Have you ever been travelling, needed to make a large payment and realised you left your hardware wallet back home? Maybe you’re a key holder in a business’s Bitcoin treasury, or an emergency came up, and a large payment needs to be made, some cold storage Bitcoin has to move, but the keys are elsewhere.
Key Teleport, a feature developed by the hardware wallet manufacturer Coinkite, may be the most secure way to handle key material at a distance. The feature is only available on the Coldcard Q, the premium, feature-rich Bitcoin hardware wallet developed by the company.
Before Key Teleport, the most paranoid, secure way to move a private key over the internet was to not send it over WhatsApp or Signal. These apps, while end-to-end encrypted on the surface, are running on top of very complex hardware and operating systems, in many cases with very intrusive firmware embedded deeply by manufacturers. Smartphones today, as with most of mainstream technology, are simply not designed to secure highly valuable secrets that can transfer irreversible money like Bitcoin.
Had you asked me how I would go about sending a private key with life-changing money on it, across the wire, I would have told you this: You need to boot Tails OS, a slim, highly paranoid Linux distribution, on hardware you know to be secure, ideally a burner laptop. You then need to generate a fresh set of PGP keys to encrypt the secret with the power of asymmetric cryptography. The recipient must do the same, Tails OS and PGP. Then, a classic encrypted message is made to the recipient’s public key, and the encrypted secret is sent over Tor, probably wrapped by another VPN just in case. Having done this once, I can tell you, it’s a mission.
This Tails OS plus PGP combo is the kind of setup that Edward Snowden used to get in touch with journalist Greenwald initially, to leak the 2014 NSA surveillance secrets. If the ’90s cypherpunks had some kind of secret society, through which they coordinated the creation of technologies like Bitcoin or Wikileaks, this is the kind of setup they might have used.
Key Teleport on the Coldcard Q makes tasks of this kind far easier. You can now easily send encrypted messages across the internet without having to worry about your hardware or what other software might be installed on it that could spy. It also solves key management dilemmas; a partially signed Bitcoin multisig transaction can be transmitted as an encrypted note to the recipient Coldcard Q, for example. Or a whole wallet setup, with its metadata, key material and custom settings, backed up, encrypted and sent across the world to its unique recipient. I received a couple of these devices recently for a test run of the feature, and not even Opus 4.8 High could figure out how to crack the encrypted blurb.
The Hardware

The Coldcard Q — which now comes in a variety of colored cases — has a very specific set of tools necessary to enable this kind of airgapped communication. First of all, it inherits the dual secure element model developed in the Mk4 series of Coinkite devices, where two closed source chips made by different manufacturers are used in combination with an open source MCU chip to generate keys, encrypt, decrypt and store sensitive data. A combination of the components would need to be compromised by an attacker with physical access to get the wallet. These chips are, of course, used by the Key Teleport feature, handling the encryption and decryption of whatever message the user is dealing with.
The screen is a 3.2-inch LCD screen with enough resolution to show the BBQr code. BBQr is a QR code standard developed by Coinkite that has no dependencies or third-party libraries, is backwards compatible with standard QR code readers, and can contain larger messages than traditional QR codes.
The Coldcard Q is also able to read QR codes. It has a dedicated QR code scanner with a purple strobe indicator light that guides the user as to where the scanner is pointed, and a small flashlight that can be activated with a button to help in low light environments. This optimised hardware set solves common problems with QR code payments, where variation in screen resolutions, camera quality and lighting can make scanning a payment QR code difficult.
The Cryptography
A multi-layer cryptographic protocol is used to encrypt the data to be transmitted by Key Teleport. A single-use ‘ephemeral’ public-private key pair is generated for each data transfer using the secp256k1 curve. The public key of the receiver is encrypted with an 8-digit PIN, via the AES-256-CTR algorithm. That encrypted public key is displayed by the receiver in a QR code, with the 8-digit PIN meant to be sent via a separate communication channel.
For example, the recipient would do a video call with the sender over Zoom and show them the QR code, then send the 8-digit PIN code using Signal. This operational security practice means that dedicated attackers have to compromise two separate communication channels to get the recipient’s public key.
The sender scans the QR code and enters the PIN code, and in the back end, the sender device derives a shared session key via ECDH, using the receiver’s public key and its own ephemeral keypair. The user is asked to select what data they want to transfer, from three options: “Quick Text Message”, “Master Seed Words” and “Full COLDCARD Backup”. Once the user chooses, the data is encrypted by the recipient’s public key, and that encrypted blurb is encrypted once more with a new PIN code. Users would scan the QR code again via Zoom, for example, and the sender would transmit the new PIN to the recipient via Signal.
There is a deep set of careful cryptographic details involved in how Key Teleport is built that is well documented in the Coinkite GitHub repository, but as far as the user experience is concerned, the process is now complete. After the recipient scans the QR code back and inputs the second PIN code, they will get access to the data. Both Coldcard Q devices would have been completely airgapped, not connected to computers via USB cables, as QR codes and scanners were used to transmit data, powered by three AAA batteries.
Last but not least, users can share the encrypted data via NFC, which creates a special link at keyteleport.com for users to easily scan the QR code and get the encrypted data, replacing the hypothetical Zoom call.
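The two-QR exchange described in this section, as an added example (not Coinkite's firmware code and not part of the original article), showing what someone holding both QR codes and both PINs actually recovers. Assumptions: a SHAKE-256 XOR keystream stands in for AES-256-CTR, the PIN is used directly as the keystream key, public keys travel as 64-byte x||y, the sender's ephemeral public key is prepended to the ciphertext, and all function names are hypothetical.

```python
import hashlib, secrets

P = 2**256 - 2**32 - 977  # secp256k1 field prime
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141  # group order
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def add(a, b):  # affine point addition; None is the point at infinity
    if a is None or b is None:
        return a or b
    if a[0] == b[0] and (a[1] + b[1]) % P == 0:
        return None
    m = (3 * a[0] ** 2 * pow(2 * a[1], -1, P) if a == b
         else (b[1] - a[1]) * pow((b[0] - a[0]) % P, -1, P))
    x = (m * m - a[0] - b[0]) % P
    return x, (m * (a[0] - x) - a[1]) % P

def mul(k, pt):  # double-and-add scalar multiplication, not constant time
    acc = None
    while k:
        acc, pt, k = (add(acc, pt) if k & 1 else acc), add(pt, pt), k >> 1
    return acc

def stream(key, data):  # stand-in for AES-256-CTR: XOR with a SHAKE-256 keystream
    ks = hashlib.shake_256(key).digest(len(data))
    return bytes(d ^ k for d, k in zip(data, ks))

def pack(pt):  # assumed wire format for a public key: 64 bytes, x || y
    return pt[0].to_bytes(32, "big") + pt[1].to_bytes(32, "big")

def ecdh(priv, raw):  # assumed session key: SHA-256 of the shared x-coordinate
    pub = divmod(int.from_bytes(raw[:64], "big"), 1 << 256)
    return hashlib.sha256(mul(priv, pub)[0].to_bytes(32, "big")).digest()

def receiver_qr(pin1):  # receiver: ephemeral key pair, public key wrapped by PIN 1
    priv = secrets.randbelow(N - 1) + 1
    return priv, stream(pin1.encode(), pack(mul(priv, G)))

def sender_qr(qr1, pin1, pin2, secret):  # sender: ECDH layer, then PIN 2 layer
    priv = secrets.randbelow(N - 1) + 1
    key = ecdh(priv, stream(pin1.encode(), qr1))
    return stream(pin2.encode(), pack(mul(priv, G)) + stream(key, secret))

def receiver_open(priv, qr2, pin2):  # needs the receiver's ephemeral private key
    inner = stream(pin2.encode(), qr2)
    return stream(ecdh(priv, inner), inner[64:])

def eavesdrop(qr1, qr2, pin1, pin2):  # both QRs and both PINs, no private key
    inner = stream(pin2.encode(), qr2)
    return stream(pin1.encode(), qr1), inner[:64], inner[64:]
```

`eavesdrop` ends with two public keys and the inner ciphertext; turning those into the session key requires one of the ephemeral private keys, which never leave the devices.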
Opus 4.8’s Conclusion
In my test of the Key Teleport feature, I tasked Opus 4.8 High, one of the most powerful AI coding models from Anthropic, to try to decrypt the message. First I gave it the encrypted blurb; after thinking about it for a couple of minutes, it gave up, saying there must be some information missing.
I then gave it one of the PINs, which helped, but ultimately was not sufficient for it to crack the cryptography. I then gave it the second PIN, which led to a brute forcing attempt that, by Opus’s own admission, would only work if the ephemeral key pairs were generated with intentionally low entropy. Ultimately, it gave up trying to break the encrypted data, even with both PIN codes, saying it was securely sealed.
I asked the model to write one paragraph about its conclusions. Here’s what it wrote:
“I’m Claude Opus 4.8 (Anthropic), running in Cursor.
We took a scrambled QR code from COLDCARD’s Key Teleport feature — the kind meant to move a secret like a seed phrase between two wallets — and tried hard to break it open without the missing piece. The QR itself is designed to be safe to share publicly; you also need a short password and a number that are supposed to be sent separately. Even with that password and number in hand, we still couldn’t read the secret, because the real lock is a one-time random key that only exists on the receiving device and was never printed anywhere.
We threw dictionary guesses, math tricks, and large-scale computer searches at it; a few things looked promising at first but turned out to be false alarms, which is actually a sign that the checks work. Bottom line: Key Teleport did what it’s supposed to do — the QR plus the side-channel codes are not enough to steal the secret without the receiver’s private key. For a real transfer, you’d scan the code on the receiving COLDCARD and type in the password there; that’s the intended, secure path.”
Final Thoughts
The Coldcard Q’s Key Teleport feature opens the door to an otherwise very difficult to achieve level of secure communication over the internet. The scrutiny devoted to the hardware and firmware process likely outmatches that of even high-security mobile phone operating systems like Graphene OS. The physical keyboard, QR code scanner and NFC antenna make this paranoid system quite comfortable to use. And the $249 price target for the whole hardware wallet makes it accessible to everyday, serious bitcoiners and cypherpunks, delivering a self-custody tool worthy of a professional industrial setup.
Disclaimer: Coinkite provided Bitcoin Magazine with a couple of free Coldcard Q devices to use for the purpose of testing their product for review.
