Build a Bitcoin-Only Cold Signer and Watch-Only Mobile Setup: A Canadian Guide to Air-Gapped Security

Holding Bitcoin means holding the private keys. For Canadians and global users who prioritize custody, privacy, and survivability, a dedicated Bitcoin-only cold signer plus a watch-only mobile device delivers strong protection without sacrificing daily usability. This guide walks through why the split setup matters, what hardware and software choices to consider, and step-by-step workflows to securely receive, monitor, and spend Bitcoin using air-gapped signing and PSBTs. Practical tips on backups, testing recovery, and Canadian-specific considerations are included so you can build a resilient system that fits your threat model.

Why a Bitcoin-only Cold Signer and Watch-Only Mobile Setup?

A split architecture separates signing from monitoring. The cold signer stores the private keys in an isolated, offline environment. The watch-only mobile device keeps transaction history and balances visible but never holds keys. This model combines the security of cold storage with the convenience of a mobile interface for checks and payment requests. Key benefits:

  • Reduced attack surface - keys never touch an online device.
  • Portable monitoring - check balances and prepare PSBTs on a phone.
  • Flexible signing - sign transactions offline via QR, SD, or USB.
  • Scalable - works with single-signature and multi-signature setups.

Core Components and Recommended Features

Designing the system starts with choosing devices and software that support air-gapped signing and PSBT workflows. Focus on Bitcoin-only or Bitcoin-first tools where possible to reduce extraneous code and attack vectors.

Cold Signer - What to look for

  • Hardware wallet with true air-gap options (QR signing or SD card) or a small dedicated single-purpose device.
  • Open or well-reviewed firmware with a track record of safe signing and reproducible builds.
  • PSBT support - the ability to import unsigned PSBT files and export signed PSBTs without any network connection.
  • Optional passphrase/BIP39 25th word support for plausible deniability and hidden wallets.

Watch-Only Mobile - What to look for

  • Support for importing extended public keys (xpubs) or watch-only descriptors.
  • PSBT creation - prepare unsigned PSBTs to be transferred to the cold signer.
  • Optional Tor or VPN support for improved privacy when broadcasting or fetching fee estimates.

Desktop / Air-Gap Transfer Layer

A cleanly managed desktop or laptop operating from an offline bootable medium can act as the air-gap bridge in some workflows. Use a live Linux USB or a dedicated clean machine for PSBT assembly when necessary. Alternatively, use QR or SD workflows where the mobile device and cold signer exchange PSBTs directly or via an encrypted SD card.

Step-by-Step Setup Guide

Below is a practical step-by-step approach to building a Bitcoin-only cold signer and a watch-only mobile device. Tailor the steps to your chosen hardware and threat model.

1. Acquire and Verify Hardware

  • Buy hardware from trusted retailers or directly from manufacturers to reduce tamper risk.
  • When possible, verify the device fingerprint, original packaging seals, and firmware authenticity following vendor instructions.
  • Have a secondary watch-only phone - a low-cost device dedicated to monitoring is ideal.

2. Initialize the Cold Signer Offline

  • Power up the device in an offline environment. Avoid connecting it to the internet during seed generation.
  • Generate your seed phrase using the device UI. Write down the seed on multiple backups, ideally on steel plates for fire and flood protection.
  • Record whether you are using an added passphrase. Treat the passphrase like a separate secret - losing it means losing access.

3. Create Watch-Only xpubs and Import to Mobile

  • Export the extended public key (xpub) or output descriptor from the cold signer using QR or manual entry.
  • On the watch-only mobile app, import the xpub or descriptor to set up balance monitoring and receive addresses.
  • Verify a few derived addresses on both devices to ensure they match before receiving funds.

4. Funding and Watching

Use your watch-only device to create receive addresses. Monitor incoming transactions and confirm on the cold signer that the derived address is expected. This prevents receiving to an attacker-controlled address created by a compromised mobile app.

5. Preparing and Signing a Transaction

  1. On the watch-only app create a spend, which builds an unsigned PSBT with inputs, outputs, and fees.
  2. Export the PSBT from the mobile via QR or file to be transferred to the cold signer.
  3. On the cold signer, import and review the PSBT details carefully: outputs, amounts, and change address. Confirm the transaction on the signer.
  4. Sign the PSBT offline and export the signed PSBT back to the mobile or an online machine for broadcasting.
  5. Broadcast the signed transaction only from a network-connected device you trust. Confirm transaction ID on multiple explorers if needed for verification.

Air-Gap Transfer Methods

Choose a transfer method that suits your devices and comfort level. Options include:

  • QR codes - great for small PSBTs and pure air-gap workflows between devices with cameras.
  • SD or microSD cards - reliable for larger PSBTs and batch operations; use encrypted containers if you are concerned about physical loss.
  • USB via exclusively offline machines - use read-only USB sticks or freshly booted live environments and minimize exposure.

Backups, Recovery Testing, and Long-Term Durability

Backups are the most critical part of any self-custody plan. A backup that you cannot restore is worthless. Follow a disciplined backup and testing routine:

  • Create multiple backup copies of your seed phrase using resilient media such as stamped steel plates, geographically distributed.
  • Record passphrases separately using secure storage - consider split secrets or multi-party custody for high-value holdings.
  • Perform an annual recovery drill: restore the seed on a clean device or emulator and verify you can derive expected addresses and balances.
  • Keep a written procedure and emergency contacts so executors or trusted family members can access funds with minimal friction while preserving security.
Pro tip: Treat backup testing like fire drills. Schedule and document them so you know recovery steps work before they are needed.

Canadian Context and Practical Considerations

A Canadian operator should be aware of local realities that affect custody and transfers.

  • Regulation and exchanges - Canadian exchanges must comply with FINTRAC rules. If you use Bitbuy, Coinsquare, or other regulated platforms to fund purchases, plan immediate withdrawals to your own addresses to reduce custodial risk.
  • Banking and Interac - Canadian banks have varying stances on crypto businesses and transactions. Avoid using Interac e-transfer for peer-to-peer trades without strong identity verification and prefer exchange rails that provide audit trails.
  • Tax reporting - maintain clear records of transfers into your cold wallet and any subsequent sales. Canada requires reporting of crypto disposals; accurate records make compliance easier.
  • Electricity and mining - if you also mine Bitcoin at home in Canada, segregate mining payout addresses and maintain the same cold storage hygiene for miner payouts.

Threat Models and Hardening Tips

No single setup fits everyone. Consider these common threats and mitigations.

Malware on Mobile or Desktop

Mitigation: Keep the cold signer offline and verify PSBT contents on the signer screen. Use watch-only apps that display addresses and amounts derived from xpubs so you can cross-check.

Physical Theft or Coercion

Mitigation: Use passphrases, split backups across jurisdictions, and consider multi-signature setups that require multiple geographically separated keys to spend.

Supply Chain Attacks

Mitigation: Buy hardware from trusted channels, verify firmware, and prefer open-source or auditable projects where feasible.

Advanced Options and Scaling

As your holdings and operational needs grow you can scale this architecture:

  • Multi-signature - distribute signing power across multiple cold signers and a hot signer for routine spending limits.
  • HSM or institutional-grade signers - for vaults over enterprise thresholds, consider specialized appliances and professional custody policies.
  • Automation - PSBT creation and fee estimation can be automated on the watch-only device while keeping signing manual for safety.

Conclusion

A Bitcoin-only cold signer paired with a watch-only mobile device gives Canadians and global users a practical balance between security and usability. By keeping keys air-gapped, using PSBT workflows, and committing to disciplined backups and recovery testing, you can protect your Bitcoin against a wide range of threats. Tailor the specifics to your threat model, keep devices dedicated where possible, and practice your recovery drills. Security is not a one-time task but an ongoing process that pays off when it matters most.

If you are new to air-gapped workflows, start small: set up a testnet wallet, practice PSBT exchanges, and run a mock recovery before moving mainnet funds. With a repeatable, documented process you will build confidence and a robust self-custody system tailored to the Canadian legal and operational environment.