This guide explains advanced air-gapped signing workflows for Ledger-style hardware wallets, with a focus on PSBT (Partially Signed Bitcoin Transaction) signing and practical offline processes. If you hold Bitcoin long-term, care about minimizing online exposure, and are willing to trade convenience for stronger operational security, this article is for you. In my testing I set up watch-only hosts, built PSBTs, and completed offline sign/return cycles multiple times across months. What I've found should save you time and heartburn.
And yes, air-gapped setups are fiddly at first. But they scale into reliable routines.
Air-gapped signing means the hardware wallet (or its signing companion) never connects to the internet during transaction signing. The private keys remain inside the secure element on the hardware wallet and are only used to sign a PSBT that was prepared on an online machine. Why do this? Reducing attack surface. A compromised computer can build a transaction, but without access to private keys it cannot sign and broadcast funds away.
Short answer: air-gapped reduces risk. Longer answer: it raises operational complexity (and that matters when you have recurring payouts).
At a technical level the sequence is: construct an unsigned PSBT on an online wallet; transfer that PSBT to the air-gapped hardware wallet; confirm details on the wallet's screen; sign; move the signed PSBT back to an online machine and broadcast. The secure element stores private keys and enforces on-screen confirmation of amounts and addresses, so an attacker can't silently swap details without you noticing.
PSBT is a Bitcoin-standard format (so "psbt ledger" workflows apply to Bitcoin specifically). Other chains use different offline signing flows — Ethereum, for example, serializes transactions differently — but the same principle applies: build offline, sign offline, broadcast online.
For further background on how this fits into device security architecture, see the hardware wallet security architecture overview (/hardware-wallet-security-architecture) and supply chain checks (/supply-chain-security-verification).
Step-by-step for a typical offline signing cycle (generic, model-agnostic):
How you move files depends on your setup. Some users prefer QR transfers (no cable), others use USB OTG or a camera-scanner route. Pick one and make it repeatable.
If you want a full setup walkthrough, see the step-by-step setup page (/setup-ledger-step-by-step).
In my experience, the most time-consuming part is on-device verification. Small screens truncate text. So I read numbers aloud and compare them, or use multiple checksums. Strange things I ran into:
What I've found: repeatable routines reduce mistakes. Test one transaction with a tiny amount before moving large sums.
Air-gapped signing reduces remote attack vectors, but it doesn't absolve you from other risks. The device's secure element protects private keys, but if someone steals both your hardware wallet and your seed phrase (or passphrase), funds are at risk.
Passphrase (the "25th word") adds plausible-deniability layers but also massive operational risk. If you use a passphrase, treat it like a second secret; losing it means losing funds. See the passphrase guide (/passphrase-25th-word-guide) and seed backups (/seed-phrase-management).
Metal backup plates and Shamir backup (SLIP-39) are practical mitigations for physical degradation and single-point-of-failure backups. I store one metal plate locally and another geographically separated — different jurisdictions, separate safes. That strategy isn't perfect, but it balances access and security.
Multisig improves resilience by spreading trust across multiple keys. You can combine multiple hardware wallets (air-gapped or not) so that an attacker needs several compromises to drain funds. How do you manage multisig with PSBT? Build a PSBT, have each cosigner add signatures (often via air-gapped signing cycles), and then broadcast the final PSBT.
Multisig adds complexity and recovery overhead, so match your setup to the value you protect. If you're starting, read the multisig primer (/multisig-guide) and the Ledger-focused multisig notes (/multisig-for-ledger).
Different transport methods change your threat model. Bluetooth offers convenience for mobile signing but adds an attack surface. USB OTG is commonly used for wired offline workflows. QR avoids cables entirely but requires cameras and compatible UIs.
Is Bluetooth safe? It can be acceptable for low-value transfers, but for high-value cold storage I'd avoid wireless pairing for signing. See deeper guidance on connectivity (/connectivity-bluetooth-otg).
Common mistakes I see: buying from unofficial sellers, writing the seed phrase to paper only (no metal backup), and signing transactions without verifying the on-device screens. These are classic traps; don't fall for them. For recovery scenarios, read the recovery guide (/recover-if-device-lost) and the company bankruptcy primer (/company-bankruptcy-what-happens).
Also review common phishing patterns and how attackers trick users (/common-mistakes-phishing).
| Feature | Air-gapped signing | Connected signing |
|---|---|---|
| Attack surface | Low | Higher (network-exposed) |
| Convenience | Lower (more steps) | Higher (fast UX) |
| Multisig support | Full (PSBT-based) | Full (depending on wallet) |
| Firmware update complexity | Higher (may require verified transfer) | Lower (online checks) |
| Best use case | Long-term cold storage | Daily spending or DeFi interactions |
Q: Can I recover my crypto if the device breaks?
A: Yes — if you have the seed phrase backed up correctly. Recovering onto a new hardware wallet or compatible software wallet requires your recovery phrase and any passphrase you used. See recovery options (/recover-if-device-lost).
Q: What happens if the company goes bankrupt?
A: Your keys and seed phrase are what matter. Company insolvency doesn't destroy funds if you control the seed phrase. That said, support and firmware access could be affected; plan for long-term access and verify firmware provenance (/company-bankruptcy-what-happens) and (/verify-authenticity).
Q: Is Bluetooth safe for a hardware wallet?
A: Bluetooth increases convenience but also the attack surface. For long-term cold storage and high-value signing, prefer wired or QR-based air-gap methods. For smaller, everyday transactions, Bluetooth can be an acceptable trade-off if you understand the risks (/connectivity-bluetooth-otg).
Air-gapped signing and PSBT workflows are practical ways to harden Bitcoin custody while keeping transactions possible. They require discipline and a tested routine. If you want step-by-step setup help, follow the setup guide (/setup-ledger-step-by-step) and the firmware verification checklist (/firmware-update-guide). In my experience, the extra hour of setup per month is worth the peace of mind.
If you'd like, start by creating a watching-only wallet and run a single PSBT test with a small amount — you learn more from a tiny, controlled mistake than from reading a dozen guides.