Documentation

Getting Started

Everything you need to go from a blank USB flash drive to signing your first transaction, start to finish.

Critical Precautions: Read Before Proceeding

Your 12- or 24-word seed phrase is the only unconditional backup of your private key.

Physical Backups are Mandatory — Write your seed phrase and BIP-39 passphrase onto physical media and store them in separate, secure locations. Never store these records digitally. If your flash drive fails, is lost, or is wiped, your physical backup is the only path to recovering your Bitcoin.

The Passphrase is Integral — A BIP-39 passphrase is not just a password; it is a permanent extension of your seed phrase. Without it, your seed phrase alone cannot recover your funds. Treat the passphrase with the same level of security as the seed phrase itself.

Active Development Notice — SafeKeepVault is currently in active development. We strongly recommend beginning with a nominal balance while you familiarize yourself with the tools. Ensure your physical backups are verified and current before securing significant funds.

System Requirements & Components

SafeKeepVault creates a secure, offline environment without you needing to take your computer apart or buy extra gear. The moment it starts up, it automatically disables all outside connections—like Ethernet, Wi-Fi and storage devices—to keep your data completely isolated.

System Requirements

  • A Boot Drive — A standard USB flash drive flashed with the SafeKeepVault image. Once you boot your computer from this drive, the system runs in total isolation. Your internal storage remains unmounted and entirely untouched throughout the session.
  • A Host Computer — Any x86-based laptop or desktop with at least 4GB of RAM. SafeKeepVault is engineered to run on a wide range of hardware, regardless of age or performance specifications. No permanent modifications to your hardware or settings are required.
  • Webcam — While not strictly required, an integrated or USB-connected webcam is highly recommended. This enables the use of the Courier Tool, our high-density QR transfer tool, allowing you to sign transactions and verify data without ever physically connecting the vault to another device. It is the most seamless way to maintain a true air-gap.
  • A Password Manager — Strongly recommended for generating and storing the high-entropy password that protects your encrypted vault partition. A password manager lets you use a truly unbreakable credential without the risk of forgetting it, and pairs seamlessly with the QR unlock workflow described in Step 1 below.

Components

  • The Transfer Drive — The USB flash drive creates a dedicated partition for moving data in and out of the vault. This is the only point of contact between SafeKeepVault and external storage. When combined with the Courier Tool—our high-density QR tool—this creates a secure, bidirectional data flow.
    • Seamless QR Unlocking: By storing your vault password in a manager on your mobile device, you can generate a QR code from that password (see Step 1). Simply display your phone to the host’s webcam to unlock your encrypted vault instantly—combining elite cryptographic strength with a streamlined, convenient way to unlock your wallet.
    • Port Security: Note that for maximum hardware isolation, USB ports are restricted once the vault is active. File-based transfers should be managed by moving the drive between machines while the vault is powered down.

Step 1: Vault Password & QR Generation

Before you boot SafeKeepVault for the first time, you need a vault password ready to go. This password will encrypt the persistent partition of your flash drive—the storage layer where your keys and vault data live between sessions. It is the primary cryptographic barrier protecting everything inside the vault.

Your Password is the Primary Defense

The strength of your vault password is the single most critical security decision you will make during setup. If an unauthorized party gains physical access to your drive, this password is the only barrier protecting your keys. There is no “forgot password” reset and no remote wipe. The password is the absolute lock.

Generate a High-Entropy Password

Open your password manager and generate a new credential for SafeKeepVault. Use a fully random string of at least 20 characters. Do not use a memorable phrase or a password you have used anywhere else. Human-chosen passwords follow predictable patterns that modern brute-force tools can exploit. A randomly generated credential cannot be guessed — only lost. Your password manager is its permanent home; do not write it down in plaintext anywhere.

Generate Your Unlock QR Code

Typing a 20+ character random password on every boot is impractical. Instead, convert it to a QR code using the widget below. Save the QR image to your phone’s secure photo library or an encrypted note in your password manager. On every subsequent boot, simply hold your phone up to the vault’s webcam — the system reads the QR and unlocks the vault instantly, with no typing required. This converter runs entirely in your browser; safekeepbitcoin.com does not store your password.

Vault Password → QR Code

Save this image to your phone’s secure photo library or a locked note in your password manager. Display it to the vault’s webcam on every boot to unlock instantly.

Step 2: Download & Image Creation

Download the Software — Visit the Download page to obtain the latest release. The software is provided as a .zip archive; once extracted, you will find the .img disk image required for the installation.

Flash to USB — To write the image to your flash drive, we recommend using BalenaEtcher, which is available for Windows, macOS, and Linux.

  1. Open BalenaEtcher and select the extracted .img file.
  2. Select your target flash drive.
  3. Click Flash to begin the process.

While BalenaEtcher provides the most straightforward experience across all platforms, advanced users may also utilize the dd utility on macOS/Linux or Rufus on Windows.

Verify the Release — A developer signature is provided to verify software integrity and authenticity. Our Verification Guide contains the public keys and checksums required to validate the release across Windows, macOS, and Linux.

Step 3: Initialization & Encryption

Insert the USB flash drive, then power on or restart your computer. During startup, most systems allow you to choose a temporary boot device by pressing a function key such as F12, F11, ESC, or sometimes F8 immediately after powering on. On Macs with Intel processors, hold the Option key during startup. SafeKeepVault skips the usual desktop screen, booting straight into a clean, secure space built only for running the software.

One-Time Configuration: The Encrypted Vault

Upon your initial boot, SafeKeepVault will guide you through the creation of your Encrypted Storage Partition. This persistent volume is where your keys and vault data reside between sessions. When prompted to set your vault password, select the scan QR option and display the QR code you saved in Step 1 to the webcam. The scanner will read it instantly and use it to encrypt the partition. Every subsequent boot works the same way — just scan and you’re in.

Alternatively, at the decryption prompt you may choose to bypass the encrypted vault entirely and boot into a Temporary Session. This launches a volatile session without writing any data to the physical drive. Manually enter your seed, perform the necessary operations, and shut down to purge all traces instantly. This mode is ideal for users who prefer to keep their keys exclusively on physical media and need no persistent storage on the drive.

Initial Configuration Options

Once the vault is initialized, you are presented with five methods to manage your seed phrase:

  1. Generate New Seed — Access the Entropy Generator, SafeKeepVault's entropy-driven seed generator. By combining dice rolls, erratic mouse movement, and camera sensor noise, you can generate a master seed with maximum cryptographic randomness. A mandatory verification sequence ensures your physical backup is accurate before any data is committed to the vault.
  2. Restore from Words — Securely import an existing 12- or 24-word recovery seed phrase. This will be stored securely within the vault and restored each time you reboot and enable the vault.
  3. Restore via Seed XOR — Reconstruct a seed phrase by combining multiple backup shares previously split with any Seed XOR tool. The shares are merged exclusively in memory; the individual components are never stored on the drive, maintaining the integrity of your distributed backup scheme.
  4. Restore Shamir Backup — Utilize the Shamir Backup tool to reconstruct a seed from Shamir’s Secret Sharing (SLIP-39) shares. Simply input the required number of shares to meet your designated threshold, and your seed phrase will be restored into the vault.
  5. Unlock .7z Backup — Import a previously encrypted vault archive created using the Encrypted Backup tool. This restores your entire environment—including all stored keys, passphrases, and custom configurations—onto a new or freshly flashed boot drive.
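
The following sketch is an added example, not SafeKeepVault's own code. It shows the arithmetic behind option 3: Seed XOR shares are combined by XOR-ing their BIP-39 entropy, so every share is required and each share is itself a well-formed seed. Function names are hypothetical, and the wordlist lookup that turns indices into words is left out.

```python
import hashlib
import secrets
from functools import reduce

def word_indices(entropy):
    """Map BIP-39 entropy to its 11-bit word indices (0-2047), checksum included."""
    if len(entropy) not in (16, 20, 24, 28, 32):
        raise ValueError("entropy must be 128 to 256 bits in 32-bit steps")
    ent_bits = len(entropy) * 8
    cs_bits = ent_bits // 32                      # 4 bits for 12 words, 8 for 24
    checksum = hashlib.sha256(entropy).digest()[0] >> (8 - cs_bits)
    value = (int.from_bytes(entropy, "big") << cs_bits) | checksum
    n_words = (ent_bits + cs_bits) // 11
    return [(value >> (11 * (n_words - 1 - i))) & 0x7FF for i in range(n_words)]

def xor_bytes(a, b):
    if len(a) != len(b):
        raise ValueError("all shares must have the same length")
    return bytes(x ^ y for x, y in zip(a, b))

def split_seed(entropy, parts):
    """Split entropy into `parts` XOR shares.

    General construction (an assumption, a given tool may pick its shares
    differently): parts-1 random pads plus one share that balances the XOR.
    """
    if parts < 2:
        raise ValueError("need at least two shares")
    pads = [secrets.token_bytes(len(entropy)) for _ in range(parts - 1)]
    return pads + [reduce(xor_bytes, pads, entropy)]

def combine_shares(shares):
    """XOR every share together; leaving one out yields unrelated entropy."""
    if len(shares) < 2:
        raise ValueError("need at least two shares")
    return reduce(xor_bytes, shares)

if __name__ == "__main__":
    seed = bytes(range(32))                       # constructed entropy, not a real seed
    shares = split_seed(seed, 3)
    for n, share in enumerate(shares, 1):
        # Each share has its own valid checksum, so it reads as a normal 24-word seed.
        print(f"share {n}: word indices {word_indices(share)[:4]} ...")
    print("all three shares recover the seed:", combine_shares(shares) == seed)
    print("two of three recover the seed:    ", combine_shares(shares[:2]) == seed)
```

Unlike the Shamir option, there is no threshold here: a missing share cannot be worked around, and a subset of shares decodes to a different, valid-looking seed rather than an error.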

Step 4: Mounting the Transfer Drive

Once your seed phrase is loaded and you land on the Dashboard, your next step is to mount the Transfer Drive. This is the dedicated partition on your flash drive used to move files in and out of the vault — signed transactions, PSBT files, encrypted backups, and exported reports all pass through here. When the flash drive is inserted into your everyday Mac or Windows computer, this partition mounts like a normal drive, giving your wallet software direct access to any files the vault has written to it — this is how sneakernet file transfer works. Note that removing the drive from a live vault session is a one-way action: as a security precaution, you cannot hot-swap it back in without rebooting the vault.

Do this on every boot

The Transfer Drive is not mounted automatically. You must mount it manually at the start of each session. Tools that require file access will not function until it is mounted.

How to Mount

  1. Click “Mount Transfer Drive” — On the Dashboard, you will see a prominent Mount Transfer Drive button. Click it. This opens the system file explorer automatically.
  2. Select the Transfer Partition — In the file explorer, you will see your flash drive listed with two partitions. Select the one labelled Transfer (not the system partition).
  3. Click Allow — A permission prompt will appear asking whether to allow access to the partition. Click Allow. The Transfer Drive will mount and become available to all tools immediately.
The Mount Transfer Drive button on the SafeKeepVault Dashboard. After clicking Allow in the file explorer, the status indicator confirms the drive is live.

Once mounted, every tool in the vault can read from and write to the Transfer Drive automatically. The status indicator in the toolbar will confirm when it is live. You only need to mount it once per session.

Watch Wallet Creation

Your vault holds the private keys; a watch-only wallet on your everyday device holds the public keys. The watch wallet tracks your balances, generates receive addresses, and builds unsigned transactions — all without ever touching a private key. When it’s time to spend, the watch wallet hands off an unsigned PSBT to the vault for signing, then broadcasts the result.

To set up a watch wallet, you first need to export your public key or output descriptor from the vault. Open the Seed Management tool and select your desired script type (Native SegWit, Taproot, etc.), then export the extended public key. The export lands on your Transfer Drive as a file, or can be transmitted directly via QR. Transfer it to your online device and follow the setup steps for your chosen wallet below.

The Seed Management tool. Choose your Key Format and Wallet Type to match the callout boxes in each wallet's setup section below, then export to your Transfer Drive or transmit via QR.
Address type and wallet type selection. Match these settings to the export settings listed for your chosen wallet below.
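
An added example (not part of SafeKeepVault or any wallet named here): a check you could run on the online machine before importing an exported key string. It decodes the Base58Check extended key, reads the BIP-32/SLIP-132 version bytes, and confirms the payload holds a public key rather than a private one. The sample keys are constructed and the function names are hypothetical.

```python
import hashlib

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

# Mainnet version bytes from BIP-32 and SLIP-132: (prefix, holds a private key?)
VERSIONS = {
    "0488b21e": ("xpub", False), "0488ade4": ("xprv", True),
    "049d7cb2": ("ypub", False), "049d7878": ("yprv", True),
    "04b24746": ("zpub", False), "04b2430c": ("zprv", True),
    "0295b43f": ("Ypub", False), "02aa7ed3": ("Zpub", False),
}

def _checksum(payload):
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]

def b58check_encode(payload):
    data = payload + _checksum(payload)
    n, out = int.from_bytes(data, "big"), ""
    while n:
        n, rem = divmod(n, 58)
        out = B58[rem] + out
    return "1" * (len(data) - len(data.lstrip(b"\x00"))) + out

def b58check_decode(text):
    n = 0
    for ch in text:
        n = n * 58 + B58.index(ch)          # ValueError on a non-Base58 character
    zeros = len(text) - len(text.lstrip("1"))
    data = b"\x00" * zeros + n.to_bytes((n.bit_length() + 7) // 8, "big")
    if len(data) < 5 or _checksum(data[:-4]) != data[-4:]:
        raise ValueError("Base58Check checksum mismatch")
    return data[:-4]

def inspect_extended_key(text):
    """Decode an extended key and report whether it is watch-only material."""
    payload = b58check_decode(text.strip())
    if len(payload) != 78:
        raise ValueError("extended keys are 78 bytes before the checksum")
    # Unknown version bytes are treated as unsafe rather than guessed at.
    prefix, private = VERSIONS.get(payload[:4].hex(), ("unknown", True))
    key = payload[45:]
    return {
        "prefix": prefix,
        "depth": payload[4],
        "parent_fingerprint": payload[5:9].hex(),
        "child_number": int.from_bytes(payload[9:13], "big"),
        # A public key is 33 bytes starting 0x02/0x03; a private key is 0x00 + 32 bytes.
        "watch_only": not private and key[0] in (2, 3),
    }

# Constructed samples (not real keys): depth 3, child 0' (hardened), dummy chain code.
_HEADER = bytes([3]) + bytes.fromhex("12345678") + (0x80000000).to_bytes(4, "big") + b"\x5a" * 32
SAMPLE_ZPUB = b58check_encode(bytes.fromhex("04b24746") + _HEADER + b"\x02" + b"\x11" * 32)
SAMPLE_ZPRV = b58check_encode(bytes.fromhex("04b2430c") + _HEADER + b"\x00" + b"\x11" * 32)

if __name__ == "__main__":
    print(inspect_extended_key(SAMPLE_ZPUB))
    print(inspect_extended_key(SAMPLE_ZPRV))
```

Anything that reports `watch_only` as false should never be copied to the online device.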

Blue Wallet (Mobile — iOS & Android)

Use these settings and steps for Blue Wallet. Keys are transferred directly via QR code — no file transfer required.

Single Signature

SafeKeepVault — Seed Management export settings
Wallet Type: Single-Sig
Key Format: SLIP-380
  1. Tap Add Wallet and choose type Bitcoin.
  2. Tap Import Wallet.
  3. Tap Scan or import a file.
  4. Click Show QR on SafeKeepVault and scan the QR code with your phone. Blue Wallet imports the xpub and fingerprint automatically and creates your watch wallet.

Multisig

SafeKeepVault — Seed Management export settings (repeat for each co-signer key)
Wallet Type: Multi-Sig (BIP-48)
Key Format: SLIP-380
  1. Tap Add Wallet and choose type Multisig Vault.
  2. Tap Create, then Let’s Start.
  3. Tap Import vault key 1 → Scan or import a file.
  4. Scan the first key QR from SafeKeepVault.
  5. Repeat steps 3–4 for each additional co-signer key.
  6. Tap Create to finalize the multisig vault.

Nunchuk (Mobile — iOS & Android)

Use these settings and steps for Nunchuk. This workflow is file-based — use the Courier Tool to transmit the JSON file from the vault to your phone.

Single Signature

SafeKeepVault — Seed Management export settings
Wallet Type: Single-Sig
Key Format: Hardware Wallet JSON
  1. In SafeKeepVault, open Seed Management, configure the settings above, and click Download JSON. The file saves to your Transfer Drive.
  2. Open the Transfer Hub in the vault and locate the JSON file you just downloaded.
  3. On your phone, open the Courier Tool and select Receive, then tap Open camera and scan.
  4. On SafeKeepVault, select the JSON file and click Transmit → Courier Tool → Start Transmission. The vault displays an animated QR sequence.
  5. Hold your phone to the vault’s screen. The Courier Tool will scan and reconstruct the file. Save it to your phone when prompted.
  6. In Nunchuk, tap Add Key → Coldcard → Add COLDCARD via file (advanced) → Continue.
  7. Navigate to the JSON file you transferred and select it.
  8. Name your key and tap Add Key. Your signing key is now registered.
  9. Return to the Nunchuk home screen and tap + to add a wallet.
  10. Select Custom Wallet, name it, choose the address type you used in step 1, and tap Continue.
  11. Select the key you created in step 8, tap Continue, then Create Wallet.

Multisig

SafeKeepVault — Seed Management export settings (repeat for each co-signer key)
Wallet Type: Multi-Sig (BIP-48)
Key Format: Hardware Wallet JSON
  1. Follow the same key creation steps as Single Signature above, selecting Multi-Sig (BIP-48) as the Wallet Type in SafeKeepVault. Repeat for each co-signer key.
  2. In Nunchuk, tap + and select Group Wallet.
  3. Select the appropriate co-signer keys you created, configure the signing threshold (e.g., 2-of-3), and tap Create Wallet.

Sparrow (Desktop — Windows, macOS, Linux)

Use these settings and steps for Sparrow. This workflow is file-based — use the Courier Tool to transmit the JSON file from the vault to your phone, then share it to your computer via a cloud service, or move the flash drive directly to your online machine (sneakernet).

Single Signature

SafeKeepVault — Seed Management export settings
Wallet Type: Single-Sig
Key Format: Hardware Wallet JSON
  1. In SafeKeepVault, open Seed Management, configure the settings above, and click Download JSON. The file saves to your Transfer Drive.
  2. Transfer the JSON file to your online computer using sneakernet or the phone → cloud method described above.
  3. Open Sparrow and go to File → Open Wallet.
  4. Navigate to and select the JSON file you transferred. Sparrow reads the key data and populates the wallet configuration automatically.
  5. Click Create Wallet to save.
  6. Sparrow will sync and display your balance and transaction history.

Multisig

SafeKeepVault — Seed Management export settings (repeat for each co-signer key)
Wallet Type: Multi-Sig (BIP-48)
Key Format: SLIP-132
  1. In SafeKeepVault, open Seed Management, configure the settings above, and click Download JSON. Repeat for each co-signer key. Transfer all files to your online computer using sneakernet or the phone → cloud method described above.
  2. Open Sparrow and go to File → New Wallet. Give your wallet a name.
  3. Select Multi Signature and configure your cosigner quorum (e.g., 2-of-3).
  4. For the first keystore, click xPub / Watch Only Wallet, then click Import → Airgapped Hardware Wallet → Import File → Coldcard Multisig. Navigate to and select the first key file.
  5. Repeat step 4 for each remaining keystore, selecting the corresponding key file each time.
  6. Once all keys are loaded, click Apply to complete the wallet.

Specter Desktop (Desktop — Windows, macOS, Linux)

Use these settings and steps for Specter Desktop. This workflow is file-based — use the Courier Tool to transmit the JSON file from the vault to your phone, then share it to your computer via a cloud service, or move the flash drive directly to your online machine (sneakernet).

Single Signature

SafeKeepVault — Seed Management export settings
Wallet Type: Single-Sig
Key Format: BIP-32 Watch-Only JSON
  1. In SafeKeepVault, open Seed Management, configure the settings above, and click Download JSON. The file saves to your Transfer Drive.
  2. Transfer the JSON file to your online computer using sneakernet or the phone → cloud method described above.
  3. Open Specter Desktop and click Add Device.
  4. Select device type Other, then click Upload from SD to import your xpub. Navigate to and select the JSON file, then click Continue.
  5. Specter confirms the device has been added. Click Create Single Key Wallet.
  6. Give your wallet a name and click Continue to complete setup.

Multisig

SafeKeepVault — Seed Management export settings
Wallet Type: Multisig
Key Format: BIP-32 Watch-Only JSON
  1. Follow the same key creation steps as Single Signature above, selecting Multi-Sig (BIP-48) as the Wallet Type in SafeKeepVault. Repeat for each co-signer key.
  2. Click Add Wallet and select Multiple Signature.
  3. Select the devices you want in your multisig quorum and click Continue. Give your wallet a name and click Create Wallet to complete setup.

Electrum (Desktop — Windows, macOS, Linux)

Use these settings and steps for Electrum. This workflow is file-based — use the Courier Tool to transmit the JSON file from the vault to your phone, then share it to your computer via a cloud service, or move the flash drive directly to your online machine (sneakernet).

Single Signature

SafeKeepVault — Seed Management export settings
Wallet Type: Single-Sig
Key Format: Electrum Compatible JSON
  1. In SafeKeepVault, open Seed Management, configure the settings above, and click Download JSON. The file saves to your Transfer Drive.
  2. Transfer the file to your online machine and open Electrum.
  3. Go to File → Open and select the exported JSON file. Electrum will load it as a watch-only wallet. Electrum will identify the JSON as a Coldcard and ask you to connect it. Just click No.

Multisig

SafeKeepVault — Seed Management export settings
Wallet Type: N/A
Key Format: N/A

Multisig with Electrum is not currently supported. In the meantime, you can set up your multisig wallet in Sparrow or Specter Desktop using the instructions above.

Signing a Transaction

Once your watch wallet has built a transaction and exported it as a PSBT, bring it into SafeKeepVault to sign. The vault reviews the details — you inspect and verify the destination address and amount before signing is unlocked. The signed result is then returned to your watch wallet to broadcast.

Loading the PSBT

From the Dashboard, click PSBT Signer to open the tool. You are given two options for loading the unsigned transaction: scan a QR code displayed by your watch wallet, or load a .psbt file directly from the Transfer Drive.

The PSBT Signer ingest screen. Choose to scan a QR code from your watch wallet or load a .psbt file from the Transfer Drive.
Select Scan Unsigned PSBT to activate the webcam and scan the QR code displayed by your watch wallet, or choose Load PSBT from Transfer Drive to import the file directly.
Select PSBT Signer from the Dashboard to begin the signing workflow.

If you select Load PSBT from Transfer Drive, the vault lists every .psbt file currently on the partition. Click the file to load it.

The Transfer Drive file picker lists all available .psbt files. Select the unsigned transaction to proceed.

Reviewing the Transaction

Display the QR code generated by your wallet software and hold it up to SafeKeepVault’s webcam. Once scanned, the vault moves to the Review tab and presents a full transaction audit — every destination address displayed in full, the amount in BTC and satoshis, a generated QR of the address for independent verification on a second device, and the mining fee and fee rate.

Check the box confirming you have independently verified the destination address and amount. The Sign Transaction button remains locked until this confirmation is complete.

The Transaction Audit screen. Verify the destination address against an independent device, confirm the amount and fee, and check the verification box to unlock signing.
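
As an added illustration (example code, not the vault's implementation), this parser does independently what the Review tab displays: it decodes a PSBT from Base64 or hex, lists each output's amount and scriptPubKey, and derives the fee from the declared input amounts. It assumes a version 0 PSBT whose inputs carry witness UTXO records; the sample PSBT is constructed.

```python
import base64

MAGIC = b"psbt\xff"

class Reader:
    def __init__(self, data):
        self.data, self.pos = data, 0
    def take(self, n):
        """Return the next n bytes, refusing truncated input."""
        if self.pos + n > len(self.data):
            raise ValueError("truncated PSBT")
        chunk = self.data[self.pos:self.pos + n]
        self.pos += n
        return chunk
    def compact(self):
        """Bitcoin compact-size integer."""
        first = self.take(1)[0]
        if first < 0xFD:
            return first
        return int.from_bytes(self.take({0xFD: 2, 0xFE: 4, 0xFF: 8}[first]), "little")
    def kv_map(self):
        """One PSBT map: <keylen><key><vallen><value> pairs ending at 0x00."""
        entries = {}
        while True:
            key_len = self.compact()
            if key_len == 0:
                return entries
            key = self.take(key_len)
            if key in entries:
                raise ValueError("duplicate key in PSBT map")
            entries[key] = self.take(self.compact())

def load_psbt(text):
    """Accept the hex or Base64 text encoding and check the magic bytes."""
    text = text.strip()
    try:
        raw = bytes.fromhex(text)
    except ValueError:
        raw = base64.b64decode(text, validate=True)
    if raw[:5] != MAGIC:
        raise ValueError("not a PSBT")
    return raw

def audit(text):
    """Return outputs as (sats, scriptPubKey hex) and the fee in satoshis."""
    psbt = Reader(load_psbt(text))
    psbt.take(5)
    unsigned = psbt.kv_map().get(b"\x00")   # global key type 0x00: unsigned tx
    if unsigned is None:
        raise ValueError("no unsigned transaction (PSBTv2 is not handled here)")
    tx = Reader(unsigned)
    tx.take(4)                              # version
    n_inputs = tx.compact()
    for _ in range(n_inputs):
        tx.take(36)                         # previous outpoint
        tx.take(tx.compact())               # scriptSig, empty while unsigned
        tx.take(4)                          # sequence
    outputs = []
    for _ in range(tx.compact()):
        sats = int.from_bytes(tx.take(8), "little")
        outputs.append((sats, tx.take(tx.compact()).hex()))
    total_in = 0
    for _ in range(n_inputs):
        utxo = psbt.kv_map().get(b"\x01")   # input key type 0x01: witness UTXO
        if utxo is None:
            total_in = None                 # amount not declared: fee unknown
        elif total_in is not None:
            total_in += int.from_bytes(utxo[:8], "little")
    fee = None if total_in is None else total_in - sum(s for s, _ in outputs)
    return {"outputs": outputs, "fee_sats": fee}

# Constructed sample (not a real transaction): one 100,000 sat input, two outputs.
def _txout(sats, tag):
    return sats.to_bytes(8, "little") + b"\x16\x00\x14" + bytes([tag]) * 20  # P2WPKH-shaped
_TX = ((2).to_bytes(4, "little") + b"\x01" + b"\xaa" * 32 + bytes(5) + b"\xfd\xff\xff\xff"
       + b"\x02" + _txout(25_000, 0x11) + _txout(74_000, 0x22) + bytes(4))
_RAW = (MAGIC + bytes([1, 0, len(_TX)]) + _TX + b"\x00"
        + b"\x01\x01\x1f" + _txout(100_000, 0x33) + b"\x00" + b"\x00\x00")
SAMPLE_BASE64, SAMPLE_HEX = base64.b64encode(_RAW).decode(), _RAW.hex()
```

For the constructed sample, `audit(SAMPLE_BASE64)` reports outputs of 25,000 and 74,000 sat and a fee of 1,000 sat; a `fee_sats` of `None` means an input did not declare its amount, so the fee cannot be confirmed from the file alone.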

Signing

Exporting the Result

Once signed, the Export tab offers several ways to return the result to your watch wallet. The primary method is a QR code — choose the format that matches your coordinator: Standard Base64 for Sparrow and Blue Wallet, Nunchuk Raw Hex, or Electrum Raw Hex. You can also copy or save the raw transaction hex for direct broadcast, or save the signed .psbt file back to the Transfer Drive for sneakernet handoff.

The Export screen. Point your watch wallet’s camera at the QR code to import the signed transaction, or use the Transfer Drive fallback for sneakernet handoff. Once broadcast, you’re done.
Choose the export format that matches your watch wallet. Different coordinators expect different formats — select the one for yours to ensure the signed transaction imports correctly.

Exporting via the Transfer Hub

If your workflow is file-based rather than QR-based, the Transfer Hub is where you retrieve the signed .psbt file after signing. Open the Transfer Hub from the Dashboard, locate the signed file on the partition, and use the Transmit button to send it via animated QR to the Courier Tool on your phone, or simply move the flash drive to your online machine and collect the file directly from the Transfer partition. Files transmitted via QR can be received directly on your computer at safekeepbitcoin.com/Courier Tool.

The Transfer Hub lists all files on the Transfer partition. Locate your signed .psbt file and transmit it via QR or collect it via sneakernet to complete the workflow.

The Tool Arsenal

Beyond the core signing workflow, SafeKeepVault includes a broad suite of tools covering the full range of Bitcoin self-custody tasks — from seed generation and address verification to backup management, multisig coordination, and inheritance planning. Every tool runs completely offline and works with any Bitcoin wallet that supports standard formats.

Primary Tools

  • PSBT Signer — Reviews, decodes, and signs PSBTs entirely offline. Transaction details are displayed for inspection before you sign.
  • Passphrase Library — Manages BIP-39 passphrases (the “25th word”) inside the encrypted vault. Loads directly into the PSBT Signer when signing requires a passphrase-protected wallet.
  • Seed Management — Exports your public key and output descriptor for watch-only wallet setup in Sparrow, Electrum, Nunchuk, Blue Wallet, Specter, or any compatible coordinator. Your private keys never leave.

Advanced Tools

  • Transfer Hub — File browser for the Transfer Drive. View, rename, or delete backup archives, transactions, and PDFs.
  • Courier Tool — Transfers files between air-gapped devices via animated QR codes. No USB, no network — light and a camera lens only.
  • Output Descriptor — Builds wallet configurations for single-signature and multisig setups. Export and import directly into any compatible wallet.
  • Entropy Generator — Generates your master seed using multiple sources of randomness: dice rolls, mouse movement, camera noise, and the system’s built-in random number generator.
  • BIP-85 Child Seeds — Generates separate child wallets from your master seed — isolated wallets for different purposes, all recoverable from one backup.
  • Seed XOR Splitter — Splits your seed into XOR shares for distributed cold storage. Reconstructs your master seed by combining these shares.
  • Shamir Backup — Splits your seed into Shamir shares for distributed backup. Recovery requires only a portion of the shares (2-of-3, 3-of-5, etc.) to restore.
  • Seed QR Code — Displays a QR-encoded version of a seed as a compact SeedQR for steel stamping or paper backup. Hand-drawn or engraved copies can be verified by scanning them back in. Blank templates are also available for printing.
  • Message Signer — BIP-322 message signing. Proves address ownership with a verifiable proof without moving any coins.
  • Encrypted Notes — Encrypted notes stored inside the vault. Keep recovery instructions, multisig details, and setup notes sealed within the vault. For your eyes only.
  • Encrypted Backup — Exports a fully encrypted backup of your vault to the transfer drive. Everything inside is sealed — file names included — until the correct password is entered.
  • Wallet Record — Generates a clean, single-page PDF summary of your wallet configuration — descriptor, derivation path, key fingerprint, and first receive address — formatted for long-term offline storage and inheritance planning.