BlogInsights
What Is an Air-Gapped Hardware Wallet? (QR Signing Explained)

What Is an Air-Gapped Hardware Wallet? (QR Signing Explained)

K
Kamila
on 14 Jul 2026
An air gapped hardware wallet protects assets by eliminating all wireless and physical network connections.

An air-gapped hardware wallet is a signing device that has no wired or wireless data connection to the internet, ever. Instead of USB cables or Bluetooth, it exchanges transaction data through QR codes, scanned by a built-in camera and displayed on its own screen. This physical separation between the signer and any networked computer is the "air gap," and it exists to prevent remote attackers from ever reaching the private keys.

Most hardware wallets communicate with a host computer over USB or Bluetooth. An air-gapped device eliminates both. It carries no Wi-Fi radio, no Bluetooth module, and no cellular modem. The only data path is optical: a camera reads QR codes shown on a phone or laptop screen, and a built-in display renders QR codes for the host to scan back.

The signing flow breaks down into discrete, verifiable steps:

  1. 1
    Host prepares a transaction. A software wallet (Sparrow, Nunchuk, MetaMask, or similar) constructs an unsigned transaction and encodes it as a QR code using a standard like ERC-4527 for Ethereum/EVM, UR2.0 for bitcoin).
  2. 2
    Device scans the QR. The air-gapped device's camera captures the QR. For large payloads (a complex Bitcoin PSBT, for example), animated multi-part QR sequences split the data across dozens of frames.
  3. 3
    On-device review. The device decodes the transaction and displays human-readable details (recipient address, amount, fee) on its own trusted screen. The user confirms with a physical button press.
  4. 4
    Secure element signs. The transaction hash is passed to a secure element or secure microcontroller, which performs the ECDSA signature internally. The raw private key never exits the chip.
  5. 5
    Signed QR returned. The device displays a new QR code containing only the signature. The host wallet scans it, attaches the signature, and broadcasts the complete transaction.

Because photons carry the data rather than an electrical or radio link, there is no channel for malware to traverse from the host to the signing device.

QR signing is slower than a connected USB device or scanning an NFC tag. Large transactions may require scanning dozens of animated QR frames, and ambient lighting can affect camera reliability. The benefit is concrete: the device has zero remotely exploitable network interfaces, which removes entire categories of attack (man-in-the-middle over USB, Bluetooth relay, firmware injection over a data link).

An air gap protects the communication channel. It does not protect against a compromised supply chain that tampers with the device before it reaches you, nor against a user who blindly confirms a malicious transaction displayed on screen. Address verification, firmware authenticity checks, and seed backup discipline remain the user's responsibility regardless of the air-gap model.

The Keycard system separates key storage from the signing interface. The Keycard itself is a credit-card-sized NFC smartcard built on an NXP JCOP4 P71 secure element (EAL6+ certified at the chip level, the highest widely used Common Criteria assurance class). Private keys are generated and stored inside this chip. They are non-extractable: the card accepts a transaction hash over ISO 7816 APDU commands, signs on-card using secp256k1 ECDSA, and returns only the signature bytes.

The Keycard Shell is the air-gapped companion. It provides a 2.0-inch TFT IPS display, a 12-key keypad, and a global-shutter CMOS camera optimized for reading animated QR sequences. The Shell contains no Wi-Fi, Bluetooth, or cellular hardware, and a software toggle can disable USB data transfer entirely so the device charges without exposing a data channel.

When a Keycard is inserted into the Shell's ISO 7816 contact reader, the Shell reads the card, facilitates transaction review on its trusted screen, and forwards the hash to the Keycard for signing. When the card is removed, the Shell retains no keys and no user data. It is stateless by design.

Key architectural details worth noting:

  • QR standard: ERC-4527 with BC-UR / UR2.0 encoding, supporting animated multi-part QR up to 64 segments.
  • Shell MCU: STM32H573, independently certified at PSA Level 3 and SESIP3 (distinct from the Keycard's EAL6+ chip certification).
  • Battery: Removable Nokia BL-4C (800 mAh), user-replaceable without tools, offering 18+ hours of operation.
  • Firmware: 100% open source under MIT, with reproducible builds. The Shell firmware can be updated (signature-verified by the bootloader with physical approval), but the Keycard applet itself cannot be updated, a deliberate supply-chain defense.

The standalone Keycard used over NFC is not air-gapped (NFC is still a radio interface at 13.56 MHz). It is accurately described as a hardware signer with no network connectivity. The air-gap property belongs to the Shell and its QR path.

AttributeKeycard (Shell)Coldcard Mk4JadeLedger Nano XTrezor Model T
Air-gap methodCamera + QR (ERC-4527)MicroSD sneakernetCamera + QRNone (USB / Bluetooth)None (USB)
Secure elementEAL6+ NXP JCOP4 P71 (card)Dual SE (Microchip)None (virtual SE model)Secure element (ST)None
Source modelFully open source (MIT)Partly openFully open sourcePartly closed firmwareOpen source
Key storage locationRemovable smartcardOn-deviceOn-deviceOn-deviceOn-device
Stateless designYes (card removed, Shell forgets)NoNoNoNo
USB data disableSoftware toggleMicroSD only modeQR-only modeN/AN/A

Keycard's architecture is unique in separating the secure element (the card) from the signing interface (the Shell). Other air-gapped devices store keys and render QR codes in the same enclosure. The removable-card model means a user can carry the Keycard in a physical wallet and leave the Shell at home, or use one card across multiple Shells without re-pairing.

Remote/network attacker. An air-gapped device has no network stack to exploit. No open ports, no Bluetooth pairing vulnerabilities, no USB descriptor attacks. This is the strongest mitigation an air gap provides.

Malware on the host computer. Malware can still craft a deceptive transaction and encode it as a QR. The defense shifts to the device's trusted display. The Shell decodes and shows recipient, amount, network, and fee before signing. ERC-20 transfers display token ticker and amount from an on-device database, and EIP-712 typed data is decoded with type labels. Users must verify details on the device screen, not on the potentially compromised host.

Supply-chain tampering. The Keycard includes a factory-signed ECDSA certificate in its Ident applet for challenge-response authenticity checks. The Shell carries its own per-device key in the STM32, verified at shell.keycard.tech/verify with a verification counter and first-verification date to flag cloning attempts. Firmware is fully open source with reproducible builds, so independent auditors can compile and compare binaries.

Physical theft. A stolen Keycard is protected by a 6-digit PIN with a configurable retry limit (2 to 10 attempts, default 3). After exhaustion, a 12-digit PUK allows recovery (3 to 12 attempts). An optional duress PIN unlocks a cryptographically distinct decoy wallet derived via SHA-256 of the master chain code, with no on-card indication of which PIN was used.

Blind signing. No air gap eliminates this risk. The Shell mitigates it with ABI decoding via an on-device function-selector database, clear-signing for common contract interactions, and calldata-digest display (an early adopter of ERC-8213). Complex or unknown contract calls still require the user to understand what they are approving.

What makes a hardware wallet "air-gapped" versus just "offline"?

An air-gapped device has no physical or wireless data interface to a networked computer. "Offline" often means the device is not connected to the internet at a given moment but still has USB or Bluetooth hardware that could be exploited. A true air gap uses an optical channel (QR codes) or a physical medium (MicroSD) with no bidirectional electronic link.

Is QR code signing slower than USB or NFC?

Yes, noticeably. A simple Ethereum transfer may take only a single QR scan in each direction, completing in a few seconds. A complex Bitcoin PSBT can require scanning dozens of animated QR frames, adding 10 to 30 seconds depending on payload size and lighting conditions. The trade-off is a dramatically smaller attack surface.

Can malware hide a malicious transaction inside a QR code?

Malware on the host can encode any transaction it wants into a QR code. The defense is the air-gapped device's own screen. The Keycard Shell decodes and displays the full transaction details (recipient, amount, fee, token, network) before signing. Users must verify these details on the Shell's display rather than trusting the host computer's screen.

Does the Keycard Shell store private keys?

No. The Shell is stateless. Private keys live exclusively inside the Keycard's NXP JCOP4 P71 secure element. When the card is removed, the Shell retains no key material, no seed, and no user data. The Shell provides only the display, camera, and keypad for the air-gapped signing workflow.

Can I use a Keycard without the Shell?

Yes. The Keycard works as a standalone NFC hardware signer with compatible mobile and desktop wallets (Status, Sparrow, WallETH, and others). Over NFC, it is not air-gapped since NFC is a radio interface, but it still offers on-card signing with no internet, Wi-Fi, or Bluetooth connectivity. The Shell adds the air-gapped QR path.

How does ERC-4527 handle large transactions that do not fit in one QR code?

ERC-4527 uses the BC-UR (Uniform Resources) encoding scheme, which supports animated multi-part QR sequences. The data is split into multiple frames displayed in a loop, and the Shell's global-shutter camera captures them sequentially, reassembling the full payload. The Shell supports up to 64 segments per sequence.

Is the Keycard Shell's firmware open source?

Yes. The Shell firmware, bootloader, hardware schematics, BOM, and 3D enclosure files are all published under the MIT license on GitHub. Reproducible build tooling (CMake plus Python) lets anyone compile the firmware and verify it matches the shipped binary. Firmware updates are signature-verified by the bootloader and require physical approval on the device.

What happens if my Keycard Shell is lost or broken?

Because keys live on the Keycard (not the Shell), losing the Shell does not compromise your keys. You can insert the same Keycard into a new Shell and resume signing immediately. Alternatively, you can fall back to NFC-based signing with a compatible phone wallet. The same Keycard works across multiple Shells without re-pairing, and unlimited Keycards can serve as backups by loading the same seed.

Does an air gap protect against a compromised seed phrase?

No. The air gap protects the signing channel, not the seed. A seed phrase that has been photographed, stored in a cloud note, or entered on a compromised computer is vulnerable regardless of which hardware wallet signs with it. Generating the seed on-card (using the Keycard's AIS-31 PTG.2 compliant hardware TRNG) and backing it up on physical media kept offline addresses this separate risk.