How to Set Up an Air-Gapped Monero Cold Wallet

MoneroSwapper · 10 min read

When Binance pulled Monero from its order books in February 2024 and Kraken followed for EU and UK customers later that year under MiCA, thousands of holders learned an uncomfortable lesson: leaving XMR on an exchange means trusting someone who can delist, freeze, or seize it overnight. The natural response was a rush toward self-custody, and the most paranoid corner of that migration landed on a single idea — keep the keys on a device that has never touched a network. An air-gapped cold wallet is exactly that: a machine that signs Monero transactions in total isolation, so even a fully compromised internet connection can never reach your spend key.

This guide walks through building one from scratch, using the hot/cold split that Monero has supported natively since 2017. You will end with two wallets — an online "watch-only" view that tracks your balance, and an offline vault that holds the secrets. If you are funding that vault privately in the first place, swapping into XMR through a no-log service like MoneroSwapper avoids the exchange paper trail that air-gapping is meant to protect. Let's build it properly.

Why an Air Gap Matters for Monero Specifically

Monero already hides your transaction graph at the protocol level. RingCT conceals amounts, stealth address technology hides the recipient, and ring signatures (soon to be replaced by FCMP++) obscure the true spend among decoys. But none of that protects the private keys sitting on a daily-driver laptop that also runs a browser, a torrent client, and last week's questionable PDF.

The threat is the endpoint, not the chain. Clipboard hijackers, infostealer malware like Lumma and RedLine, and malicious wallet clones harvested hundreds of millions in crypto across 2024–2025. An air gap removes the remote attack surface because the signing device has no network path to an attacker; the only channel left is the transfer medium you carry across the gap.

  • Key isolation: Your spend key and mnemonic seed never exist on an internet-connected machine, so they cannot be exfiltrated by remote malware.
  • Tamper-evident signing: You inspect every outgoing transaction's destination and amount on the offline device before it is signed, defeating clipboard-swap attacks.
  • Regulatory resilience: With delistings accelerating under MiCA and FATF travel-rule pressure, self-custody is the only durable way to hold XMR — and cold storage is its strongest form.
  • Fungibility preserved: Coins you control directly keep Monero's fungibility intact, with no exchange-applied "tainted" labels following them around.

What You Need Before You Start

An air-gapped setup needs two devices and a one-way method of shuttling files between them. The online machine talks to the Monero network; the offline machine never does. Get this division right and the rest is mechanical.

Choosing the Offline Device

The cheapest reliable option is an old laptop with its Wi-Fi card physically removed or disabled and its Ethernet port left unplugged. A Raspberry Pi with no networking peripherals works too, as does a dedicated machine booting Tails from USB. Tails is amnesic by default — it forgets everything at shutdown — so you pair it with persistent encrypted storage only for the wallet files, or you restore from your seed each session.

Whatever you pick, the rule is absolute: that device connects to no network, ever, for the rest of its life. The moment it does, the air gap is broken and you should treat the keys as potentially exposed.
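A pre-flight check for the rule above, added here as an example (it is not part of the original guide or of the Monero project): it refuses to open the wallet unless every non-loopback interface reports "down". It assumes a Linux offline machine; the function names and the wallet path argument are hypothetical, and --offline is the wallet's own flag that stops it from contacting a daemon.

```bash
#!/usr/bin/env bash
# Added example: air-gap pre-flight for the offline signing machine.
# Assumes the Linux sysfs layout (/sys/class/net/<iface>/operstate).

# Print "<iface> <state>" for every non-loopback interface.
# Return 1 if any of them is in a state other than "down".
# The directory argument exists so the check can be pointed at a test tree.
airgap_check() {
    local net_dir="${1:-/sys/class/net}" iface name state rc=0
    for iface in "$net_dir"/*; do
        [ -e "$iface" ] || continue              # empty directory: glob did not match
        name="${iface##*/}"
        [ "$name" = "lo" ] && continue           # loopback never leaves the machine
        state="$(cat "$iface/operstate" 2>/dev/null || echo unreadable)"
        echo "$name $state"
        [ "$state" = "down" ] || rc=1            # up, unknown, dormant, unreadable all fail
    done
    return "$rc"
}

# Open the cold wallet only when the check passes.
# $1 = wallet file (hypothetical path), $2 = optional sysfs directory.
open_cold_wallet() {
    local wallet="$1" net_dir="${2:-/sys/class/net}"
    if ! airgap_check "$net_dir"; then
        echo "refusing to open $wallet: a network interface is not down" >&2
        return 1
    fi
    monero-wallet-cli --offline --wallet-file "$wallet"
}
```

On a machine with the Wi-Fi card removed and no cable attached, airgap_check prints nothing or only "down" lines; any other output means the keys should be treated as described above.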

Software Options

Three Monero clients handle cold signing well. The official Monero GUI and CLI ship with the full cold-wallet workflow. Feather Wallet, a lightweight community client, adds a polished offline-signing flow and is excellent for users who do not want to run a full node. All three are open source and reproducible.

| Approach | Pros | Cons |
| --- | --- | --- |
| DIY air-gapped laptop (GUI/CLI) | Full control, no hardware cost, open source, supports full node | Manual file shuttling, steeper learning curve |
| Feather Wallet offline mode | Lightweight, no full node needed, friendly cold-signing UI | Relies on remote nodes for the online half (use your own or Tor) |
| Hardware wallet (Ledger) | Compact, secure element, simple recovery | Closed firmware, vendor dependency, limited XMR feature support |
| Hot wallet on daily device | Instant, convenient for small spends | Keys exposed to any malware on the machine — not cold storage |

For the rest of this guide I'll assume the DIY air-gapped approach with the official client, because it teaches the underlying model that every other method abstracts away. Once you understand the hot/cold split, the hardware-wallet flow is the same idea with the secrets sealed in a chip.

How the Hot/Cold Split Actually Works

Monero's cold-signing design separates the ability to see funds from the ability to spend them. This maps directly onto the two keys every Monero wallet derives from its mnemonic seed: the view key, which lets software detect incoming outputs belonging to you, and the spend key, which is required to authorize spending them.

The online machine holds a watch-only wallet built from your address and private view key alone. It scans the blockchain, recognizes your stealth address outputs, and shows your balance — but it physically cannot move a coin. The offline machine holds the complete wallet, including the spend key, and is the only thing that can produce a valid signature.

If your watch-only wallet is ever compromised, an attacker learns your balance and incoming transactions — but they can never spend a single piconero, because the spend key never left the air-gapped device.

Spending therefore becomes a relay between the two. The online wallet drafts an unsigned transaction, the offline wallet inspects and signs it, and the online wallet broadcasts the signed result to the mempool. Key images — the cryptographic markers that prevent double-spends — are computed offline and synced back so the watch-only wallet knows which outputs are already spent. Nothing secret crosses the gap; only transaction artifacts do.
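To enforce "nothing secret crosses the gap" during routine spending, the transfer stick can be audited before it is unplugged. The script below is an added example, not part of the original guide or the Monero tooling; the export file names "outputs" and "key_images" and the function names are assumptions, while unsigned_monero_tx and signed_monero_tx are the names the wallet writes.

```bash
#!/usr/bin/env bash
# Added example: allowlist audit of the transfer stick, per direction.
#   to-online  = leaving the offline signer (signed tx, key image export)
#   to-offline = leaving the watch-only machine (unsigned tx, outputs export)

# Return 0 when file name $2 is expected for direction $1.
is_allowed() {
    case "$1:$2" in
        to-online:signed_monero_tx|to-online:key_images)   return 0 ;;
        to-offline:unsigned_monero_tx|to-offline:outputs)  return 0 ;;
    esac
    return 1
}

# audit_shuttle <direction> <mounted stick directory>
# Prints one line per offending entry; returns 0 only when the stick is clean.
audit_shuttle() {
    local direction="$1" dir="$2" f name rc=0
    case "$direction" in
        to-online|to-offline) ;;
        *) echo "usage: audit_shuttle to-online|to-offline <dir>" >&2; return 2 ;;
    esac
    for f in "$dir"/* "$dir"/.[!.]* "$dir"/..?*; do
        [ -e "$f" ] || [ -L "$f" ] || continue   # skip globs that matched nothing
        name="${f##*/}"
        # Only regular, non-symlink files on the allowlist pass silently.
        if [ -f "$f" ] && [ ! -L "$f" ] && is_allowed "$direction" "$name"; then
            continue
        fi
        case "$name" in
            *.keys) echo "SECRET $name" ;;       # wallet key file: holds the spend key
            *)      echo "UNEXPECTED $name" ;;   # directories, symlinks, stray files
        esac
        rc=1
    done
    return "$rc"
}
```

The one-time setup transfers (the verified binary going in, the address and view key coming out) fall outside this allowlist by design and are flagged for a manual decision.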

Step-by-Step: Building Your Air-Gapped Cold Wallet

Set aside an hour for your first run. Work slowly — every mistake here is recoverable except a leaked seed or a broken air gap. Have a clean USB stick (or a QR-capable webcam on each device) ready for transfers.

  1. Verify your binaries. On the online machine, download the Monero client from getmonero.org, then check the SHA-256 hashes and verify the GPG signature against the maintainer's key. Reproducible builds mean the binary should match what the community has independently compiled. Never skip this — a backdoored wallet defeats every other step.
  2. Create the wallet offline. Move the verified binary to the air-gapped device by USB. Generate a brand-new wallet there with monero-wallet-cli. Write the 25-word mnemonic seed on paper — never a photo, never a text file. This offline wallet holds both the spend key and view key.
  3. Export the view-only credentials. On the offline wallet, note the primary address and run the command to reveal the private view key. These two values are all the online side ever needs.
  4. Build the watch-only wallet online. On the internet-connected machine, choose "Create wallet from keys" (view-only) and enter the address, private view key, and a restore height matching when the wallet was created. Let it sync against your own node or a trusted remote node over Tor.
  5. Fund it and confirm. Send XMR to your new address. The watch-only wallet will detect the incoming output once it confirms. If you are acquiring the Monero privately, route the purchase through a no-KYC swap so the funding transaction carries no identity link.
  6. Sync outputs and key images. To spend, export outputs from the watch-only wallet, carry the file to the offline device, import them, then export key images back to the online side and import those. The watch-only wallet then knows which outputs are already spent, so the balance it shows is accurate.
  7. Draft, sign, and broadcast. On the online wallet, create an unsigned transaction to your destination. Move the unsigned_monero_tx file to the offline device, review the recipient and amount on-screen, and sign it. Carry the resulting signed_monero_tx back and submit it to the network.

For small, frequent spends you can replace the USB shuttle with animated QR codes — Feather and the GUI can both encode the unsigned and signed transactions as QR sequences scanned by each device's camera, keeping the offline machine completely portless.
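Step 1 is the one check that everything else depends on, so here it is as a script. This is an added example, not code from the original guide or the Monero project; it assumes the signed hash list from getmonero.org is saved as hashes.txt, that gpg and sha256sum are installed, and that the maintainer's key is already imported with its fingerprint checked. The function names are hypothetical.

```bash
#!/usr/bin/env bash
# Added example: check a downloaded release against the signed hash list.

# Print only the text covered by a good signature. gpg exits non-zero when the
# signature is bad or the signing key is missing from the keyring. A good
# signature from ANY imported key passes, so import only the maintainer's key.
signed_text() {
    gpg --decrypt "$1"
}

# listed_hash <verified list> <file name>
# Lines look like "<64 hex chars>  <file name>"; everything else is ignored.
listed_hash() {
    awk -v want="$2" '
        $2 == want && length($1) == 64 && $1 ~ /^[0-9A-Fa-f]+$/ {
            print tolower($1); found = 1; exit
        }
        END { exit !found }' "$1"
}

# verify_download <verified list> <downloaded file>
# Returns 0 on match, 1 on mismatch, 2 when the file name is not in the list.
verify_download() {
    local list="$1" file="$2" name want got
    name="${file##*/}"
    want="$(listed_hash "$list" "$name")" || { echo "NOT LISTED $name"; return 2; }
    got="$(sha256sum "$file" | awk '{ print $1 }')"
    if [ "$got" = "$want" ]; then
        echo "OK $name"
    else
        echo "MISMATCH $name"
        return 1
    fi
}

# Typical use (the archive name is a placeholder):
#   signed_text hashes.txt > hashes.verified &&
#       verify_download hashes.verified <downloaded archive>
```

Reading hashes from the output of signed_text, rather than from hashes.txt directly, ensures that only lines inside the signed region are trusted.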

A Practical Example: Long-Term Holding Done Right

Consider a US-based holder accumulating XMR as a privacy reserve. They buy in small batches over several months, each time swapping BTC or USDT to Monero and sending it straight to their air-gapped cold wallet's address. The online watch-only wallet tracks the growing balance; the seed sits in a fireproof safe, with a steel backup in a second location.

Tax compliance and privacy are not opposites here. The IRS treats crypto as property, and self-custody does not exempt anyone from reporting disposals — but holding in cold storage simply means there is no third-party custodian and no exchange that can be subpoenaed for the wallet's full history. When the holder eventually spends, they sign offline, broadcast through a Tor-routed node, and the Dandelion++ propagation layer obscures which node first relayed the transaction.

If that holder had instead left the stack on a centralized exchange, a single MiCA-driven delisting could have forced a fire-sale or a frozen withdrawal. The air gap turned a custodial liability into a private, sovereign reserve — which is the entire point.

FAQ

Is an air-gapped wallet overkill for small amounts of Monero?

For pocket-money sums you spend weekly, a hot mobile wallet is fine and far more convenient. The air-gapped approach earns its complexity once you are storing an amount you would genuinely hate to lose to malware. Many people run both: a hot wallet for spending and an air-gapped vault for savings.

What happens if my offline device dies?

Nothing is lost, because the wallet lives in the 25-word mnemonic seed, not the hardware. Restore it onto any new offline machine and you regain full control of the spend key. This is precisely why the seed backup matters more than the device itself — guard the words, replace the hardware freely.

Can I use a hardware wallet instead of building this?

Yes. A Ledger holds your spend key in a secure element and signs transactions while the keys never leave the chip, which achieves a similar isolation goal with less manual work. The trade-offs are closed firmware, vendor dependency, and historically slower support for Monero-specific features, so power users often prefer the DIY air gap for full transparency.

Do I need to run my own node for the online wallet?

Not strictly, but it is the most private option. Connecting your watch-only wallet to a public remote node leaks your view key activity and IP to that node operator unless you route over Tor or I2P. Running your own node — or at minimum using a trusted node behind Tor — keeps that metadata in your hands.

Will FCMP++ change how cold wallets work?

The upgrade replaces ring signatures with Full-Chain Membership Proofs++ for a vastly larger anonymity set, alongside the Seraphis and Jamtis address overhaul on the roadmap. The hot/cold signing model itself stays the same — you will still draft online and sign offline — so an air-gapped setup built today carries forward cleanly.

Conclusion

An air-gapped Monero cold wallet is the difference between owning your privacy and renting it from whoever holds your keys. The setup costs an afternoon and an old laptop, and in exchange you get a vault that remote attackers simply cannot reach — your spend key isolated, every transaction inspected before signing, and your XMR insulated from the next wave of delistings. Pair it with verified binaries, a steel seed backup, and a Tor-routed node, and you have storage that rivals anything a custodian offers, without the custodian.

The last piece is funding it without re-introducing the surveillance you just engineered out. Acquire your Monero through a no-log, no-KYC swap so the coins land in cold storage with a clean history — you can buy Monero anonymously with MoneroSwapper and send it straight to your air-gapped address. Build the wallet first, fund it privately second, and your keys stay yours.
