Air-gapped signing is a workflow that keeps the device which holds your private keys physically or logically isolated from the internet while signing transactions. Short version: the private keys never touch an online computer. That isolation reduces attack surface. It also adds friction. And that friction is intentional.
In practice you prepare a transaction on an online host (a wallet interface), export that transaction in PSBT format, move the PSBT to the air-gapped hardware wallet, sign it offline, and then move the signed PSBT back to the online host for broadcast.
If you want a primer on how a given hardware wallet approaches secure storage and firmware, see the more general security overview: [/trezor-security-overview].
PSBT stands for Partially Signed Bitcoin Transaction. The full term is often written out as partially signed bitcoin transaction. PSBT is a standard format for building transactions in steps. One device (or several) can add signatures without exposing private keys.
Why use PSBT? Because it separates transaction construction from signing. That lets you use an air-gapped hardware wallet with a more feature-rich online wallet (which crafts UTXO selection, fees, and complex outputs) while keeping signing offline.
In my testing, PSBT workflows are slower at first, but they catch many common attack vectors (malware that alters outputs, for example). I noticed that forcing an explicit review of outputs on a hardware wallet screen stops most scams.
See also: trezor-suite-vs-web-wallet for host wallet choices that support PSBT workflows.
High-level flow:
This is a practical, vendor-neutral guide. Adjust details for your chosen wallet software.
Step 1 — Prepare on the online host: choose inputs, outputs, and fee. Export the transaction as a PSBT (file or QR). Why export? Because PSBT carries the unsigned transaction skeleton and metadata (input scripts, derivation paths).
Step 2 — Move the PSBT offline: copy the PSBT to a clean USB drive or scan a QR code (if both host and device support it). Some air-gapped hardware wallets accept microSD/USB or camera-readable QR bundles. Use a clean laptop only if necessary (preferably one that hasn't seen your seed phrase).
Step 3 — Verify on the hardware wallet: the device will show outputs, amounts, and destination addresses. Check every detail on the device screen. I believe this check is the single most important step.
Step 4 — Sign: the hardware wallet adds signatures to the PSBT without exposing private keys. The result is a partially (or fully) signed PSBT.
Step 5 — Return and broadcast: move the signed PSBT back to the online host, finalize if required, and broadcast.
Note: PSBT is Bitcoin-focused. Other chains use different signing standards. Always confirm compatibility before attempting an air-gapped workflow.
Always check outputs on the device screen. Not the host. Not the browser. The device shows where coins will go.
Verify firmware authenticity before relying on an air-gapped device (see [/firmware-updates-verification]). Tampered firmware can show one address while signing another.
Consider supply-chain risks. Unsealed packaging and unknown sellers introduce risk. See [/supply-chain-tamper-verification].
Use a passphrase (25th word) with caution. It adds a hidden account layer but complicates recovery and increases the chance of loss. Read [/passphrase-guide-25th-word] for trade-offs.
But what about the transfer medium? The transfer channel (USB, QR, microSD) matters. A compromised intermediary can swap the PSBT. That’s why the device verification step is non-negotiable.
PSBT is especially useful for multi-signature (multisig) setups. Multisig spreads signing across multiple hardware wallets or signers, and PSBT lets each signer contribute a signature offline.
Who should use multisig? People holding large amounts or planning geographic distribution of keys. It’s also useful for inheritance planning and business wallets.
PSBT alone doesn’t create multisig — you must use compatible wallet software and follow a multisig setup guide. See [/trezor-multisig-guide] and [/multisig-wallet-compatibility] for interoperability notes.
| Feature | Connected signing (USB/Bluetooth) | Air-gapped signing (PSBT) | Hot wallet (no hardware) |
|---|---|---|---|
| Private keys off-host? | Yes, but device is connected | Yes — fully offline during signing | No |
| Risk of host malware altering outputs | High | Low (if you verify on device) | Very high |
| Convenience | High | Moderate to low | Very high |
| Multisig support | Yes (depends) | Excellent | Limited |
| Best for | Daily use | Long-term cold storage, high-value tx | Small, quick trades |
Buying used hardware wallets without securely wiping and re-seeding is dangerous. See [/buying-used-trezor] and [/where-to-buy-trezor-safely].
Relying solely on a passphrase without a documented recovery procedure invites loss. Document your plan (securely) and practice recovery from your seed phrase and passphrase. See [/seed-phrase-basics].
Not testing a dry-run. Always send a small test transaction first. Sounds obvious. People skip it.
Forgetting to back up your seed phrase to metal. Paper degrades. Metal backups survive (see [/metal-backups-plates]).
Skipping firmware verification. A compromised device or fake firmware can undermine air-gapped signing. Check signatures. Read [/firmware-updates-verification].
Q: Can I recover my crypto if the device breaks?
A: Yes. As long as you have your seed phrase (and any passphrase), you can recover private keys onto a new compatible hardware wallet or a secure software wallet (in an air-gapped environment if desired). See [/recovering-a-trezor].
Q: What happens if the company behind the wallet goes bankrupt?
A: Your keys belong to you, not the company. Seed phrase recovery standards like BIP-39 and PSBT are open; you can move to another compatible solution. Plan for compatibility when choosing a backup strategy.
Q: Is Bluetooth safe for a hardware wallet?
A: Bluetooth adds convenience but increases attack surface. Air-gapped signing avoids radio interfaces altogether. If you use Bluetooth, prefer short-range pairing, firmware updates only from verified sources, and strong device hygiene. See [/connectivity-usb-bluetooth-nfc].
Q: Can PSBT be used for chains other than Bitcoin?
A: PSBT is a Bitcoin standard. Other chains use their own signing formats and standards. Check supported networks in [/supported-coins-trezor] before attempting a cross-chain workflow.
Air-gapped signing with PSBT is a proven way to keep private keys offline while still using modern wallet features. It trades convenience for stronger guarantees. If you hold meaningful amounts of crypto, I recommend testing an air-gapped PSBT workflow with small transactions until the steps feel routine.
Start by reading the setup guides and security pages: [/trezor-unboxing-and-setup], [/firmware-updates-verification], and [/trezor-multisig-guide]. Then try a single PSBT transaction using a clean host (or a dedicated machine) and verify outputs on the device every time.
Want a deeper walkthrough on multisig or passphrase strategies? See [/multisig-wallet-compatibility] and [/passphrase-guide-25th-word] for next steps.
(Practical tip: document and rehearse your recovery and inheritance plan. It saves headaches later.)