation for protecting Bitcoin signing operations