Monero Çevrimdışı İşlem İmzalama: Hava Boşluklu Soğuk Harcama Rehberi

What Is Offline Transaction Signing?

Offline transaction signing is a security technique that keeps your private spending keys on a device that never connects to the internet while still allowing you to send transactions. The concept is straightforward: you create the transaction on an internet-connected watch-only wallet, transfer the unsigned transaction data to an air-gapped device that holds the private keys, sign it there, and then transfer the signed transaction back to the online device for broadcasting to the Monero network.

This approach provides the highest level of security for Monero holdings because the private spend key never exists on any device that has network access. Even if the online computer is completely compromised by malware, keyloggers, or remote access trojans, the attacker cannot steal your funds because the spend key is physically isolated on a separate device.

When Do You Need This Level of Security?

Offline transaction signing introduces significant complexity to the spending process. It is not necessary for everyday small transactions but becomes increasingly justified as the value of your Monero holdings grows. Consider implementing this approach if:

• You hold substantial XMR savings that would represent a significant financial loss if stolen.
• You operate in a high-threat environment where targeted attacks against your devices are plausible.
• You manage funds for others and have a fiduciary responsibility to maintain the highest security standards.
• You want cold storage that remains spendable without importing the seed phrase into a hot wallet each time.

Setup Requirements

The Two-Device Architecture

You need two separate devices. The first is your online device, which runs a watch-only wallet connected to the Monero network. This device can see your balance and incoming transactions but cannot spend funds because it does not have the private spend key. The second is your air-gapped device, which holds the full wallet with both view and spend keys but has no network connectivity whatsoever.

The air-gapped device should ideally be a dedicated computer or laptop with its wireless card physically removed or disabled at the firmware level. Simply turning off WiFi in software is not sufficient because malware can re-enable it. For the highest security, use a device that has never been connected to the internet or has been freshly installed from verified media.

Data Transfer Medium

Since the air-gapped device has no network connection, you need a physical medium to transfer data between the two devices. The two most common options are:

• USB flash drive: Simple and universally supported. Use a dedicated drive that is only used for this purpose. Format it before each use to minimize the risk of malware transfer. Some security-conscious users prefer write-once media or hardware write-blocked drives.
• QR codes: The most secure transfer method because it is completely unidirectional and cannot carry executable code. The online device displays the unsigned transaction as a QR code, and the air-gapped device scans it with a camera. The signed transaction is then displayed as a QR code on the air-gapped device and scanned back. This method requires camera and QR code software on the air-gapped device.

Step-by-Step Offline Signing Process

Step 1: Create the Watch-Only Wallet

On the air-gapped device where your full wallet exists, you need to export the information necessary to create a watch-only counterpart. The watch-only wallet requires your public address and the private view key. In the Monero CLI wallet, use the viewkey command to display the private view key, then record it securely.

On the online device, create a new wallet using the watch-only restore option. Provide the public address and the private view key. This wallet will synchronize with the blockchain and show your balance and transaction history, but the spend key field will be zeroed out, making it impossible to sign transactions.

Step 2: Export Outputs From the Watch-Only Wallet

Before the air-gapped wallet can create a valid transaction, it needs to know about the outputs (incoming funds) that the watch-only wallet has detected on the blockchain. On the online watch-only wallet, run the export_outputs command, which creates a file containing all detected outputs. Transfer this file to the air-gapped device via your chosen medium.

This outputs file contains only public blockchain data combined with your view key's interpretation of it. It does not contain any spending capability, so even if the USB drive is intercepted, no funds are at risk.

Step 3: Import Outputs on the Air-Gapped Wallet

On the air-gapped device, open the full wallet and run the import_outputs command with the file from the previous step. This updates the cold wallet's understanding of which outputs are available for spending. The wallet will process the imported data and update its internal state to reflect the current available balance.

Step 4: Create the Unsigned Transaction

With the outputs imported, you can now create a transaction on the air-gapped wallet. However, there is an additional step first. The air-gapped wallet needs to export its key images so the watch-only wallet knows which outputs have already been spent. Run export_key_images on the air-gapped wallet and transfer the resulting file to the online device, where you run import_key_images.

Now, on the watch-only wallet, create the transaction using the standard transfer command. Because the wallet is watch-only, instead of signing and broadcasting the transaction, it will save an unsigned transaction file. Transfer this file to the air-gapped device.

Step 5: Sign the Transaction on the Air-Gapped Device

On the air-gapped wallet, run the sign_transfer command with the unsigned transaction file. The wallet will use the private spend key to cryptographically sign the transaction, creating a signed transaction file. Review the transaction details displayed by the wallet, including the destination address, amount, and fee, to confirm everything is correct before proceeding.

This is the critical security moment. The spend key is used here on a device with no network access, ensuring it cannot be exfiltrated by any remote attacker.

Step 6: Submit the Signed Transaction

Transfer the signed transaction file back to the online device. On the watch-only wallet, run the submit_transfer command with the signed transaction file. The wallet will broadcast the fully signed transaction to the Monero network through its connected daemon. The transaction is now in the mempool and will be confirmed in the next block.

Using QR Codes for Air-Gapped Transfer

QR code transfer eliminates the USB drive from the process entirely, removing a potential attack vector. The Monero community has developed tools that encode transaction data into sequences of QR codes that can be displayed on one device's screen and scanned by the other device's camera.

Because Monero transactions can be larger than what fits in a single QR code, the data is typically split across multiple animated QR codes displayed in sequence. The scanning device captures the full sequence and reassembles the data. This process is slower than USB transfer but provides a stronger security guarantee because there is no physical medium that could carry malware between devices.

Feather Wallet, a popular Monero desktop wallet, has integrated QR code-based offline transaction signing into its interface, making the process more accessible to non-technical users.

The Security Model in Detail

Understanding exactly what is protected and what is not helps you assess whether offline signing meets your threat model:

• Protected: The private spend key never touches a networked device, so remote theft of funds is impossible even if the online device is fully compromised.
• Protected: Malware on the online device cannot sign unauthorized transactions because it does not have access to the spend key.
• Not protected: A compromised online device could display a modified destination address, tricking you into signing a transaction to the attacker's address. Always verify the destination address on the air-gapped device's screen during signing.
• Not protected: Physical theft of the air-gapped device gives the attacker access to the spend key. Encrypt the air-gapped wallet with a strong password and secure the device physically.
• Not protected: A compromised USB drive could potentially deliver malware to the air-gapped device if its operating system processes the drive contents in an unsafe way. This is why QR code transfer is preferred by security purists.

Practical Tips for Smooth Operation

• Label your files clearly to avoid confusion about which file needs to go where. The process involves multiple file transfers in both directions.
• Keep the air-gapped wallet synchronized by regularly importing outputs even when you do not plan to spend. This makes the spending process faster when you do need it.
• Test the entire process with a small amount before committing significant funds to this workflow. Verify that you can complete a full spend cycle successfully.
• Document your process in detail so you can follow it reliably even after months of not using it. Include file names, commands, and the sequence of operations.
• Keep the Monero software versions synchronized on both devices to avoid compatibility issues with transaction formats.

Conclusion

Offline transaction signing represents the pinnacle of Monero operational security. By keeping your spend key permanently air-gapped, you create a system where no remote attacker can steal your funds regardless of how thoroughly they compromise your internet-connected devices. The trade-off is a multi-step process for each transaction that requires patience and careful attention to detail. For securing significant Monero holdings, this trade-off is well worth making.

When you need to convert other cryptocurrencies to Monero for your cold storage, MoneroSwapper provides private, no-KYC instant swaps that keep your acquisition history confidential.