Independent review. This site is not the official website and is not affiliated with, endorsed by, or operated by the wallet vendor reviewed here. Never enter your seed phrase or private keys on any third-party site.

Advanced air-gapped signing & PSBT workflows

Introduction — who this is for

This guide explains advanced air-gapped signing workflows for Ledger-style hardware wallets, with a focus on PSBT (Partially Signed Bitcoin Transaction) signing and practical offline processes. If you hold Bitcoin long-term, care about minimizing online exposure, and are willing to trade convenience for stronger operational security, this article is for you. In my testing I set up watch-only hosts, built PSBTs, and completed offline sign/return cycles multiple times across months. What I've found should save you time and heartburn.

And yes, air-gapped setups are fiddly at first. But they scale into reliable routines.

What is air-gapped signing and why it matters

Air-gapped signing means the hardware wallet (or its signing companion) never connects to the internet during transaction signing. The private keys remain inside the secure element on the hardware wallet and are only used to sign a PSBT that was prepared on an online machine. Why do this? To reduce the attack surface. A compromised computer can build a transaction, but without access to the private keys it cannot sign it, so it cannot move funds on its own.

Short answer: air-gapping reduces risk. Longer answer: it raises operational complexity (and that matters when you have recurring payouts).

How air-gapped signing works on a Ledger-style hardware wallet

At a technical level the sequence is: construct an unsigned PSBT on an online wallet; transfer that PSBT to the air-gapped hardware wallet; confirm details on the wallet's screen; sign; move the signed PSBT back to an online machine and broadcast. The secure element stores private keys and enforces on-screen confirmation of amounts and addresses, so an attacker can't silently swap details without you noticing.

PSBT is a Bitcoin-standard format, so PSBT workflows on a Ledger-style device apply to Bitcoin specifically. Other chains use different offline signing flows (Ethereum, for example, serializes transactions differently), but the same principle applies: build the unsigned transaction on the online machine, sign offline, broadcast online.

For further background on how this fits into device security architecture, see the hardware wallet security architecture overview (/hardware-wallet-security-architecture) and supply chain checks (/supply-chain-security-verification).

PSBT signing workflow — How to / Step by step

Step-by-step for a typical offline signing cycle (generic, model-agnostic):

  1. Prepare a watching-only wallet on an online machine. Export your XPUB or use a watch-only file. (This lets you construct transactions without exposing private keys.)
  2. Create the PSBT on the online machine. Choose inputs, outputs, and fees. Save the PSBT to a transfer medium (QR, microSD, or a USB file), depending on your air-gap setup.
  3. Move the PSBT to the air-gapped hardware wallet. Open the signing app on the device and import the PSBT.
  4. Carefully verify the on-device screen: addresses, amounts, and fee. If it looks wrong, cancel. If it matches, approve and sign. The device adds signatures but never reveals private keys.
  5. Export the signed PSBT back to the online machine and broadcast to the network.

How you move files depends on your setup. Some users prefer QR transfers (no cable), others use USB OTG or a camera-scanner route. Pick one and make it repeatable.

If you want a full setup walkthrough, see the step-by-step setup page (/setup-ledger-step-by-step).

Hands-on testing notes: UX and real-world gotchas

In my experience, the most time-consuming part is on-device verification. Small screens truncate text. So I read numbers aloud and compare them, or use multiple checksums. Strange things I ran into:

  • PSBT construction errors when the online wallet used an unexpected derivation path. (Verify paths against your device.)
  • Transfer interruptions when a cable was flaky: the export finishes but the file is corrupted. (Test your medium.)
  • Firmware prompts on connected devices; if you're truly air-gapped you must plan firmware updates via a verified process (/firmware-update-guide).

What I've found: repeatable routines reduce mistakes. Test one transaction with a tiny amount before moving large sums.
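
The check below is an added example, not code from this guide or from any wallet vendor. Run on the online machine, it parses the PSBT sent in step 3 and the one returned in step 5 (BIP-174 version 0, base64), fails on a truncated or corrupted transfer, and confirms the returned file carries the same unsigned transaction plus signatures. The function names and the constructed sample PSBT are assumptions for illustration.

```python
import base64, io
MAGIC = b"psbt\xff"                    # BIP-174 magic bytes
SIG_KEYS = {0x02, 0x07, 0x08, 0x13}    # partial sig, final scriptSig/witness, taproot key sig

def take(s, n):
    b = s.read(n)
    if len(b) != n:
        raise ValueError("truncated PSBT")       # e.g. an interrupted file copy
    return b

def csize(s):                          # Bitcoin compact-size integer
    n = take(s, 1)[0]
    return n if n < 0xfd else int.from_bytes(take(s, 1 << (n - 0xfc)), "little")

def read_map(s):                       # key-value pairs up to the 0x00 separator
    m = {}
    while (klen := csize(s)):
        key = take(s, klen)
        m[key] = take(s, csize(s))
    return m

def parse_psbt(b64):                   # -> (unsigned tx, [(sats, scriptPubKey hex)], input maps)
    s = io.BytesIO(base64.b64decode(b64, validate=True))
    if take(s, 5) != MAGIC:
        raise ValueError("not a PSBT")
    if (tx := read_map(s).get(b"\x00")) is None:  # global unsigned transaction
        raise ValueError("no unsigned tx (PSBT v2 not handled)")
    t = io.BytesIO(tx[4:])             # skip the 4-byte version
    n_in = csize(t)
    for _ in range(n_in):              # outpoint, scriptSig, sequence
        take(t, 36); take(t, csize(t)); take(t, 4)
    outs = [(int.from_bytes(take(t, 8), "little"), take(t, csize(t)).hex())
            for _ in range(csize(t))]
    ins, _ = [[read_map(s) for _ in range(n)] for n in (n_in, len(outs))]
    return tx, outs, ins

def check_roundtrip(sent_b64, returned_b64):
    (tx, outs, _), (tx2, _, ins) = parse_psbt(sent_b64), parse_psbt(returned_b64)
    if tx != tx2:
        raise ValueError("unsigned transaction differs from what was sent")
    signed = sum(any(k[0] in SIG_KEYS for k in m) for m in ins)
    return outs, signed, len(ins)

# Constructed sample: one input (txid 11..11), one P2WPKH output of 50,000 sat.
TX = (bytes.fromhex("0200000001") + b"\x11" * 32 + bytes.fromhex("0000000000fdffffff")
      + bytes.fromhex("0150c3000000000000160014") + b"\x22" * 20 + bytes(4))
kv = lambda k, v: bytes([len(k)]) + k + bytes([len(v)]) + v
GLOBAL = MAGIC + kv(b"\x00", TX) + b"\x00"
SENT = base64.b64encode(GLOBAL + b"\x00\x00").decode()
SIGNED = base64.b64encode(GLOBAL + kv(b"\x02" + b"\x03" * 33, b"\x30" * 71) + b"\x00\x00").decode()
```

`check_roundtrip(SENT, SIGNED)` returns the output list, the number of inputs carrying a signature, and the input count. It only shows that the file survived the transfer and still describes the same transaction; the on-device check in step 4 remains the point where addresses and amounts are approved.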

Security trade-offs, passphrase risks, and backups

Air-gapped signing reduces remote attack vectors, but it doesn't absolve you from other risks. The device's secure element protects private keys, but if someone steals both your hardware wallet and your seed phrase (or passphrase), funds are at risk.

A passphrase (the "25th word") adds a layer of plausible deniability but also massive operational risk. If you use a passphrase, treat it like a second secret; losing it means losing funds. See the passphrase guide (/passphrase-25th-word-guide) and seed backups (/seed-phrase-management).

Metal backup plates and Shamir backup (SLIP-39) are practical mitigations for physical degradation and single-point-of-failure backups. I store one metal plate locally and another geographically separated — different jurisdictions, separate safes. That strategy isn't perfect, but it balances access and security.

Multisig and advanced setups with air-gapped signing

Multisig improves resilience by spreading trust across multiple keys. You can combine multiple hardware wallets (air-gapped or not) so that an attacker needs several compromises to drain funds. How do you manage multisig with PSBT? Build a PSBT, have each cosigner add signatures (often via air-gapped signing cycles), and then broadcast the final PSBT.

Multisig adds complexity and recovery overhead, so match your setup to the value you protect. If you're starting, read the multisig primer (/multisig-guide) and the Ledger-focused multisig notes (/multisig-for-ledger).

Connectivity considerations: Bluetooth, USB, QR, OTG

Different transport methods change your threat model. Bluetooth offers convenience for mobile signing but adds an attack surface. USB OTG is commonly used for wired offline workflows. QR avoids cables entirely but requires cameras and compatible UIs.

Is Bluetooth safe? It can be acceptable for low-value transfers, but for high-value cold storage I'd avoid wireless pairing for signing. See deeper guidance on connectivity (/connectivity-bluetooth-otg).

Common mistakes, recovery scenarios, and further reading

Common mistakes I see: buying from unofficial sellers, writing the seed phrase to paper only (no metal backup), and signing transactions without verifying the on-device screens. These are classic traps; don't fall for them. For recovery scenarios, read the recovery guide (/recover-if-device-lost) and the company bankruptcy primer (/company-bankruptcy-what-happens).

Also review common phishing patterns and how attackers trick users (/common-mistakes-phishing).

Quick comparison: Air-gapped vs connected signing

| Feature | Air-gapped signing | Connected signing |
| --- | --- | --- |
| Attack surface | Low | Higher (network-exposed) |
| Convenience | Lower (more steps) | Higher (fast UX) |
| Multisig support | Full (PSBT-based) | Full (depending on wallet) |
| Firmware update complexity | Higher (may require verified transfer) | Lower (online checks) |
| Best use case | Long-term cold storage | Daily spending or DeFi interactions |

FAQ

Q: Can I recover my crypto if the device breaks?
A: Yes — if you have the seed phrase backed up correctly. Recovering onto a new hardware wallet or compatible software wallet requires your recovery phrase and any passphrase you used. See recovery options (/recover-if-device-lost).

Q: What happens if the company goes bankrupt?
A: Your keys and seed phrase are what matter. Company insolvency doesn't destroy funds if you control the seed phrase. That said, support and firmware access could be affected; plan for long-term access and verify firmware provenance (/company-bankruptcy-what-happens) and (/verify-authenticity).

Q: Is Bluetooth safe for a hardware wallet?
A: Bluetooth increases convenience but also the attack surface. For long-term cold storage and high-value signing, prefer wired or QR-based air-gap methods. For smaller, everyday transactions, Bluetooth can be an acceptable trade-off if you understand the risks (/connectivity-bluetooth-otg).

Conclusion & next steps

Air-gapped signing and PSBT workflows are practical ways to harden Bitcoin custody while keeping transactions possible. They require discipline and a tested routine. If you want step-by-step setup help, follow the setup guide (/setup-ledger-step-by-step) and the firmware verification checklist (/firmware-update-guide). In my experience, the extra hour of setup per month is worth the peace of mind.

If you'd like, start by creating a watching-only wallet and run a single PSBT test with a small amount — you learn more from a tiny, controlled mistake than from reading a dozen guides.