DIY Air-Gapped Bitcoin Signing Station with Raspberry Pi: A Canadian Guide to Secure Cold Signing

This step-by-step guide explains how to build and operate an air-gapped Bitcoin signing station using a Raspberry Pi. It is written for Canadians and international readers who want a low-cost, robust cold-signing workflow that pairs modern hardware wallets with an offline signing computer. The post covers components, secure setup, PSBT workflows, recovery planning, and practical Canadian context like moving coins off Canadian exchanges and protecting transfers done with Interac e-transfer.

Why an Air-Gapped Signing Station?

Air-gapped signing stations provide a separation between the online world and the private keys used to sign Bitcoin transactions. Instead of keeping your seed or private keys on an internet-connected computer, you keep them on a device that never touches the network. This reduces attack surface from malware, remote exploits, and targeted exchange or banking attacks. For Canadians who buy Bitcoin on regulated platforms such as KYC exchanges and then want to hold their own keys, an air-gapped station is an affordable step-up in security.

Threat model and benefits

  • Protects against remote compromise of signing keys.
  • Enables signing with hardware wallets while keeping the signing environment isolated.
  • Supports PSBT workflows compatible with many wallets and multisig setups.
  • Affordable and reproducible for hobbyists and serious holders alike.
Principle: Never export your extended private keys or enter your seed on an internet-connected device. Use PSBTs (Partially Signed Bitcoin Transactions) to move unsigned transactions between online and offline environments.

What You Need - Hardware and Software

Below is a practical shopping list and software choices. In Canada you can source most components from reputable electronics retailers, authorized resellers, or local crypto shops. Avoid secondhand devices unless you can verify provenance and wipe them securely.

Hardware

  • Raspberry Pi (Model 4 recommended for performance) or Pi Zero 2 W for very small builds.
  • MicroSD card for the OS (use new, reliable brands).
  • USB hub (powered) if you plan to connect multiple devices.
  • Hardware wallet (Ledger, Trezor, or Coldcard - any reputable model). Keep firmware verified and up to date on a separate, internet-connected machine before transferring it to your signing workflow.
  • Optional: OLED screen, keyboard, small display for convenience.
  • Air-gapped transfer medium: microSD cards, USB flash drive used read-only on the Pi, or QR camera/reader if using QR-based PSBT support (Coldcard-style).
  • Steel seed backup plates for long-term storage and fire/water protection.

Software and wallet choices

  • An OS image for the Pi - a minimal, well-known distribution (use fresh image and verify checksums offline when possible).
  • Electrum, Sparrow, or other wallet software that supports PSBT and watch-only wallets. Sparrow is popular for advanced UTXO control; Electrum has broad hardware wallet support.
  • Optional: HWI (Hardware Wallet Interface) for advanced USB handling and multisig setups.
  • Tools for verification - GPG for signature checks, sha256sum for checksums.

Step-by-Step Build and Secure Setup

1. Prepare your components in a safe environment

Buy new microSD and USB drives. Keep all packaging and serial numbers for warranty and provenance. Use a separate internet-connected workstation to download OS and wallet software, verify signatures and checksums, then move verified installers to the Pi using a trusted medium.

2. Create the offline OS image

  • Flash a minimal OS image to the microSD from the verified installer.
  • Before first boot, disable networking by removing Wi-Fi country files or removing network managers so the Pi boots without any active NIC drivers. The goal is a machine that never automatically connects to the internet.

3. Install and verify wallet software

Transfer the verified wallet application files to the Pi using an air-gapped method. Install and run the wallet on the Pi, but do not generate or import any seeds on the online machine. If you plan to use a hardware wallet, test connecting the same model to an online computer first to ensure firmware is current and genuine.

4. Create or restore keys only on the air-gapped station

Prefer creating seeds on the hardware wallet itself rather than on the Pi. If you must generate a seed with the Pi, do so in a physically secure location and print or engrave the seed phrase to steel. Never photograph or store a plaintext seed on any networked device.

5. Set up a watch-only wallet on your online machine

Create a watch-only wallet on your internet-connected computer or mobile device. Export the extended public keys (xpub) or descriptor from the air-gapped station as necessary and import them into the online wallet. The online wallet builds PSBTs and broadcasts signed transactions to the network after you return signed PSBTs back to the online machine.

PSBT Workflow Examples and Transfer Methods

PSBT is the safe standard. It carries unsigned transaction data and metadata between an online PSBT-creating wallet and an offline signer. There are three common transfer approaches:

MicroSD / USB transfer

  • Export PSBT from an online wallet to a signed file on a flash drive or microSD.
  • Insert into the air-gapped Pi and sign with the hardware wallet attached to the Pi.
  • Export the signed PSBT back to the transfer medium and move it to the online machine for broadcasting.

QR-based transfer

Some hardware wallets and signing devices can display or scan PSBTs as QR codes. This removes the need for USB drives but requires a reliable camera and clean QR software. QR workflows are highly convenient for single-signer setups and for devices like Coldcard that intentionally support air-gapped QR or SD workflows.

PSBT verification and broadcasting

  • Always verify PSBT details on the offline signer before approving: outputs, amounts, destination addresses, and fees.
  • After signing, confirm the signed transaction on the online machine using the watch-only wallet before broadcasting to the network.

Operational Security and Best Practices

Hygiene and physical security

  • Keep your air-gapped Pi in a physically secure location when not in use.
  • Use steel backups for seed phrases and store them geographically separated to reduce theft or disaster risk.
  • Never share screenshots or typed copies of your seed phrase or passphrase in messages, email, or cloud storage.

Testing and drills

Practice recoveries on a testnet or with a small amount of Bitcoin first. Run a full restore drill from your steel backup to your hardware wallet and air-gapped station to verify your procedure actually works under stress.

Multisig and family vaults

Air-gapped stations pair well with multisig. You can run multiple air-gapped signers or combine a hardware wallet with an offline Pi signer. Multisig reduces single-point-of-failure risk but increases operational complexity, so document the recovery plan carefully and test it.

Canadian Considerations

For Canadians, there are a few practical notes to keep in mind when moving Bitcoin from exchanges to an air-gapped wallet. Many Canadian exchanges require KYC under FINTRAC rules, so transfers out of those platforms will often be traceable to your identity. That is expected behavior when you choose to custody coins after purchase. When using Interac e-transfer to pay a counterparty for Bitcoin, be cautious and prefer on-chain settlement to a hardware wallet or PSBT workflow rather than trusting the counterparty to send coins to your exchange address. If you receive coins to an exchange for resale, move them to cold storage as soon as possible if you plan to hold long term.

Taxes and record keeping

Keep records: transaction IDs, PSBT logs, and receipts for exchange trades. Canadian tax reporting expects you to provide transaction details for capital gains or business activities. Moving coins to cold storage does not remove your obligation to track and report taxable events.

Troubleshooting and Common Pitfalls

  • Unsigned or partially-signed PSBTs that fail verification. Always verify everything on the offline device before approving.
  • Hardware wallet firmware mismatches. Update firmware on a trusted online machine and verify vendor release signatures before use.
  • Corrupted transfer media. Use multiple transfer media and verify file integrity with hashes where possible.
  • Not testing recovery. The biggest operational risk is assuming your backups work. Test them on a different hardware wallet or virtual machine set to testnet.

Putting It All Together - Example Workflow

  1. Buy Bitcoin on a Canadian exchange and withdraw to a watch-only address you control online.
  2. On your online machine, construct a transaction and export a PSBT file.
  3. Move the PSBT to a microSD and insert it in the air-gapped Pi.
  4. Use the Pi to open and verify the PSBT, attach the hardware wallet to the Pi and sign.
  5. Export the signed PSBT back to the microSD, move to the online machine, verify, and broadcast.
  6. Record the transaction ID and store audit logs with your backups.

Conclusion

An air-gapped Raspberry Pi signing station is a practical, affordable, and powerful tool for Canadians and global Bitcoin holders who want to keep private keys offline while still benefiting from modern wallet features. The key takeaways are simple: verify software, keep signing keys offline, use PSBTs, test recovery procedures, and document your plan. With disciplined practices you can greatly reduce the most common attack vectors and hold Bitcoin with confidence. Start small, run drills on testnet, and evolve your setup as your needs grow.

Keywords: Bitcoin, cryptocurrency, Bitcoin Canada, cold wallet, self-custody, air-gapped, Raspberry Pi, PSBT, hardware wallet, FINTRAC, Interac e-transfer.