Using SafeSeed Offline: Air-Gapped Security Guide
The strongest security measure you can take when generating seed phrases and private keys is to do it on a computer that has never been and will never be connected to the internet. This is called an "air-gapped" setup — there is literally an air gap between your sensitive cryptographic material and any network. SafeSeed tools are designed to work fully offline, and this guide walks you through setting up and using an air-gapped environment.
All SafeSeed tools at safeseed.app work offline. Download the page while online, then disconnect before generating any keys.
Why Go Offline?
When you generate a seed phrase or private key on an internet-connected computer, several attack vectors exist even when the tool itself is trustworthy:
Threats on Connected Computers
| Threat | Description | Likelihood |
|---|---|---|
| Malware/Keylogger | Software that captures screen content, clipboard, or keystrokes | Medium |
| Browser extensions | Malicious or compromised extensions that read page content | Medium |
| DNS hijacking | Redirecting you to a fake version of the tool | Low |
| Man-in-the-middle | Intercepting and modifying the page content in transit | Low (with HTTPS) |
| Remote access | Screen sharing, remote desktop, or RAT software | Low |
| Supply chain attack | Compromised CDN or dependency serving malicious code | Very low |
| Hardware implant | Physical devices that intercept data before it reaches the network | Very low |
An air-gapped computer eliminates every network-based threat. Even if malware exists on the machine, it has no way to exfiltrate the generated keys without a network connection or physical access.
The Security Spectrum
Not everyone needs the same level of security. Here is a practical framework:
| Security Level | Setup | Suitable For |
|---|---|---|
| Basic | Regular computer, internet connected | Learning, testing, very small amounts |
| Enhanced | Regular computer, disconnect internet before generating | Moderate holdings ($100-$10,000) |
| High | Dedicated offline computer, never connected | Significant holdings ($10,000+) |
| Maximum | Air-gapped live USB, dedicated printer, Faraday bag | Large holdings, institutional use |
This guide covers the "High" and "Maximum" levels.
Option 1: Save the Web Page (Simplest)
The simplest way to use SafeSeed offline is to save the web page while connected, then disconnect and use it.
Steps
- While online, navigate to the SafeSeed tool you want to use.
- Save the complete page:
  - Chrome/Edge: Ctrl+S (Windows/Linux) or Cmd+S (Mac), select "Webpage, Complete"
  - Firefox: Ctrl+S or Cmd+S, select "Web Page, complete"
  - Safari: Cmd+S, select "Web Archive"
- Save to a USB drive (not your hard drive, for maximum security)
- Disconnect from the internet:
  - Disable Wi-Fi (turn off the hardware switch if your laptop has one)
  - Unplug Ethernet cables
  - Disable Bluetooth
  - Enable Airplane Mode if available
- Open the saved file from the USB drive in your browser
- Verify it works: Generate a test seed phrase. If the tool functions, you are ready.
- Generate your real seed phrase or perform your key derivation
- Record the result on paper or metal
- Close the browser and clear all browser data
- For maximum security, shut down the computer and do not reconnect to the internet until you have cleared browser data and temporary files
Limitations of This Approach
- Some saved pages may not include all JavaScript dependencies (rare with SafeSeed, but possible)
- Your regular computer's hard drive may cache the saved page
- If your computer was already compromised before you disconnected, the malware could store the generated keys and exfiltrate them when you reconnect
Option 2: Dedicated Offline Computer (Recommended)
For significant holdings, use a dedicated computer that is never connected to the internet.
What You Need
- A computer: This can be an old laptop or a cheap used device. It does not need to be powerful — generating keys requires minimal computation.
- A USB drive: To transfer the SafeSeed tool files to the offline computer.
- A printer (optional): USB-connected, not networked. For paper wallet creation.
Setup Steps
Step 1: Prepare the Offline Computer
If using an existing computer:
- Perform a fresh operating system installation (remove any existing OS that may contain malware)
- Do not connect to the internet during or after installation
- If the computer has a Wi-Fi card, physically disconnect it (remove the Wi-Fi module if possible, or disable it in BIOS)
- Disable Bluetooth in BIOS
If purchasing a new computer:
- Complete initial setup without connecting to any network
- Skip all "connect to Wi-Fi" prompts during OS setup
Step 2: Transfer SafeSeed Files
On your regular (internet-connected) computer:
- Navigate to each SafeSeed tool and save the complete page
- Copy all saved files to a USB drive
- Optional but recommended: Calculate SHA-256 checksums of the saved files
On the offline computer:
- Insert the USB drive
- Copy the files to the local hard drive
- Optional: Verify checksums if you have a way to do so
- Eject the USB drive
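The optional checksum items in Step 2 can be done with two small shell functions. This is an added example, not part of SafeSeed; it assumes GNU coreutils `sha256sum` on both machines (it ships with Ubuntu and Tails), and the manifest name `SHA256SUMS`, the function names and the USB path are chosen here for illustration.

```shell
#!/bin/sh
# Added example, not SafeSeed project code. Assumes GNU coreutils sha256sum.
# SHA256SUMS is a manifest file name chosen for this example.

# make_manifest DIR  (online machine, after saving the pages to the USB drive)
# Hashes every file under DIR, including the "_files" asset folders.
make_manifest() (
    cd "$1" || exit 2
    find . -type f ! -name SHA256SUMS -exec sha256sum {} + \
        | sort -k 2 > SHA256SUMS
)

# verify_manifest DIR  (offline machine, before opening any saved page)
# Returns 0 only if every listed file matches AND no unlisted file is present.
verify_manifest() (
    cd "$1" || exit 2
    [ -f SHA256SUMS ] || { echo "SHA256SUMS missing in $1" >&2; exit 2; }
    # Changed or missing files: print the failing lines, hide the ": OK" ones.
    report=$(sha256sum -c SHA256SUMS 2>/dev/null) || {
        printf '%s\n' "$report" | grep -v ': OK$' >&2
        exit 1
    }
    # sha256sum -c ignores files that are not listed, so compare the file sets.
    listed=$(sed 's/^[0-9a-f]* [ *]//' SHA256SUMS | sort)
    present=$(find . -type f ! -name SHA256SUMS | sort)
    [ "$listed" = "$present" ] || {
        echo "files present that are not in SHA256SUMS (or the reverse)" >&2
        exit 1
    }
)

# Usage (example path): sh checksums.sh make   /media/usb/safeseed
#                       sh checksums.sh verify /media/usb/safeseed
case "${1:-}" in
    make)   make_manifest "$2" ;;
    verify) verify_manifest "$2" && echo "all files match SHA256SUMS" ;;
esac
```

A manifest carried on the same USB drive only detects accidental corruption. To detect tampering in transit, write down the SHA-256 of `SHA256SUMS` itself on the online machine and compare it by eye on the offline one.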
Step 3: Test the Tools
- Open each saved tool in the offline computer's browser
- Generate a test seed phrase
- Derive test addresses
- Verify all functionality works as expected
- Discard the test data (these are not your real keys)
Step 4: Generate Your Real Keys
- Open the Seed Phrase Generator
- Generate your seed phrase
- Record it on paper or metal (see Seed Phrase Generator Tutorial)
- If needed, open the Address Generator and derive addresses to verify with your wallet later
- Close the browser
- Shut down the computer
Ongoing Use
- Keep this computer powered off and stored securely when not in use
- Only power it on when you need to perform key generation or derivation
- Never connect it to any network, ever
- Periodically update the SafeSeed tool files via USB from a trusted source
Option 3: Live USB / Tails (Maximum Security)
For the highest level of security, boot from a live USB operating system that runs entirely in RAM and leaves no trace on the host computer.
Using Tails OS
Tails is a privacy-focused Linux distribution designed to leave no trace. It boots from a USB drive, runs entirely in RAM, and wipes all memory when shut down.
Setup
- On your regular computer, download Tails from tails.net and verify the download signature
- Flash Tails onto a USB drive using the official Tails installer or Etcher
- On a separate USB drive, save the SafeSeed tool files (as described in Option 1)
Using Tails for Key Generation
- Boot from the Tails USB:
  - Insert the Tails USB and restart the computer
  - Access the boot menu (usually F12, F2, or Del during startup)
  - Select the USB drive
  - At the Tails welcome screen, do not configure any network settings
- Disable all networking (Tails makes this easy: simply do not connect to any network)
- Insert the second USB drive with SafeSeed tool files
- Open the SafeSeed tools in the Tor Browser (which comes with Tails)
  - Despite using Tor Browser, you will be working entirely offline
  - Open the saved HTML files from the USB drive
- Generate your seed phrase and/or derive addresses
- Record the results on physical media
- Shut down Tails:
  - Remove the USB drive
  - Tails automatically wipes all RAM on shutdown
  - No trace remains on the host computer
Advantages of Tails
- Runs entirely in RAM — no data written to disk
- Designed to leave no forensic traces
- Even if the host computer has malware on its hard drive, Tails boots its own clean operating system
- Automatic memory wipe on shutdown
- Well-audited, open-source
Considerations
- Tails requires some technical comfort with Linux
- Not all hardware is compatible (especially very new laptops)
- The Tor Browser in Tails has strict security settings that should not affect local file operations but may require adjusting preferences
Using Ubuntu Live USB
If Tails feels too complex, a standard Ubuntu live USB is a simpler alternative:
- Download Ubuntu Desktop ISO from ubuntu.com
- Flash it onto a USB drive using Etcher or Rufus
- Boot from the USB and select "Try Ubuntu" (do not install)
- Do not configure any networking
- Open the SafeSeed tool files in Firefox
- Generate keys, record them, and shut down
Ubuntu live does not have Tails' memory-wiping feature, so power off the computer and leave it off for a few minutes to allow RAM to decay naturally (or remove and reinsert the battery on laptops that allow it).
Printer Security for Offline Use
If you are creating paper wallets on your air-gapped computer, the printer is part of the security perimeter.
Recommended Printer Setup
- Use a USB-connected printer only (no Wi-Fi, no Bluetooth, no network capability)
- Ideally, use a dumb printer: Basic inkjet or laser printers without smart features, cloud connectivity, or internal storage
- Avoid printers with persistent storage: Some modern printers store print jobs on internal flash memory. Look for printers that process jobs from RAM only.
- Keep the printer dedicated: Use it only for cryptographic material printing, nothing else
- After printing: Power cycle the printer (turn it off and on) to clear any volatile memory
Budget-Friendly Printer Options
For occasional paper wallet printing, a basic USB inkjet printer costs $30-50 and has no persistent storage. Avoid printers from manufacturers that require cloud accounts (HP+, Epson EcoTank with cloud features, etc.).
Verification Checklist
Before generating any keys intended for real use, verify your air-gapped setup:
Network Isolation
- Wi-Fi is disabled (hardware level, not just software)
- Ethernet cable is physically unplugged
- Bluetooth is disabled
- Airplane mode is on (if available)
- No cellular modem (remove SIM card if applicable)
- Verify: open a browser and confirm you cannot reach any website
Environment
- No security cameras pointed at your screen
- No other people can see your screen
- No screen recording or sharing software is running
- No voice assistants or smart speakers in the room (they could potentially hear you read words aloud)
- Windows are covered if visible from outside
Software
- Browser extensions are disabled (or using a fresh browser profile)
- No unnecessary applications are running
- The operating system is freshly installed or is a live USB environment
- The saved SafeSeed tool files open and function correctly
After Key Generation
- Seed phrase/private key is recorded on physical media
- Physical media is immediately secured (not left out in the open)
- Browser tab is closed
- Browser history and cache are cleared
- Computer is shut down (or live USB is removed and computer powered off)
- If using Tails, RAM wipe has completed
- USB drive with SafeSeed files is stored securely (not discarded in the trash where it could be recovered)
Transferring Addresses (Not Keys) Back Online
After generating keys offline, you may need to transfer public addresses back to your internet-connected devices (for example, to set up a watch-only wallet or to receive funds).
Safe Methods
- Type the address manually: Look at the physical record and type the address into your online wallet or blockchain explorer. This is the most secure method.
- QR code scanning: If you created a paper wallet, scan the public address QR code with your phone. Only scan the PUBLIC address QR code, never the private key QR code.
- Extended public key via USB: If you need to transfer an xpub/ypub/zpub for a watch-only wallet, save it to a USB drive on the air-gapped machine and transfer it. The extended public key cannot be used to spend funds.
Methods to Avoid
- Do not transfer private keys or seed phrases via USB, network, or any digital medium to an internet-connected device
- Do not photograph the seed phrase with a smartphone
- Do not scan the private key QR code with an internet-connected device
- Do not type the seed phrase into any internet-connected device
Advanced: Verifying SafeSeed Source Code
For the most security-conscious users, you can verify the SafeSeed tool source code before using it offline.
Verification Steps
- Download the source code from the public repository (while online)
- Review the JavaScript code for any network calls (`fetch`, `XMLHttpRequest`, `WebSocket`, `navigator.sendBeacon`)
- Verify the cryptographic library is a known, audited implementation (e.g., `bitcoinjs-lib`, `ethers.js`, or direct Web Crypto API usage)
- Check for data exfiltration: Search for any code that writes to `localStorage`, `sessionStorage`, `document.cookie`, or `IndexedDB`
- Run the code locally after review, without any modifications
What to Look For
```javascript
// Red flags in source code:
fetch(...)            // Any network request
XMLHttpRequest        // Any network request
WebSocket             // Any persistent connection
navigator.sendBeacon  // Analytics/tracking beacon
localStorage.setItem  // Persistent storage
document.cookie       // Cookie manipulation
new Image().src       // Potential data exfiltration via image pixel
```
SafeSeed tools should contain none of these in the key generation and derivation code paths.
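To make the review repeatable, the red flags above can be searched for in one pass over the downloaded source or a saved page. This is an added example, not SafeSeed project code; the function name `scan_red_flags` is chosen here, and the patterns are only the ones listed in this section.

```shell
#!/bin/sh
# Added example, not SafeSeed project code. Patterns are the red flags listed above.
RED_FLAGS='fetch[[:space:]]*\(|XMLHttpRequest|WebSocket|sendBeacon'
RED_FLAGS="$RED_FLAGS"'|localStorage|sessionStorage|document\.cookie|[iI]ndexedDB'
RED_FLAGS="$RED_FLAGS"'|new[[:space:]]+Image'

# scan_red_flags DIR
# Prints file:line:match for every hit in scripts and in HTML (inline <script>).
# -o prints only the matched token, so minified one-line bundles stay readable.
# Returns 0 when nothing matched, 1 when there is something to review.
scan_red_flags() {
    hits=$(find "$1" -type f \
        \( -name '*.js' -o -name '*.mjs' -o -name '*.html' -o -name '*.htm' \) \
        -exec grep -noHE "$RED_FLAGS" {} + 2>/dev/null || true)
    if [ -z "$hits" ]; then
        return 0
    fi
    printf '%s\n' "$hits"
    return 1
}

# Usage: sh scan.sh path/to/saved-or-cloned-source
if [ "$#" -ge 1 ]; then
    scan_red_flags "$1"
fi
```

Every hit still needs to be read in context, and a clean result is not proof of absence, because a text search only sees names that appear literally in the source.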
Frequently Encountered Issues
Problem: Saved Page Doesn't Work Offline
Cause: The browser's "Save As" feature may not capture all JavaScript files or Web Worker scripts.
Solution:
- Try a different browser for saving (Chrome tends to work best with "Webpage, Complete")
- Use a browser extension like "SingleFile" that saves the entire page as one self-contained HTML file
- Use `wget --mirror --convert-links --page-requisites` on the command line to capture all assets
Problem: QR Codes Don't Generate Offline
Cause: The QR code library may not have been included in the saved page.
Solution:
- Ensure you selected "Webpage, Complete" (not "Webpage, HTML only") when saving
- As a workaround, manually type the address/key instead of scanning QR codes
Problem: Live USB Won't Boot
Cause: Secure Boot, UEFI settings, or incompatible hardware.
Solution:
- Disable Secure Boot in BIOS (usually under Security settings)
- Try both UEFI and Legacy boot modes
- Use a different USB port (USB 2.0 ports are more compatible than USB 3.0)
- Try a different brand of USB drive
Problem: Printer Won't Work from Live USB
Cause: The live USB environment may lack printer drivers.
Solution:
- Most basic USB printers work with generic drivers in Linux
- If the printer is not recognized, try a different (simpler) printer model
- As an alternative, record the data by hand and create paper wallets on the air-gapped dedicated computer instead
FAQ
How often should I update the SafeSeed files on my air-gapped machine?
Update whenever a new version of SafeSeed is released that fixes bugs or adds features you need. Since the tool is standards-based (BIP-39, BIP-32, BIP-44), the core functionality rarely changes. Transfer updated files via a freshly formatted USB drive.
Can I use a smartphone as an air-gapped device?
Smartphones are not ideal for air-gapped key generation because: (1) they have multiple radios (cellular, Wi-Fi, Bluetooth, NFC) that are hard to fully disable at the hardware level, (2) they have many background processes that may store or transmit data, (3) they are harder to verify as clean. If you must use a phone, enable airplane mode, disable all radios individually, and use a factory-reset device.
Is it safe to use a virtual machine instead of a dedicated computer?
A virtual machine (VM) on an internet-connected host does not provide true air-gapping. The host operating system can access the VM's memory, and if the host is compromised, the VM provides no protection. VMs are useful for isolation but not as a substitute for physical air-gapping.
What if I need to look up a BIP-39 word while offline?
If you need to verify that a word is on the BIP-39 wordlist, you can save a copy of the wordlist beforehand. The complete list of 2,048 English BIP-39 words is publicly available. Save it as a text file on your air-gapped USB drive alongside the SafeSeed tools.
How do I securely destroy an air-gapped computer when I am done with it?
If you are decommissioning a dedicated air-gapped computer: (1) Wipe the hard drive using a secure erase utility (DBAN or similar), (2) Remove the hard drive and physically destroy it if the stored key value warrants it, (3) The computer itself (without the drive) can be repurposed or recycled safely.
Can malware on a USB drive compromise my air-gapped computer?
Theoretically, yes. USB-based attacks (like BadUSB) exist but are extremely rare in practice and require targeted, sophisticated attacks. To mitigate: (1) Use a brand-new USB drive, (2) Only transfer known files (the saved SafeSeed HTML/JS), (3) Format the USB drive before transferring files, (4) Consider using a USB data blocker or a write-protected SD card.
Is it necessary to use Tails, or is a regular offline computer sufficient?
A regular offline computer that has never been connected to the internet is sufficient for most users. Tails adds the benefit of automatic memory wiping and running entirely in RAM, which prevents any trace from persisting on the hardware. For institutional or high-value use cases, Tails provides a measurable security improvement over a standard offline computer.
What about electromagnetic emanations (TEMPEST attacks)?
TEMPEST attacks involve intercepting electromagnetic signals emitted by computers to reconstruct displayed data. These attacks require specialized equipment, physical proximity, and significant expertise. They are relevant only for nation-state level threats. For virtually all cryptocurrency users, TEMPEST protection is unnecessary. If it concerns you, use a Faraday bag or cage around your air-gapped setup.
Related Guides
- SafeSeed Tools Overview — Overview of all tools and their offline capability
- Seed Phrase Generator Tutorial — Generate seed phrases (works offline)
- Paper Wallet Creator Tutorial — Create paper wallets (works offline)
- Address Generator Tutorial — Derive addresses (works offline)
- Key Derivation Tool Tutorial — Explore key paths (works offline)
- Seed Phrase Security Guide — Comprehensive seed phrase protection strategies