Building an Air-Gapped PSBT Signing Workflow with ColdCard and Raspberry Pi: A Practical Canadian Guide

Keeping Bitcoin truly under your control means separating signing keys from the network. An air-gapped signing workflow uses an offline hardware signer plus a separate online computer to create and broadcast transactions. This post walks through a practical, step-by-step setup using a ColdCard hardware wallet and a Raspberry Pi as the offline signer, explains the threat model, and covers Canadian considerations such as hardware procurement, exchange custody, and regulatory awareness. The goal is an actionable, resilient self-custody routine that balances usability and strong security.

Why an Air-Gapped PSBT Workflow

An air-gapped setup protects your private keys from internet-exposed devices. With Partially Signed Bitcoin Transactions (PSBTs), the online computer constructs transactions without ever having access to private keys. The offline signer then signs the PSBT and returns it for broadcast. Benefits include:

  • Reduced exposure to malware on everyday machines.
  • Compatibility with multisig or single-signer setups.
  • Use of open standards like PSBT and BIP39 to maintain portability.

High-Level Workflow Overview

The typical flow looks like this:

  1. Create seed and wallet on the ColdCard while it is offline.
  2. Export the public information or xpub to an online machine to create a watch-only wallet.
  3. When you want to spend, the online machine creates a PSBT and moves it to the offline signer via SD card or QR codes.
  4. The offline signer signs the PSBT and returns it the same way.
  5. The online machine broadcasts the signed transaction to the Bitcoin network.

Hardware and Software Checklist

You can adapt this workflow to different hardware, but here are recommended components for the ColdCard + Raspberry Pi approach:

  • ColdCard hardware wallet (or similar device that supports PSBT and air-gapped signing).
  • Raspberry Pi (dedicated, preferably without internet access) to act as an offline signing environment. Alternatively, use the ColdCard standalone if you prefer only SD/QR transfer.
  • Online watch-only computer for transaction construction and broadcasting. This can be your daily desktop or laptop.
  • Micro SD cards for transferring PSBT files, and optionally a small camera + screen or QR code tools if you use QR for PSBT transport.
  • Open-source wallet software that supports PSBT and watch-only mode such as Electrum or similar. Ensure you are using trusted distributions installed from official sources.
  • Steel backup device or plates for long-term seed storage and fire, flood, and corrosion resistance.

Step-by-Step Setup

1. Prepare and inspect hardware

Buy hardware from trusted vendors or official resellers. When your ColdCard and Raspberry Pi arrive, inspect packaging for tampering. For Canadians, consider ordering from reputable Canadian resellers to reduce transit complexity and customs handling.

2. Initialize the ColdCard offline

Power the ColdCard using a USB power supply without exposing it to your online computer. Use the device menu to generate a new seed. Prefer a seed generated from the device's own fresh entropy rather than importing a seed created on an online machine. Choose a strong, memorable policy for any passphrase or 25th word you plan to use. Write the seed on paper and then immediately transfer it to steel backup plates. Do a burn-in test: verify the seed by restoring it to a second, empty ColdCard or test environment before storing it away.

3. Export public keys for a watch-only wallet

From the ColdCard, export the xpub or descriptor to an SD card or display a QR code. Import that into your online wallet as watch-only. Confirm receiving addresses match what the ColdCard displays for a few addresses to verify consistency. This lets you monitor balances and create PSBTs without exposing private keys.

4. Construct a PSBT on the online computer

When spending, create a PSBT on your watch-only wallet. Populate inputs, choose fee rates responsibly, and review outputs carefully. Use coin control to avoid accidental consolidation of privacy-sensitive UTXOs. Save the PSBT to an SD card or export as a QR if supported.

5. Transfer PSBT to the offline signer and sign

Insert the SD card into your ColdCard or use QR to load the PSBT. The ColdCard will validate the PSBT structure and display the transaction details. Carefully verify every output address, amount, and fee on the device screen. Only then approve signing. The ColdCard will write the signed PSBT back to the SD card or output a signed QR.

6. Broadcast the signed transaction

Move the signed PSBT back to your online computer and import it into your watch-only wallet to finalize and broadcast. Verify the transaction ID and confirm on a block explorer from your online machine. Keep a log of signed transaction IDs for auditing.
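
The review in steps 5 and 6 can be backed by a check on the online machine. The Python below is an added example, not code from this guide, the ColdCard firmware or any wallet: it parses a version 0 (BIP174) PSBT, lists outputs and fee, and confirms that the PSBT returned on the SD card carries the same unsigned transaction you created. It assumes segwit inputs that carry a witness UTXO record; `summarize`, `same_unsigned_tx` and `SAMPLE` are names made up here.

```python
# Added example: names are illustrative, not from any wallet's API.
MAGIC = b"psbt\xff"  # BIP174 magic bytes

def varint(b, i):
    """Decode a compact-size integer at offset i; return (value, next offset)."""
    size = {0xfd: 2, 0xfe: 4, 0xff: 8}.get(b[i], 0)
    return (int.from_bytes(b[i + 1:i + 1 + size], "little") if size else b[i]), i + 1 + size

def read_map(b, i):
    """Read one PSBT key-value map; a zero key length ends the map."""
    m = {}
    while True:
        klen, i = varint(b, i)
        if klen == 0:
            return m, i
        key = b[i:i + klen]
        vlen, i = varint(b, i + klen)
        m[key], i = b[i:i + vlen], i + vlen

def summarize(psbt):
    """Return outputs, fee and unsigned tx of a version 0 PSBT with segwit inputs."""
    if psbt[:5] != MAGIC:
        raise ValueError("not a PSBT")
    glob, pos = read_map(psbt, 5)
    tx = glob[b"\x00"]                    # PSBT_GLOBAL_UNSIGNED_TX
    n_in, i = varint(tx, 4)               # skip the 4-byte version
    for _ in range(n_in):
        slen, i = varint(tx, i + 36)      # skip outpoint: 32-byte txid + 4-byte index
        i += slen + 4                     # skip scriptSig and sequence
    n_out, i = varint(tx, i)
    outputs, total_in = [], 0
    for _ in range(n_out):
        slen, j = varint(tx, i + 8)       # 8-byte amount, then length-prefixed script
        outputs.append((int.from_bytes(tx[i:i + 8], "little"), tx[j:j + slen].hex()))
        i = j + slen
    for _ in range(n_in):                 # one input map per input, in order
        imap, pos = read_map(psbt, pos)
        total_in += int.from_bytes(imap[b"\x01"][:8], "little")  # PSBT_IN_WITNESS_UTXO
    fee = total_in - sum(sats for sats, _ in outputs)
    return {"outputs": outputs, "fee": fee, "unsigned_tx": tx}

def same_unsigned_tx(created, returned):
    """True only if the PSBT that came back commits to the transaction you built."""
    return summarize(created)["unsigned_tx"] == summarize(returned)["unsigned_tx"]

# Constructed sample, not a real transaction: one 100,000 sat input, two P2WPKH outputs.
SAMPLE = bytes.fromhex(
    "70736274ff" "0100" "71" "0200000001" + "11" * 32 + "0000000000fdffffff02"
    "50c3000000000000160014" + "22" * 20 + "68bf000000000000160014" + "33" * 20
    + "00000000" "00" "0101" "1f" "a086010000000000160014" + "44" * 20 + "00" "0000")
```

If `same_unsigned_tx` returns False for the file that came back from the signer, treat the SD card contents as altered and do not broadcast.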

Testing and Recovery Drills

Do practice runs with small amounts of Bitcoin before moving significant funds. A proper recovery drill involves restoring your seed to a clean device and ensuring you can recreate your wallet and recover funds. This proves backups work and the emergency process is known by family or a trusted executor, while still preserving security.

Canadian Considerations

A few practical notes for readers in Canada:

  • Hardware procurement: Buy from authorized resellers or directly from manufacturers when possible. Local resellers reduce shipping times and simplify returns.
  • Exchanges and custody: Canadian exchanges such as Bitbuy and Coinsquare are commonly used for onramps, but if you plan to move funds to self-custody, withdraw to a cold wallet as soon as possible. Remember custodial accounts are subject to their own security and regulatory controls.
  • Regulatory awareness: If you operate a business that trades or brokers crypto, FINTRAC registration and AML obligations may apply. For personal use, maintain records for tax reporting and be aware of CRA guidance on cryptocurrency gains.
  • Interac and banking: When cashing out or receiving CAD, follow bank guidelines and avoid risky person-to-person trades. Keep thorough records of provenance when moving large amounts.

Threat Model and Hardening Tips

Design your workflow based on realistic threats. Common threats include malware on online machines, supply-chain tampering, social engineering, coercion, and physical loss.

  • Supply chain: Verify device serials and firmware signatures before first use. Only update firmware from official sources and verify cryptographic signatures when possible.
  • Malware: Keep your watch-only machine hardened. Use full disk encryption, up-to-date OS patches, and consider a dedicated machine for wallet construction.
  • Physical security: Store steel backups and devices in separate secure locations. Use safe deposit boxes or trusted custody arrangements for long-term seed storage.
  • Passphrase defense: Use passphrases with caution. A passphrase adds protection but also heightens recovery complexity. Document recovery procedures for successors securely.

Backups, Inheritance, and Legal Notes

Planning for loss, incapacitation, or death is essential. Best practices include:

  • Use multiple steel backups stored in geographically separated secure locations.
  • Prepare a straightforward, securely stored recovery plan for heirs. This can include a sealed, signed envelope in a safety deposit box, or a legal will that references instructions while avoiding publishing sensitive details.
  • Consider multisig with trusted co-signers or a professional custodian for large holdings to reduce single point of failure and coercion risk.
  • Document your custody policy and test recovery annually to ensure procedures still work and designated contacts remain appropriate.

Firmware, Updates, and Supply-Chain Hygiene

Keep firmware current to benefit from security fixes, but update carefully. Recommended approach:

  • Verify firmware signatures using vendor-provided keys and instructions. If you are not comfortable verifying signatures, wait and seek help from a trusted, privacy-respecting professional.
  • Prefer offline update methods where the device owner manually transfers signed update files via SD card rather than plugging the device into an internet-exposed computer.
  • Retain original packaging and records of purchase in case you need support or to prove provenance.

Common Mistakes and Troubleshooting

Watch for these pitfalls:

  • Rushing address checks. Always verify addresses on the offline device screen, not just on the online computer.
  • Not testing backups. A backup that cannot restore is worthless. Perform periodic recovery drills with small amounts.
  • Using the same location for all backups. Physical disasters can destroy co-located backups.
  • Mixing passphrases with casual memory hints. Treat passphrases like additional private keys and keep them equally protected.

Practical Example: Signing and Broadcasting a Small Transaction

Try this dry run before moving larger sums:

  • Fund a receiving address generated by your ColdCard with a small amount of testnet coins or a tiny mainnet amount you are comfortable risking.
  • On your online watch-only wallet, create a PSBT to send that small amount to another of your addresses.
  • Move the PSBT to the ColdCard via SD, verify the outputs on-screen, sign, then import the signed PSBT back to the online machine and broadcast.
  • Confirm the txid on a block explorer and that the coins arrive as expected. If anything goes wrong, you have only risked a small amount while learning the steps.

Conclusion

An air-gapped PSBT signing workflow using a ColdCard and a Raspberry Pi provides a powerful balance between strong security and practical usability. For Canadian users, it pairs well with responsible exchange use, awareness of regulatory and banking contexts, and strong physical backup practices. Prioritize testing, verify every address on the offline device, and create a clear recovery plan for heirs or trusted executors. With careful setup and regular drills, you can keep Bitcoin private keys out of harm's way while retaining control and flexibility.
