How to Create an Air-Gapped Backup of Your Crypto Wallet

The highest level of operational security for crypto storage. What air-gapping means, who actually needs it, and step-by-step how to implement it correctly.

By SeedCrypt Team · March 28, 2026 · 8 min read

What an Air Gap Actually Means

An air gap, in the strictest sense, is a complete physical separation between a device and any network, including Wi-Fi, Bluetooth, cellular, and wired Ethernet. The name comes from the literal air between a device and the nearest network connection. No data enters or leaves except through deliberate, controlled physical media like a USB drive or optical disc.

For crypto wallet seed phrase backup, an air gap means the device used to encrypt and store the backup has never touched the internet and never will. This is a fundamentally different security posture from turning off Wi-Fi while you type the seed phrase. Turning off Wi-Fi is a network disconnection. An air gap is a permanent architectural decision about a dedicated device.

The reason this matters for seed phrases specifically is the nature of the data. Your 12 or 24 BIP39 words represent complete, irrevocable control over your funds. Any software on a connected machine (a browser extension, a background sync service, a keylogger, an auto-screenshot tool) has the technical capability to capture and exfiltrate that data. An air-gapped machine eliminates the entire category of remote exfiltration threats by removing the transmission vector entirely.

The Real Threats an Air Gap Defends Against

Understanding why an air gap is valuable requires understanding which specific attacks it prevents. The threat landscape for seed phrase exposure is dominated by a few attack categories that are remarkably common in practice.

Keyloggers are among the most widespread. Both hardware keyloggers (small devices inserted between a keyboard and computer) and software keyloggers installed by malware record every keystroke typed on a machine. If you type your seed phrase into any field on an infected computer, the keylogger captures it in milliseconds and queues it for transmission the next time the machine connects to the internet. A machine that never connects to the internet can have a keylogger installed and it will never be able to transmit what it captures.

Automatic screenshot tools represent a subtler risk. Several categories of software take periodic screenshots in the background: employee monitoring software, certain parental control applications, some cloud backup services that capture screen state, and various categories of malware. A seed phrase displayed or typed on screen on a connected machine may be captured without any user action at all.

Cloud synchronization is the most insidious threat because it is built into modern operating systems and presents itself as a feature. On Windows, files saved to the Desktop or Documents folder are silently synced to OneDrive unless explicitly disabled. On macOS, iCloud Drive performs the same function. Any seed phrase saved as a text file in a default location on a connected machine is instantly uploaded to a remote server, where it can be accessed through account credentials or a cloud provider breach. Many users who believe they have a local-only backup do not.

Creating a Genuinely Air-Gapped Backup

The process begins before any seed phrase is involved. Acquire a dedicated device (this can be an inexpensive refurbished laptop or a Raspberry Pi) and ensure it has never been connected to any network. If the device was previously network-connected, perform a clean operating system installation from offline media and never connect it to a network afterward. Disable Wi-Fi at the hardware level if possible, as many laptops have a physical switch or the card can be removed. The goal is a machine where a network connection is architecturally impossible, not merely disabled in software.

Once the offline machine is prepared, install your encryption software on it using a USB drive that was loaded on a clean, trusted computer and then transferred. SeedCrypt is designed to run entirely offline (no license check, no telemetry, no network calls of any kind), which makes it appropriate for this purpose. Transfer the installer via USB, install it on the air-gapped machine, and then set that USB drive aside. It should not be reused for data transfers going forward.

With the offline machine running and SeedCrypt installed, you can now encrypt your seed phrase with confidence that no remote exfiltration vector exists. Type the seed phrase, apply AES-256-GCM encryption with a strong password, and save the resulting ciphertext file. The encrypted output is what you will transfer and store; it is safe to copy widely, because without the decryption password it is computationally useless.

For the transfer step, use a dedicated USB drive that you designate exclusively for this purpose. Copy the encrypted ciphertext file to it. This USB drive now carries your encrypted backup and can be stored safely in a physical location: a fireproof safe, a safety deposit box, or a trusted secondary location. Because the contents are encrypted, the USB drive's physical security determines convenience of access, not the security of your funds. Multiple copies should be made and distributed across independent locations.

The transfer USB drive occupies a critical role in the air gap architecture. Once it has carried data from the offline machine to its storage location, it should not be reconnected to any internet-connected computer unless you are making a deliberate, verified copy. Every time a USB drive crosses the boundary between an online and offline machine, it is a potential vector for malware to bridge the air gap, a technique known as a USB-based air gap bridge. Keep the transfer USB dedicated to its purpose.

Mistakes That Break the Air Gap Without You Knowing

The most common way an air gap fails is through a USB drive used for multiple purposes. A drive used to transfer files at work, carry personal documents, or plug into various machines around the house is not a dedicated air gap transfer medium; it is a potential malware carrier. Stuxnet, the most famous air gap attack in history, propagated precisely this way, through USB drives shared between isolated industrial systems and general-purpose computers. The solution is simple: one dedicated USB drive, used only for the seed phrase backup transfer, stored with the encrypted backup itself.

Another silent air gap failure is an offline machine that was previously online and never had its operating system reinstalled. Software already present on the machine, including any malware that arrived before the machine was isolated, persists indefinitely. An air-gapped machine is only as trustworthy as its installation history. If there is any doubt about what software was on the machine before isolation, a clean OS install is mandatory before any seed phrase is handled on it.

Cloud sync that was not fully disabled before the machine was used is a third common failure mode. On a machine that was previously connected, cloud sync services may have captured files in the brief window before the network was disabled. Disabling a sync service after the fact does not delete what was already uploaded. If your seed phrase was ever typed or saved on a machine with active cloud sync, even for seconds, it should be treated as potentially compromised and the wallet rotated to a fresh seed.

Finally, taking the encrypted output file and immediately opening or copying it to a connected machine for convenience defeats the purpose. The ciphertext should be transferred to the dedicated storage USB and stored physically. If you need to verify the backup, do so on the air-gapped machine itself, where decryption happens in an isolated environment with no transmission path.

The Relationship Between Air Gaps and Encryption

An air gap and encryption address different parts of the threat model and work best together. An air gap prevents remote exfiltration during the encryption and backup creation process. Encryption protects the backup after it leaves the air-gapped machine. Neither is sufficient alone.

A perfectly air-gapped machine with an unencrypted backup produces a USB drive that, if physically found, gives the finder complete access to your funds. The air gap protected the creation process but left the output unprotected. Conversely, strong encryption applied on a connected machine protects the backup file but does not prevent a keylogger from capturing the seed phrase before it was encrypted. The air gap covers the creation phase and encryption covers the storage phase, so a complete backup lifecycle needs both.

Read our guide to paper backup vs encrypted backup to understand why encryption is the correct foundation regardless of your air gap approach, and our complete encryption walkthrough for the exact steps to apply AES-256-GCM encryption to your seed phrase on an offline machine.

Conclusion

A true air gap for seed phrase backup requires a dedicated offline device that has never touched a network, encryption software that operates entirely locally, a dedicated USB drive used only for this purpose, and physical storage in one or more secure independent locations. Most implementations that claim to be air-gapped fail on at least one of these criteria, usually the dedicated USB requirement or the installation history of the offline machine.

The standard of care is straightforward once you understand what each step is defending against. Keyloggers and screenshot malware are defeated by the offline machine. Cloud sync is defeated by the machine never having network access. Physical theft of the USB is defeated by the encryption. Together these measures produce a backup that is simultaneously resilient to remote attack and safe to store in multiple locations without increasing exposure risk.