Offline transaction signing with verifiable flow control
An air-gapped wallet designed as a full security system, not just a signing gadget.
The system combines offline hardware, firmware verification, QR-based transfer flow, and companion software that keeps private key handling isolated while preserving usable transaction review.
What this system solves
A secure offline transaction-signing system using QR-based transfer, protected key handling, and device-side verification.
Security hardware often protects private keys but still leaves users exposed to poor transaction review, fragile transfer steps, or confusing companion flows. Secure signing needs a broader system design that covers the entire path from transaction creation to device-side approval.
Complete system overview
Hardware, firmware, software, and workflow working as one delivery surface.
Creative Factory positions the wallet as a complete signing system. The air-gapped device isolates keys and approval logic. Firmware handles transaction parsing, human-readable verification, and signature generation. The companion layer prepares unsigned payloads, encodes QR transfers, and receives signed payloads without ever touching secret material.
Offline approval with QR-based transfer boundaries
Unsigned transactions cross the air gap through structured visual transfer. The device verifies critical details locally before signing and exporting only the approved result.
Step 1
Prepare unsigned transaction
The companion app assembles the unsigned payload and converts it into QR-transferable chunks.
Step 2
Verify on the air-gapped device
Firmware parses the payload and presents destination, amount, and critical security checks locally.
Step 3
Sign without exposing keys
Keys remain isolated on-device while the approved transaction is signed internally.
Step 4
Export signed transaction
The signed payload returns to the online environment through QR transfer for broadcast.
System summary
Unsigned transactions cross the air gap through structured visual transfer. The device verifies critical details locally before signing and exporting only the approved result.
Hardware and software layers
Each system is presented as an integrated stack, not a standalone device shell.
Hardware components
Air-gapped signing device
Dedicated secure hardware with screen, camera, and local input controls.
Protected key storage
Secret material remains inside device-side storage boundaries for the full signing lifecycle.
QR transfer interface
Visual data transfer maintains the isolation boundary between online and offline environments.
Software and firmware components
Transaction parser and verifier
Firmware decodes incoming payloads and surfaces critical details for confirmation.
Companion transaction builder
Online software prepares unsigned payloads and reconstructs signed results for broadcast.
Security policy layer
Rules can enforce address review, signing limits, or workflow checkpoints before approval.
Key system features
Capabilities designed across device behavior, data handling, and operator experience.
QR-only transfer boundary
Transactions cross the air gap visually rather than through direct cable or radio sessions.
Device-side human verification
Critical transaction details are reviewed on the secure device before signing.
Protected key handling
Secret material never leaves the isolated hardware environment.
User journey and operational flow
The sequence that turns the device into a complete working system.
Flow 1
Initiate transfer from companion software
Users create the intended transaction in a connected interface without exposing signing keys.
Flow 2
Review on-device
Human-readable verification happens on the secure device before approval.
Flow 3
Broadcast only the signed result
The online environment receives a signed payload that can be sent to the network.
Who uses it and where it fits
Target teams, deployment contexts, and practical scenarios this system supports.
High-security personal custody
Support users who prioritize offline key control and explicit transaction review.
Institutional approval workflows
Map secure signing into more formal review and authorization flows.
Education and security demos
Demonstrate air-gapped transaction flow in training, workshops, or pilot product reviews.
Target users
Technical highlights
Design choices, implementation strengths, and productization considerations.
Strict trust-boundary design
Key storage, signing logic, and review UI remain inside the protected device environment.
Readable on-device verification
Security is paired with workflow clarity so users can verify what they are signing.
Transfer-channel minimization
QR encoding keeps the online and offline systems decoupled without sacrificing usability.
Common questions
Answers for teams evaluating fit, readiness, and customization scope.
Why is the companion app still necessary in an air-gapped setup?
The companion prepares unsigned transactions and broadcasts signed results, while the secure device remains responsible for verification and signing.
Does the device ever expose private keys?
No. The system is structured so keys remain inside the isolated hardware boundary for the entire lifecycle.
Can the approval flow be customized?
Yes. Policy checks, review steps, and supported payload patterns can be adapted for different wallet products or custody workflows.
Next step
Discuss this system with Creative Factory
Request a demo, review implementation scope, or discuss a custom variant for your workflow.