Build an Air-Gapped Raspberry Pi PSBT Signer: A Low-Cost Cold Signing Station for Canadian Bitcoin Holders

If you hold Bitcoin, moving to a layered cold storage strategy dramatically reduces custody risk. A practical, affordable way to do this is to build an air-gapped signing station using a Raspberry Pi and your hardware wallet. This guide walks you through the why and how, with Canadian context, security best practices, and step-by-step instructions so you can sign Partially Signed Bitcoin Transactions - PSBTs - offline and keep your private keys isolated.

Why an air-gapped PSBT signer matters

A hardware wallet is strong, but combining it with an air-gapped signing station adds extra protection against network-based attacks, supply chain problems, and compromised desktop environments. The signer sits offline, signs PSBT files, and never exposes private keys to an internet-connected machine. For Canadians who use local exchanges like Bitbuy or Coinsquare, or who buy peer-to-peer with Interac e-transfer, this approach helps separate custody and signing operations and makes secure withdrawals and multisig workflows easier.

Who should build this

  • Individuals with meaningful Bitcoin holdings who want stronger cold storage without enterprise costs.
  • Users running a Bitcoin full node or using watch-only wallets who want a signing device for PSBT workflows.
  • Canadian hobby miners, small business owners, and privacy-conscious users who need offline signing.

What you will need

Hardware

  • Raspberry Pi 4 or Raspberry Pi Zero 2 W (Raspberry Pi 4 recommended for speed).
  • MicroSD card 16GB or larger for the OS. Buy from a reputable Canadian retailer.
  • Battery-backed power or a reliable PSU - avoid untrusted chargers.
  • USB OTG adapter or USB-A hub depending on model so the Pi can attach to a hardware wallet.
  • Hardware wallet you already own (Ledger, Trezor, Coldcard, etc). Coldcard and some others support PSBT well, but many popular wallets can be used with this flow.
  • Camera or phone to move PSBT files via QR, or a USB flash drive you control to transfer files. Prefer read-only microSD or USB devices you fully control.

Software and tools

  • A minimal, up-to-date OS image for the Raspberry Pi - install and then fully update before air-gapping.
  • Electrum or a dedicated signing tool that supports PSBT. Specter Desktop and Electrum are common choices for PSBT workflows.
  • Basic tools: qrencode, zbar-tools if you plan to use QR for PSBT transport.

Design choices and tradeoffs

There are choices to make based on cost, convenience, and threat model. A Pi Zero 2 W is cheap and compact. A Pi 4 is faster and more flexible. Using QR for PSBTs removes the need for USB mass storage but limits transaction size. Using a hardware wallet that supports direct signing on the device reduces the attack surface. Choose the option that matches your security needs.

Step-by-step build and hardening

1. Prepare the Raspberry Pi while online

  • Flash a minimal, well-supported OS to the microSD card and boot the Pi while connected to a trusted network. Perform all OS and package updates and install the signing software you intend to use. This minimizes the chance you need to connect the Pi to the internet after air-gapping.
  • Create a dedicated user account and disable unnecessary services. Remove SSH or change the port and set a strong password. Better yet, disable SSH before you disconnect the Pi permanently.
  • Verify software integrity where possible by checking signatures or checksums. For critical components, verify with independent sources before going offline.

2. Configure the signing environment

  • Install Electrum or your chosen PSBT signer. Configure it for an offline signing workflow. Create or import an empty watch-only wallet for testing.
  • If you plan to use QR for PSBT transport, install qrencode for generating QR codes and zbar-tools for scanning. Test end-to-end with small testnet transactions first.
  • Set up local time and locale. Avoid network time protocol after air-gapping, but ensure correct system time before going offline because timestamp mismatches can confuse tools.

3. Create your signing wallet securely

  • Create or import the same wallet type and derivation used by your watch-only setup on an online machine you control, then export the wallet xpubs or descriptors to the offline Pi. Alternatively, if you already have a hardware wallet, configure it to work with the offline signer by importing the extended public keys only.
  • Never import private keys or seed words into the Pi. The Pi is the signing host for PSBTs, not the private key holder unless you plan to use a software-only signer, which carries more risk.

4. Air-gap the device

  • Remove network connectivity. Unplug Ethernet and disconnect Wi-Fi. For stronger isolation, physically remove the Wi-Fi chip or block the antenna.
  • Disable or uninstall network services such as SSH and Bluetooth.
  • Power down, move the Pi to your secure signing location, and boot it without network connection.

Signing a transaction - PSBT workflow

A common PSBT workflow separates the online wallet and the offline signer. The online machine prepares a PSBT, the offline signer signs it, and the online machine broadcasts the final transaction. Below is a secure workflow you can adopt.

Step 1 - Prepare PSBT on an online machine

  • On your online watch-only wallet or full node, create a PSBT that spends the desired UTXOs. Verify fees and outputs carefully.
  • Export the PSBT to a file. Use a filename convention that avoids confusion, such as psbt-to-sign-YYYYMMDD.psbt.

Step 2 - Transfer PSBT to the air-gapped Pi

  • Use a trusted USB flash drive formatted by you, or transfer via QR if both devices support it. If using USB, consider setting filesystem to read-only before connecting to the Pi to reduce risk of malware transfer.
  • Scan the PSBT on the Pi and verify the transaction details displayed by your signing software - amounts, outputs, and fee rate.

Step 3 - Sign while offline

  • Connect your hardware wallet to the offline Pi. Confirm the device firmware is genuine and that the wallet presents the expected addresses and paths.
  • Sign the PSBT. The Pi will create a signed PSBT or a final transaction depending on your tool and hardware wallet combination. Verify the signatures and transaction structure before exporting.

Step 4 - Return the signed PSBT to the online machine and broadcast

  • Move the signed PSBT back via the same trusted medium and import it on the online machine.
  • Verify final transaction details on the online machine and broadcast. Keep records of the PSBT and final TXID for accounting and tax reporting.

Operational security and Canadian considerations

Good OPSEC reduces accidental loss. Some practical Canadian notes:

  • Keep firmware and device receipts. In Canada, exchanges and regulators such as FINTRAC require records for larger transfers and business activity. Good documentation helps with compliance and audits.
  • If you transact with Interac e-transfer or local buyers, insist on moving coins to cold storage before meeting or completing trades. Avoid carrying private keys or seeds when traveling or meeting strangers.
  • Consider customs and legal rules if traveling internationally with hardware wallets. In some jurisdictions border agents may ask to inspect devices. Ensure you understand your rights and have backup plans.

Testing, backups, and recovery drills

Never assume a cold storage process works until you test it. Run a rehearsal using testnet or with a small mainnet amount. Practice restoring watch-only states and signing workflows. Document the process and store the Pi, your hardware wallet, and backups in separate secure locations where appropriate.

Common pitfalls and how to avoid them

  • Mixing seed words with the Pi. Never store mnemonic seeds on the signing host.
  • Using untrusted USB drives. Use new, known-good drives and consider write-protect mechanisms.
  • Failing to verify addresses and amounts on the hardware wallet screen. The device display is the last line of defense.
  • Neglecting to test restores. A backup is only useful if it has been verified by a restore test.

Key takeaway: An air-gapped Raspberry Pi PSBT signer gives you a low-cost, high-security signing environment that complements hardware wallets and watch-only setups. Treat the system as part of a layered approach to custody and test it before trust.

Next steps and scaling

Once comfortable with a single Pi signer, you can scale to multisig workflows, use multiple air-gapped signers for redundancy, or integrate this station with a full node watch-only setup. Businesses can formalize the process into a treasury policy with separated duties for transaction creation, signing, and broadcasting.

Conclusion

Building an air-gapped Raspberry Pi PSBT signer is an accessible upgrade for Canadian and global Bitcoin holders who want stronger self-custody. It reduces exposure to network threats, supports advanced PSBT workflows, and pairs well with hardware wallets and full nodes. Follow the hardening steps, test thoroughly, and document your process. With a little setup time and disciplined OPSEC, you can achieve enterprise-grade signing security on an affordable budget.

If you want, I can provide a checklist for purchasing components from Canadian retailers, or a sample command list to configure a Pi with Electrum for offline signing. Tell me which Pi model you plan to use and I will tailor the commands and checklist.