
PSBT Cold Signing for Bitcoin: Air Gapped Workflows That Prevent Key Exposure

Plugging a wallet into a hot laptop is convenient, but convenience is not a strategy. If your goal is long term protection, PSBT cold signing gives you a cleaner separation of duties. You build transactions on an online computer, sign them on an offline device, then broadcast from the online side. Done well, it reduces the chance your private keys ever touch a networked machine. In the broader context of Crypto security & Wallets, this is one of the most reliable patterns to lower risk without giving up control.

Quick Summary

  • PSBT - Partially Signed Bitcoin Transaction - lets you prepare a transaction without exposing keys.
  • Air gapped signing keeps private keys on an offline device. Data moves by QR codes or SD cards.
  • Greatly reduces malware and phishing risk, but does not fix human mistakes or weak backups.
  • Works for single sig and multisig. Combine with solid backups, passphrases, and firmware checks.
  • Ideal for cold storage moves, high value treasury flows, and disciplined personal custody.

Figure: High level PSBT flow: create on watch only software, sign offline, broadcast online.

What PSBT Actually Is and Why It Matters

PSBT, defined in BIP174, is a transaction format that separates transaction building from signing. In plain terms, you assemble the parts of a Bitcoin transaction on one device and collect signatures on another device that holds the keys. The unsigned pieces and metadata move between devices without revealing secrets. For Crypto security & Wallets, this split is powerful because it reduces the attack surface where keys could leak.

Here is the core mechanism in one sentence: the online computer prepares inputs and outputs, the offline device confirms details and adds signatures, then the online computer broadcasts the final transaction. PSBT files can also carry data for multisig and complex scripts, so teams can coordinate safely without sharing private keys.

The Air Gapped Flow, Step by Step

Air gapped means the signing device never touches the internet. Communication happens via removable media or optical scans. A practical setup looks like this:

  • Initialize a hardware signer or a DIY signer on an offline machine. Record your seed phrase on paper or steel and add a BIP39 passphrase if you use that model.
  • Export a watch only descriptor or xpub to your online computer. In software like Sparrow, Specter, or Electrum, this creates a wallet that can see balances but cannot sign.
  • Use coin control to build a transaction on the online side. Double check destination address and fees. Save a PSBT file or display a QR bundle.
  • Move the PSBT to the offline signer via SD card or scan the QR. The signer shows the amount, change address, and fee. Verify on the device screen and approve.
  • Return the signed PSBT to the online computer, which broadcasts to the network. The keys never left the offline signer.

This model works for single signature and multisignature wallets. For teams, multiple signers can independently review the same PSBT and add their signatures. The key idea is that every signer validates the transaction details on a trusted display before approving.
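
The details a signer has to show before approval (destination, amount, change, fee) can be read straight out of the PSBT file. The reader below is an added example, not code from this article or from any wallet project; the function names and the sample PSBT with its amounts are constructed for illustration. It assumes version 0 PSBTs (BIP174) whose inputs carry a witness UTXO, and it only reports a change claim, which a real signer must confirm by re-deriving the key from its own seed.

```python
import struct

def varint(b, i):  # compact-size integer at offset i -> (value, next offset)
    n = 0 if b[i] < 0xfd else 2 << (b[i] - 0xfd)  # 0xfd/0xfe/0xff: 2/4/8 bytes follow
    return (int.from_bytes(b[i + 1:i + 1 + n], "little") if n else b[i]), i + 1 + n

def psbt_maps(raw, i=5):  # yield maps in order (global, inputs, outputs); 5 skips magic
    while i < len(raw):
        m = {}
        while raw[i] != 0:  # a 0x00 key length closes the map
            klen, i = varint(raw, i)
            key, i = raw[i:i + klen], i + klen
            vlen, i = varint(raw, i)
            m[key], i = raw[i:i + vlen], i + vlen
        i += 1
        yield m

def tx_outputs(tx):  # -> (input count, [(sats, scriptPubKey), ...])
    n_in, i = varint(tx, 4)  # skip the 4-byte version
    for _ in range(n_in):
        slen, i = varint(tx, i + 36)  # skip outpoint, read scriptSig length
        i += slen + 4  # skip scriptSig and sequence
    n_out, i = varint(tx, i)
    outs = []
    for _ in range(n_out):
        slen, j = varint(tx, i + 8)
        outs.append((int.from_bytes(tx[i:i + 8], "little"), tx[j:j + slen]))
        i = j + slen
    return n_in, outs

def review(raw):  # what the signer screen should show: outputs, change claims, fee
    if not raw.startswith(b"psbt\xff"):
        raise ValueError("not a PSBT")
    glob, *maps = psbt_maps(raw)
    n_in, outs = tx_outputs(glob[b"\x00"])  # key 0x00: unsigned transaction
    if len(maps) != n_in + len(outs):
        raise ValueError("map count does not match the unsigned transaction")
    spent = sum(int.from_bytes(m[b"\x01"][:8], "little") for m in maps[:n_in])  # 0x01: witness UTXO
    # Key 0x02 (BIP32 derivation) only claims change; a signer must re-derive the key.
    report = [(sats, spk.hex(), any(k[0] == 2 for k in m))
              for (sats, spk), m in zip(outs, maps[n_in:])]
    return {"fee": spent - sum(s for s, _ in outs), "outputs": report}

def sample_psbt():  # constructed: 0.8 BTC input, 0.5 BTC payment, change returned
    out = lambda sats, fill: struct.pack("<Q", sats) + b"\x16\x00\x14" + bytes([fill]) * 20
    kv = lambda k, v: bytes([len(k)]) + k + bytes([len(v)]) + v
    tx = (struct.pack("<I", 2) + b"\x01" + b"\xaa" * 32 + bytes(5) + b"\xff" * 4
          + b"\x02" + out(50_000_000, 0x11) + out(29_998_000, 0x22) + bytes(4))
    return (b"psbt\xff" + kv(b"\x00", tx) + b"\x00" + kv(b"\x01", out(80_000_000, 0x33))
            + b"\x00\x00" + kv(b"\x02\x02" + b"\x44" * 32, bytes(12)) + b"\x00")
```

Each entry in `outputs` is `(sats, scriptPubKey hex, claims_change)`; an input without a witness UTXO raises `KeyError`, so the fee is never reported from incomplete data.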

Threat Models and How PSBT Helps

I approach Crypto security & Wallets with a simple habit: trust but verify. PSBT cold signing directly addresses several common threats:

  • Malware on your laptop: Malware can tamper with addresses or try to grab keys. With air gapped signing, the keys are out of reach and the device display acts as your last line of verification.
  • Phishing sites and fake interfaces: Even if a site spoofs a deposit address, the offline signer shows the actual destination and amount. You catch mismatches on the trusted screen.
  • Supply chain attacks on desktop wallets: The signing logic is not delegated to your desktop app. It prepares data only. Your offline signer applies policy and enforces checks.
  • Seed phrase exposure: The seed never touches an online computer. Backups live offline and are verified offline.
  • Backup failures: PSBT does not fix this by itself, but the workflow encourages you to practice recovery on an isolated device, which surfaces backup errors sooner.

What PSBT does not solve: address poisoning in your contacts, shoulder surfing of your seed, or physical attacks. It also does not prevent mistakes like sending to the wrong network or mismanaging fees. Air gaps reduce digital risk, not human error.

Designing a Durable Setup

Good Crypto security & Wallets depend on system design, not a single gadget. Consider the following design choices when building your PSBT workflow:

  • Descriptors over legacy paths: Output descriptors capture scripts, derivations, and policies in a single shareable description. They streamline watch only wallets and reduce import mistakes.
  • Multisig with 2 of 3 or 3 of 5: For higher stakes, split signing authority. Store keys in different locations and use varied hardware to avoid shared failure modes.
  • BIP39 passphrase: Adds an extra factor on top of the seed. Keep the passphrase recorded securely and test recovery.
  • QR vs SD card: QR is convenient and leaves no physical residue, but can be limited by data size. SD cards handle larger multisig PSBTs but require hygienic handling.
  • Policy prompts: Prefer signers that visibly show receive path, change path, script type, and spending limits. Humans make better decisions when the device surfaces clear data.

Whichever tools you choose, standardize around repeatable steps and verify each component. If I change any part of my stack, I run a dry run with small UTXOs to validate the flow before moving size.

Verification Habits That Save You

Most failures come from rushed clicks. Build muscle memory with these habits:

  • Always verify the destination address and amount on the offline device screen, not just on your laptop.
  • Check change output details. Attackers aim to siphon change into their addresses where you are less likely to notice.
  • Validate firmware authenticity via vendor checksums or reproducible build signatures. Update in a controlled environment.
  • Use coin control to avoid accidental consolidation that could harm privacy or increase fees later.
  • Perform a small test send after wallet creation or firmware changes. Confirm that receive and change paths match your records.

Short Scenario: Moving Cold Funds Securely

Imagine you need to move 0.5 BTC from deep cold storage to a brokerage for a time sensitive sale. On your online machine, your watch only wallet assembles a PSBT with a fee rate that targets confirmation in the next block. You scan the PSBT QR into your offline signer, which shows the destination and a change output returning to your wallet. You confirm, sign, and move the signed PSBT back to the online machine for broadcast. At no point did your keys or seed phrase touch a networked device.

Practical Checklist

  • Initialize offline signer, record seed on durable media, and consider a BIP39 passphrase.
  • Export watch only descriptor to your online wallet software. Confirm addresses match between devices.
  • Construct PSBT with explicit coin control and a memo for your records.
  • Move the PSBT via QR or SD card. Verify details on the offline device display.
  • Sign offline, return the signed PSBT, and broadcast online.
  • Record the transaction ID and update your inventory of UTXOs and backups.
  • Periodically test recovery on a spare device without revealing secrets online.

Limits and Trade offs

Air gapped PSBT flows are not frictionless. Handling files, SD cards, and QR bundles slows you down, which is partly the point. Large PSBTs for multisig can exceed QR payload sizes, forcing multiple scans. Offline devices need safe power and storage conditions. Finally, humans are the brittle part - if you skip device screen checks or mishandle backups, the model cannot compensate. Accept the friction as a feature that buys you clarity.

FAQ

  • Do I still need a hardware wallet if I use PSBT?

    Yes. PSBT is a format. You still need a secure signer that holds keys offline and presents transaction details on a trusted screen.

  • Is air gapped signing via USB safe?

    True air gaps avoid data lines. Prefer SD cards or QR codes. If you must use USB, ensure the device never enumerates as mass storage and that firmware cannot be altered by the host.

  • What about multisig?

    PSBT was designed with multisig in mind. Each signer adds its part offline. Store keys in different places and test partial signing before high value use.

  • Can PSBT improve privacy?

    Indirectly. It encourages coin control and careful change management. For on chain privacy, also use tools that support coin labeling and avoid unnecessary consolidation.

  • What if my offline device fails?

    Recover using your seed and passphrase on a compatible signer. This is why you test recovery and maintain multiple backups in separate locations.

Closing Thought

Strong Crypto security & Wallets are built around habits and architecture, not hype. PSBT cold signing gives you a clear boundary where keys never cross into online space, while still letting you transact with confidence. My rule has not changed in a decade of security work - trust but verify. When every spend passes through an offline screen and a deliberate check, you turn fragile custody into a repeatable process you can depend on.