Coldcard Guide: Complete Air-Gapped Configuration with Sparrow Wallet

Step-by-step tutorial to secure your Bitcoin with the most paranoid hardware wallet on the market

December 2025 | Technical Tutorial | Category: Security

Table of Contents

1. Introduction: Why Air-Gapped Mode?
2. Receiving and Verifying the Coldcard
3. Generating the Seed Phrase
4. Configuring Sparrow Wallet
5. Exporting the Wallet to Sparrow
6. Signing a Transaction
7. Advanced Features
8. Security Best Practices
9. Troubleshooting
10. Final Checklist

1. Introduction: Why Air-Gapped Mode?

Eliminate every network attack surface for maximum Bitcoin security

1.1 What Is Air-Gapped Mode?

The term "air-gapped" (literally "separated by air") refers to a device that has no connection with any other system — no USB, no WiFi, no Bluetooth. The only way to communicate with it is through a removable physical medium, typically a MicroSD card.

In the context of the Coldcard, air-gapped mode means that your private key never touches a computer connected to the Internet. Transactions are signed offline, then transferred via SD card.

1.2 Difference from USB Connection

Risks of USB mode:

• BadUSB attacks (malicious firmware)
• Malware on the computer intercepting data
• Exploitation of USB protocol vulnerabilities

Advantages of air-gapped mode:

• Zero network attack surface
• Private key physically isolated
• Even a compromised computer cannot steal your keys

1.3 Process Overview

+-------------------+         +-------------------+
|    COLDCARD        |         |    SPARROW         |
|   (offline)        |         |   (online)         |
+--------+----------+         +--------+----------+
         |                             |
         |  1. Export wallet.json      |
         |  ----------------------->   |
         |       (SD card)             |
         |                             |
         |  2. Create PSBT             |
         |  <-----------------------   |
         |       (SD card)             |
         |                             |
         |  3. Signing                 |
         |  (on Coldcard)              |
         |                             |
         |  4. Signed PSBT             |
         |  ----------------------->   |
         |       (SD card)             |
         |                             |
         |  5. Broadcast               |
         |                      -------+---> Bitcoin Network
         |                             |

1.4 Prerequisites

Required hardware:

• Coldcard Mk4 or Coldcard Q (purchase only from coinkite.com)
• MicroSD card (8-32 GB, reliable quality)
• MicroSD to SD or USB adapter (for your computer)
• Computer with Sparrow Wallet installed
• Optional: USB-C power bank (for fully disconnected operation)

Software:

• Sparrow Wallet (latest version) — sparrowwallet.com

2. Receiving and Verifying the Coldcard

Make sure your device has not been compromised during shipping

2.1 Packaging Verification

When you receive your Coldcard, carefully inspect the packaging:

Step 2.1.1: Anti-tamper bag

The Coldcard ships in a special plastic bag with a unique number printed on it.

WARNING: If the bag is open, punctured, or if the number appears altered, do not use the Coldcard. Contact Coinkite immediately.

Step 2.1.2: Box and contents

Open the bag and verify the contents:

• 1x Coldcard Mk4 (or Q)
• 1x MicroSD card (sometimes included)
• 1x Coinkite sticker
• Paper documentation

2.2 First Boot

Step 2.2.1: Power supply

Plug in the Coldcard via USB (for power only) or use an external battery.

Tip: For a 100% air-gapped setup from the start, use a USB-C power bank. The Coldcard will not transmit any data over USB unless you configure it to do so.

Step 2.2.2: Welcome screen

On first boot, you will see:

Welcome to Coldcard!
Press OK to continue

Press OK (checkmark key).

2.3 Firmware Verification

Before any use, verify that the firmware is authentic and up to date.

Step 2.3.1: Check the current version

Menu: Advanced/Tools -> Upgrade Firmware -> Show Version

Note the displayed version (e.g., 5.2.0).

Step 2.3.2: Download the official firmware

On your computer, go to: coldcard.com/docs/upgrade

Download:

• The firmware file (.dfu)
• The signature file (.txt or .asc)

Step 2.3.3: Verify the signature (optional but recommended)

# Import the Coinkite public key
gpg --keyserver keyserver.ubuntu.com --recv-keys 4589779ADFC14F3327534EA8A3A31BAD5A2A5B10

# Verify the signature
gpg --verify firmware-*.txt

You should see: Good signature from "Coinkite Inc."

Step 2.3.4: Update via SD card

1. Copy the .dfu file to the MicroSD card
2. Insert the card into the Coldcard
3. Menu: Advanced/Tools -> Upgrade Firmware -> From MicroSD
4. Select the file
5. Confirm the update

The Coldcard will restart with the new firmware.

3. Generating the Seed Phrase

Create the 24 words that control your entire Bitcoin holdings

3.1 Option 1: Device Generation (Recommended)

This is the simplest and most secure method for most users.

Step 3.1.1: Start generation

Menu: New Seed Words -> 24 Words

Step 3.1.2: Add entropy (optional)

The Coldcard prompts you to add entropy by pressing random keys. Do this for 30-60 seconds.

Step 3.1.3: Write down the 24 words

The Coldcard displays the words 4 at a time. Write them down on paper (never on an electronic device).

Words 1-4:    abandon  ability  able     about
Words 5-8:    above    absent   absorb   abstract
...
Words 21-24:  zero     zone     zoo      [checksum]

CRITICAL: These 24 words are the only way to recover your Bitcoin. Lose them = lose everything. Do not photograph them. Do not store them digitally.

Step 3.1.4: Verification

The Coldcard asks you to confirm certain words to verify that you have written them down correctly.

3.2 Option 2: Import an Existing Seed

If you already have a seed phrase (e.g., migrating from another wallet):

Step 3.2.1: Import

Menu: Import Existing -> 24 Words

Enter each word using the keys. The Coldcard offers auto-completion after the first few letters.

3.3 Option 3: Dice Roll Generation (Paranoid Level)

For users who do not trust any electronic random number generator.

Step 3.3.1: Prepare the dice

You will need:

• Casino-quality 6-sided dice (unloaded)
• Paper and pen
• Approximately 30 minutes

Step 3.3.2: Start the procedure

Menu: New Seed Words -> Dice Rolls

Step 3.3.3: Perform 99 rolls

Roll the die 99 times and enter each result (1-6) on the Coldcard.

Why 99? The formula: log2(6^99) ~ 256 bits of entropy, equivalent to a 24-word seed.

Step 3.3.4: Seed generation

After the 99 rolls, the Coldcard computes the corresponding 24 words. The last word includes the checksum.

3.4 PIN Configuration

Step 3.4.1: Main PIN

The Coldcard requires a two-part PIN:

• Prefix: 2-6 digits
• Suffix: 2-6 digits

Example: 1234 - 5678 (full PIN: 1234-5678)

Tip: Use a PIN of at least 4+4 digits. Avoid birth dates or obvious sequences.

Step 3.4.2: Anti-phishing

Between the prefix and the suffix, the Coldcard displays two anti-phishing words. These words are unique to your device and your prefix.

Write down these words! If they ever change, it means the device has been compromised.

Step 3.4.3: Confirmation

Enter the full PIN a second time to confirm.

4. Configuring Sparrow Wallet

Install the software companion that will orchestrate your transactions securely

4.1 Installation

Step 4.1.1: Download

Go to sparrowwallet.com and download the version matching your OS:

• Windows: .exe
• macOS: .dmg
• Linux: .deb or .tar.gz

Step 4.1.2: Signature verification (recommended)

# Import Craig Raw's key (Sparrow developer)
gpg --keyserver keyserver.ubuntu.com --recv-keys E946 1833 4C67 4B40

# Verify
gpg --verify sparrow-*.asc

Step 4.1.3: Installation

Install normally according to your operating system.

4.2 First Configuration

Step 4.2.1: Launch

On first launch, Sparrow asks you to configure a Bitcoin server.

Step 4.2.2: Server choice

To get started: Use a public server, then migrate to a personal solution.

Public server configuration:

Type: Electrum Server
URL: electrum.blockstream.info
Port: 50002
SSL: Yes

Step 4.2.3: Connection test

Click "Test Connection". You should see "Connected" with the current block number.

5. Exporting the Wallet to Sparrow

Connect your offline wallet to the world by sharing only your public keys

5.1 Export from the Coldcard

Step 5.1.1: Insert the SD card

Insert a formatted MicroSD card into the Coldcard.

Step 5.1.2: Export the wallet file

Menu: Advanced/Tools -> Export Wallet -> Generic JSON

The Coldcard creates a coldcard-export.json file on the SD card.

Note: This file contains only the extended public key (xpub), NOT the private key. It is safe to transfer it to an online computer.

Step 5.1.3: Choose the address type

Select the desired address type:

5.2 Import into Sparrow

Step 5.2.1: Create a new wallet

In Sparrow: File -> New Wallet

Give it a name (e.g., "Coldcard Main").

Step 5.2.2: Import the file

• Select Airgapped Hardware Wallet
• Click Import File...
• Navigate to the SD card and select coldcard-export.json

Step 5.2.3: Verification

Sparrow displays the wallet information:

• Fingerprint
• Derivation path
• xpub

Click Apply to finalize.

5.3 Receive Address Verification

Step 5.3.1: Generate an address in Sparrow

Receive tab -> Copy the displayed address.

Step 5.3.2: Verify on the Coldcard

Menu: Address Explorer

Navigate to index 0 and verify that the address matches exactly the one displayed in Sparrow.

CRITICAL: If the addresses do not match, do not send funds. There is a configuration problem.

6. Signing a Transaction

Master the air-gapped workflow to send your Bitcoin securely

6.1 Creating the Transaction in Sparrow

Step 6.1.1: Go to the Send tab

Send tab in Sparrow.

Step 6.1.2: Fill in the details

Step 6.1.3: Create the transaction

Click Create Transaction.

Sparrow displays a summary. Verify:

• Destination address
• Amount being sent
• Transaction fee
• Change address (if applicable)

Step 6.1.4: Finalize for signing

Click Finalize Transaction for Signing.

6.2 Exporting the PSBT

Step 6.2.1: Save the PSBT

Click Save Transaction and save the .psbt file to the SD card.

Step 6.2.2: Eject the card

Safely eject the SD card from the computer.

6.3 Signing on the Coldcard

Step 6.3.1: Insert the SD card

Insert the card into the Coldcard.

Step 6.3.2: Load the transaction

Menu: Ready To Sign

The Coldcard automatically detects the PSBT file.

Step 6.3.3: Verify the details

The Coldcard displays:

TXID: abc123...
Sending: 0.05000000 BTC
To: bc1q...xyz
Fee: 0.00001234 BTC (5.2 sat/vB)

Press OK to sign
Press X to cancel

VERIFY EVERYTHING: Destination address (character by character for large amounts), amount, fees. This is your last line of defense.

Step 6.3.4: Sign

Press OK to sign.

The Coldcard creates a signed file: xxx-signed.psbt

6.4 Broadcasting the Transaction

Step 6.4.1: Return to the computer

Insert the SD card into the computer.

Step 6.4.2: Load the signed transaction

In Sparrow: Load Transaction -> Select the signed file.

Step 6.4.3: Broadcast

Click Broadcast Transaction.

Sparrow sends the transaction to the Bitcoin network. You receive a confirmation TXID.

7. Advanced Features

Leverage protection mechanisms against physical coercion and sophisticated attacks

7.1 Duress PIN (Coercion PIN)

The Duress PIN opens a decoy wallet containing a small balance, in case of physical threat.

Configuration:

Menu: Settings -> Login Settings -> Duress PIN

Set a PIN different from your main PIN. This PIN will unlock a secondary wallet derived differently.

Usage:

• Put a few satoshis on the decoy wallet
• Under duress ("give me your PIN!"), provide the Duress PIN
• The attacker will see a wallet with minimal funds

7.2 Brick Me PIN (Self-Destruct)

The Brick Me PIN permanently destroys the keys stored in the Coldcard.

Configuration:

Menu: Settings -> Login Settings -> Brick Me PIN

DANGER: Only use if you have a secure backup of your seed. The Brick Me PIN is irreversible.

7.3 BIP39 Passphrase (25th Word)

The passphrase adds a "25th word" to your seed, creating an entirely different wallet.

Configuration:

Menu: Passphrase -> Enter your passphrase

Advantages:

• Even if someone finds your 24 words, they are missing the passphrase
• Enables plausible deniability (hidden wallet)
• Multiple wallets with a single seed (different passphrase = different wallet)

WARNING: Losing the passphrase = losing access to the associated wallet. Back it up separately from the seed.

7.4 Encrypted SD Card Backup

Creating a backup:

Menu: Advanced/Tools -> Backup System -> Backup

The Coldcard creates a .7z file encrypted with your PIN on the SD card.

Restoration:

If needed, this backup can restore the entire Coldcard configuration (seed, settings, etc.).

7.5 Address Verification on the Device

For important transactions, always verify the address on the Coldcard:

Menu: Address Explorer -> Navigate to the desired index

Compare character by character with the address displayed by Sparrow.

8. Security Best Practices

Protect your hardware investment and your backups with a thoughtful strategy

8.1 Coldcard Storage

8.2 Seed Phrase Storage

Recommended media:

Geographic distribution:

Do not keep all your backups in the same place. Example:

• Copy 1: At your home (safe)
• Copy 2: At a trusted family member's home
• Copy 3: Bank safe deposit box

8.3 Recovery Procedure (Mandatory Test)

Before sending significant amounts, test the recovery:

1. Create the wallet with the seed
2. Send a small amount (e.g., 10,000 sats)
3. Reset the Coldcard (Destroy Seed)
4. Restore from the written seed
5. Verify that you can see the balance

If the test succeeds, you can be confident that your backup works.

8.4 Firmware Updates

When to update:

• Critical security patches: Immediately
• New features: Wait 1-2 weeks (community feedback)
• Minor updates: At your convenience

How to update:

1. Download the firmware from coldcard.com
2. Verify the GPG signature
3. Copy to the SD card
4. Menu: Advanced/Tools -> Upgrade Firmware -> From MicroSD

Never enable automatic updates (they do not exist on Coldcard, but this is a general principle).

9. Troubleshooting

Resolve common issues to restore optimal operation of your setup

9.1 Coldcard Won't Power On

9.2 Transaction Not Recognized by the Coldcard

Symptom: The Coldcard displays "No PSBT found" or ignores the file.

Solutions:

• Verify that the file is indeed .psbt (not .txt)
• Verify that the wallet matches (same xpub)
• Re-create the transaction in Sparrow
• Format the SD card as FAT32

9.3 Different Addresses Between Sparrow and Coldcard

Probable cause: Wrong derivation type.

Solution:

1. Check the derivation path in Sparrow
2. For Native Segwit: m/84'/0'/0'
3. Re-import the wallet with the correct path

9.4 "Invalid PSBT" Error

Possible causes:

• PSBT created for a different wallet
• File corrupted during transfer
• Incompatible version

Solution:

• Verify that you are using the correct wallet in Sparrow
• Re-create and re-export the PSBT
• Update Sparrow and/or the Coldcard firmware

9.5 Forgotten PIN

Bad news: After 13 incorrect attempts, the Coldcard wipes the seed.

Solution:

• Try to remember (you have 13 attempts)
• If unsuccessful: restore from your seed backup on a new Coldcard

10. Final Checklist

Validate all critical points before entrusting your wealth to this system

Before Sending Significant Funds

• Seed phrase written on a durable medium (paper or metal)
• Seed phrase tested (successful recovery)
• Seed phrase stored in a safe location (not only at your home)
• PIN memorized (and anti-phishing words noted)
• Address verified on the Coldcard (not only in Sparrow)
• Small test amount sent and recovered
• Firmware verified and up to date
• Passphrase backed up separately (if used)

Secure Transaction Procedure

1. Create the transaction in Sparrow
2. Export the PSBT to the SD card
3. Verify the details on the Coldcard (address, amount, fees)
4. Sign on the Coldcard
5. Import the signed transaction into Sparrow
6. Broadcast
7. Verify confirmation on an independent block explorer

Regular Maintenance

• Check for firmware updates (monthly)
• Test backup access (annually)
• Check the physical condition of seed storage (annually)

Related Articles -- Technical Security

• Multisig 2-of-3 Bitcoin Tutorial
• Verify Hardware Wallet Firmware
• SeedSigner DIY Complete Tutorial
• Passphrase 25th Word Bitcoin

Additional Resources

Official documentation:

• Coldcard Docs
• Sparrow Wallet Docs

Technical standards:

• BIP39 (Mnemonic phrases)
• BIP84 (Native Segwit derivation)
• PSBT (BIP174 - Partially Signed Bitcoin Transactions)

Recommended videos:

• Ministry of Nodes - Coldcard Tutorials
• BTC Sessions - Coldcard Setup Guide

Document written in December 2025

This tutorial is provided for educational purposes. The security of your funds depends on your rigor in applying these procedures.

Recommended internal links:

• France 2026: The End of Financial Sovereignty -- Why self-custody is essential
• Multisig 2-of-3: Practical Configuration -- Higher security level
• The Passphrase (25th Word) -- Advanced strategies
• Verify Your Hardware Wallet Firmware -- In-depth security