Have you ever been travelling, needed to make a large payment and realised you left your hardware wallet back home? Maybe you’re a key holder in a business’s Bitcoin treasury, or an emergency came up, and a large payment has to be made, some cold storage Bitcoin has to move, but the keys are elsewhere.
Key Teleport, a feature developed by the hardware wallet manufacturer Coinkite, may be the most secure way to handle key material at a distance. The feature is only available on the Coldcard Q, the premium, feature-rich Bitcoin hardware wallet developed by the company.
Before Key Teleport, the most paranoid, secure way to move a private key over the internet was not to send it over WhatsApp or Signal. These apps, while end-to-end encrypted on the surface, are running on top of very complex hardware and operating systems, in many cases with very intrusive firmware embedded deeply by manufacturers. Smartphones today, as with most of mainstream technology, are simply not designed to secure highly valuable secrets that can transfer irreversible money like Bitcoin.
Had you asked me how I’d go about sending a private key with life-changing money on it across the wire, I’d have told you this: You need to boot Tails OS, a slim, highly paranoid Linux distribution, into hardware you know to be secure, ideally a burner laptop. You then need to generate a fresh set of PGP keys to encrypt the secret with the power of asymmetric cryptography. The recipient needs to do the same, Tails-OS and PGP. Then, a basic encrypted message is made to the recipient’s public key, and the encrypted secret is sent over Tor, probably wrapped by another VPN just in case. Having done this once, I can tell you, it’s a mission.
This Tails-OS plus PGP combo is the kind of setup that Edward Snowden used to get in touch with journalist Greenwald initially, to leak the 2014 NSA surveillance secrets. If the 90’s cypherpunks had some kind of secret society, in which they coordinated the creation of technologies like Bitcoin or Wikileaks, this is the kind of setup they might have used.
The Key Teleport by Coldcard Q makes tasks of this kind far easier. You can now just send encrypted messages across the internet without having to worry about your hardware or what other software might be installed on it that could spy. It also solves key management dilemmas; a partially signed Bitcoin multisig transaction can be transmitted as an encrypted note to the recipient Coldcard Q, for example. Or an entire wallet setup, with its metadata, key material and custom settings, backed up, encrypted and sent across the world to its unique recipient. I received a couple of these devices recently for a test run of the feature, and not even Opus 4.8 Excessive could figure out how to crack the encrypted blurb.
The Hardware

The Coldcard Q — which now comes in a range of coloured cases — has a very specific set of tools necessary to enable this kind of airgapped communication. First of all, it inherits the dual secure element model developed in the Mk4 series of Coinkite devices, where two closed source chips made by different manufacturers are used in combination with an open source MCU chip to generate keys, encrypt, decrypt and store sensitive data. A combination of the components would need to be compromised by an attacker with physical access to get the wallet. These chips are, of course, used by the Key Teleport feature, handling the encryption and decryption of whatever message the user is dealing with.
The screen is a 3.2-inch LCD screen with enough resolution to show the BBQr code. BBQr is a QR code standard developed by Coinkite that has no dependencies or third-party libraries, is backwards compatible with standard QR code readers, and can contain larger messages than traditional QR codes.
The Coldcard Q is also able to read QR codes. It has a dedicated QR code scanner with a red strobe indicator light that guides the user as to where the scanner is pointed, and a small flashlight that can be activated with a button to help in low-light environments. This optimised hardware set solves common problems with QR code payments, where variation in screen resolutions, camera quality and lighting can make scanning a payment QR code difficult.
The Cryptography

A multi-layer cryptographic protocol is used to encrypt the data to be transmitted by Key Teleport. A single-use ‘ephemeral’ public-private key pair is generated for each data transfer using the secp256k1 curve. The public key of the receiver is encrypted with an 8-digit PIN, via the AES-256-CTR algorithm. That encrypted public key is displayed by the receiver in a QR code, with the 8-digit PIN meant to be sent via a separate communication channel.
For example, the recipient would do a video call with the sender over Zoom and show them the QR code, then send the 8-digit PIN code using Signal. This operational security practice means that dedicated attackers would have to compromise two separate communication channels to get the recipient’s public key.
The sender scans the QR code, enters the PIN code and, in the back end, the sender device derives a shared session key via ECDH, using the receiver’s public key and its own ephemeral keypair. The user is asked to select what data they want to transfer, from three options: “Quick Text Message”, “Master Seed Words” and “Full COLDCARD Backup”. Once the user chooses, the data is encrypted by the recipient’s public key, and that encrypted blurb is encrypted once more with a new PIN code. Users would scan the QR code again via Zoom, for example, and the sender would transmit the new PIN to the recipient via Signal.
There’s a deep set of careful cryptographic details involved in how Key Teleport is integrated that is well documented in the Coinkite GitHub repository, but as far as the user experience is concerned, the process is now complete. After the recipient scans the QR code back and inputs the second PIN code, they will get access to the data. Both Coldcard Q devices would have been completely airgapped, not connected to computers via USB cables, as QR codes and scanners were used to transmit data, powered by three AAA batteries.
Last but not least, users can also share the encrypted data via NFC, which creates a special link at keyteleport.com for users to easily scan the QR code and get the encrypted data, replacing the hypothetical Zoom call.
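The layering described in this section, as an added Node.js example that is not Coinkite's code or wire format: it runs the receiver and sender sides and then an observer who holds both QR payloads and both PINs but neither device's private key. The PIN-to-key hash, the nonce handling, the session-key derivation and the placement of the sender's public key are assumptions, since the article does not specify them.

```javascript
const crypto = require('node:crypto');
// ASSUMPTION: the page does not say how a PIN becomes an AES key; SHA-256 stands in.
const pinKey = (pin) => crypto.createHash('sha256').update(pin).digest();
const newKey = () => { const e = crypto.createECDH('secp256k1'); e.generateKeys(); return e; };
const pubOf = (ecdh) => ecdh.getPublicKey(null, 'compressed'); // 33 bytes

// AES-256-CTR with a random 16-byte nonce prepended (nonce handling is an assumption).
function ctrEncrypt(key, data) {
  const nonce = crypto.randomBytes(16);
  const c = crypto.createCipheriv('aes-256-ctr', key, nonce);
  return Buffer.concat([nonce, c.update(data), c.final()]);
}
function ctrDecrypt(key, blob) {
  const d = crypto.createDecipheriv('aes-256-ctr', key, blob.subarray(0, 16));
  return Buffer.concat([d.update(blob.subarray(16)), d.final()]);
}

// ASSUMPTION: session key = SHA-256 of the ECDH shared secret.
const sessionKey = (ecdh, peerPub) =>
  crypto.createHash('sha256').update(ecdh.computeSecret(peerPub)).digest();

// Receiver: ephemeral secp256k1 keypair; public key wrapped under PIN 1 for the QR.
function receiverStart(pin1) {
  const ecdh = newKey();
  return { ecdh, qr: ctrEncrypt(pinKey(pin1), pubOf(ecdh)) };
}

// Sender: unwrap the receiver key with PIN 1, run ECDH with a fresh keypair, encrypt
// the payload under the session key, then wrap everything again under PIN 2.
function senderSend(qr, pin1, pin2, payload) {
  const ecdh = newKey();
  const inner = ctrEncrypt(sessionKey(ecdh, ctrDecrypt(pinKey(pin1), qr)), payload);
  // ASSUMPTION: the sender's public key travels inside the PIN 2 layer.
  return ctrEncrypt(pinKey(pin2), Buffer.concat([pubOf(ecdh), inner]));
}

// Receiver: strip the PIN 2 layer, then ECDH with the private key that never left it.
function receiverOpen(ecdh, blob, pin2) {
  const outer = ctrDecrypt(pinKey(pin2), blob);
  return ctrDecrypt(sessionKey(ecdh, outer.subarray(0, 33)), outer.subarray(33));
}

// Observer with both QR payloads and both PINs: the PIN layers come off, but without
// a private key from either device the session key can only be guessed.
function observerOpen(qr, pin1, blob, pin2) {
  const receiverPub = ctrDecrypt(pinKey(pin1), qr);
  const outer = ctrDecrypt(pinKey(pin2), blob);
  return ctrDecrypt(sessionKey(newKey(), receiverPub), outer.subarray(33));
}
```

CTR mode carries no integrity check, so a wrong PIN or session key produces random bytes rather than an error; a transfer format built this way needs a checksum or MAC to tell a correct decryption from a wrong one.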
Opus 4.8’s Conclusion
In my test of the Key Teleport feature, I tasked Opus 4.8 Excessive, one of the most powerful AI coding models from Anthropic, to try to decrypt the message. First I gave it the encrypted blurb; after thinking about it for a couple of minutes, it gave up, saying there must be some information missing.
I then gave it one of the PINs, which helped, but ultimately was not enough for it to crack the cryptography. I then gave it the second PIN, which led to a brute forcing attempt that, by Opus’s own admission, would only work if the ephemeral key pairs were generated with intentionally low entropy. Eventually, it gave up trying to break the encrypted data, even with both PIN codes, saying it was securely sealed.
I asked the model to write one paragraph about its conclusions. Here’s what it wrote:
“I’m Claude Opus 4.8 (Anthropic), running in Cursor.
We took a scrambled QR code from COLDCARD’s Key Teleport feature — the kind meant to move a secret like a seed phrase between two wallets — and tried hard to break it open without the missing piece. The QR itself is designed to be safe to share publicly; you also need a short password and a number that are supposed to be sent separately. Even with that password and number in hand, we still couldn’t read the secret, because the real lock is a one-time random key that only exists on the receiving device and was never published anywhere.
We threw dictionary guesses, math tricks, and large-scale computer searches at it; a few things looked promising at first but turned out to be false alarms, which is actually a good sign that the checks work. Bottom line: Key Teleport did what it’s supposed to do — the QR plus the side-channel codes are not enough to steal the secret without the receiver’s private key. For a real transfer, you’d scan the code on the receiving COLDCARD and type in the password there; that’s the intended, secure path.”
Final Thoughts
The Coldcard Q’s Key Teleport feature opens the door to an otherwise very difficult to achieve level of secure communication over the internet. The scrutiny devoted to the hardware and firmware process seemingly outmatches that of even high-security mobile phone operating systems like Graphene OS. The physical keyboard, QR code scanner and NFC antenna make this paranoid system quite comfortable to use. And the $249 price point for the whole hardware wallet makes it accessible to everyday, serious bitcoiners and cypherpunks, delivering a self-custody tool worthy of a professional industrial setup.
Disclaimer: Coinkite provided Bitcoin Journal with a couple of free Coldcard Q devices to use for the purpose of testing their product for review.


