Build your own stateless air-gapped Bitcoin signer for ~$50. Fully open-source, camera QR signing, keys never stored.
SeedSigner is a community-built, open-source Bitcoin signing device assembled from off-the-shelf Raspberry Pi components for roughly $50. It is stateless by design: your private keys never persist on the device. They live in volatile RAM during a signing session and vanish the instant you power off. An attacker who steals a powered-off SeedSigner gets a generic Raspberry Pi with zero key material. No encrypted seed waiting to be unlocked. Nothing.
The DIY nature is upfront and not apologized for. You source the parts, flash the firmware, verify the build, and assemble the device yourself. That process is the point: when you build it from generic hardware, there is no supply chain to trust, no manufacturer to backdoor it, and no proprietary chip whose internals you cannot verify. This review is honest about what that means in practice, including who should build one and who should not.
Quick Verdict
Best stateless air-gap signer for paranoid DIY Bitcoiners
| Category | Score | Notes |
|---|---|---|
| Open Source | 10/10 | Full hardware + firmware + OS, reproducible builds on GitHub |
| Air-Gap Security | 9.5/10 | Stateless + QR-only = cleanest possible air-gap model |
| Cost | 10/10 | $40-60 DIY is the cheapest capable signing device available |
| Ease of Use | 5/10 | Assembly required, 45-60 second boot, no guided setup |
| Beginner-Friendly | 3/10 | Requires electronics assembly, firmware verification, self-support |
| Overall | 8.5/10 | Best for paranoid DIYers, not for beginners |
| Main Board | Raspberry Pi Zero 1.3 (no WiFi) or Zero 2W (WiFi disabled in firmware) |
| Camera Module | OV5647 camera for QR code scanning |
| Display | Waveshare 1.3-inch 240x240 LCD HAT |
| Storage | MicroSD card (8GB minimum) for SeedSigner OS |
| Case | 3D-printed enclosure (optional but recommended) |
| OS | SeedSigner OS: custom minimal Linux, open source on GitHub |
| Assembly | Required: attaching camera ribbon, display HAT, and case |
| Cost | $40-60 USD for all components |
| Firmware | Fully open source, reproducible builds, verifiable on GitHub |
| Community | Active: GitHub, Telegram, and Bitcoin forums |
SeedSigner is a community Bitcoin project, not a commercial product. There is no company behind it, no support team to call, and no warranty. The project originated in 2021 as an open-source effort to build a maximally trustworthy Bitcoin signing device from generic, widely available hardware. The premise: if you source every component yourself from generic consumer electronics suppliers and verify every line of firmware code from a public GitHub repository, you eliminate the trust assumptions that come with any commercial hardware wallet.
The device runs on a Raspberry Pi Zero, a $15 single-board computer used in millions of non-Bitcoin applications worldwide. There is no proprietary Secure Element chip with unknown internals. No custom firmware blob you have to trust without reading. No manufacturer who could theoretically insert a backdoor. The camera module and display are equally generic. Everything is commodity hardware running fully auditable software. For someone with a deep skepticism of commercial hardware wallet trust models, SeedSigner is the logical conclusion of that skepticism.
What makes SeedSigner distinctive beyond its open-source philosophy is the stateless design. Commercial hardware wallets store your encrypted private keys on the device between uses. SeedSigner does not. When you power it off, there are no keys on it. An attacker who takes your SeedSigner gets a bare Raspberry Pi. Your keys exist only in volatile RAM during an active signing session, and they disappear the moment power is removed. This is a meaningful and unusual security property that no commercial wallet offers.
Most hardware wallets encrypt your seed and store it on the device. That encrypted blob sits there between uses, protected by your PIN. The security model relies on the encryption being strong and the PIN being hard to bypass. History shows that PIN bypass vulnerabilities are occasionally discovered in commercial hardware wallets, creating windows where stored encrypted keys could be extracted with the right equipment.
SeedSigner eliminates this entire attack surface by storing nothing. Every time you power up the device, it starts completely blank. You load your seed phrase at the beginning of each session by typing the 24 words, scanning a SeedQR card, or generating a new seed from camera entropy or dice rolls. The signing session proceeds entirely in volatile RAM. When you power off, RAM clears and nothing persists. An attacker who steals your SeedSigner at any time when it is powered off has exactly nothing. Not encrypted keys. Not partial data. A bare Raspberry Pi.
The tradeoff is operational. Stateless signing means you need your seed phrase available (physically, in backup form) every time you want to sign a transaction. If you sign transactions frequently, this becomes tedious. SeedQR mitigates this by letting you scan the seed in about two seconds instead of typing 24 words, but you still need to retrieve and handle your physical seed backup on each session. For occasional cold storage signing (a few times a year), this is a minor inconvenience. For daily use, it is impractical.
The security upside is that your seed backup and your signing device are always physically separate. The device can never be a single point of failure. Even if someone steals both the device and your physical backup simultaneously, they have to know to look for both and piece them together. If they just steal the device, they get nothing.
Building a SeedSigner is a beginner electronics project. You do not need soldering skills. The main assembly steps are connecting the camera module ribbon cable to the Pi Zero, attaching the Waveshare display HAT to the GPIO pins, and optionally printing or purchasing a case. The whole build takes 30 to 60 minutes on a first attempt.
Source the parts
Order a Raspberry Pi Zero 1.3 or Zero 2W, an OV5647 camera module, and a Waveshare 1.3-inch LCD HAT. Add an 8GB or larger microSD card. Total cost is $40-60 from Amazon, Adafruit, or component suppliers.
Download and verify the firmware
Download the latest SeedSigner OS release from the official GitHub repository. Verify the SHA-256 checksum and GPG signature before flashing. This step is critical and should not be skipped.
Flash the microSD
Use Balena Etcher or Raspberry Pi Imager to flash the verified SeedSigner OS image onto your microSD card. The process takes about 5 minutes.
Assemble the hardware
Connect the camera ribbon cable to the Pi Zero camera port. Seat the Waveshare display HAT onto the GPIO pins. Insert the flashed microSD. Attach a case if you have one. Power on via USB.
Test with a practice seed
Before using any real Bitcoin, practice the full workflow with a test seed phrase. Generate a seed, create a SeedQR card, sign a test transaction in Sparrow using a watch-only wallet. Only move real funds after you are comfortable with every step.
The official SeedSigner documentation at seedsigner.com includes detailed build guides, parts lists with specific model numbers, and troubleshooting advice. The community on GitHub and Telegram is active and helpful.
SeedSigner signs transactions using animated QR codes as the communication channel. There are no cables, no wireless protocols, and no data storage on the device. Here is the complete workflow when paired with Sparrow Wallet:
Load your seed
Power on the SeedSigner. Either type your 24-word seed phrase manually, scan your SeedQR card (loads in ~2 seconds), or generate a new seed from dice rolls or camera entropy.
Export the watch-only wallet
In Sparrow, you import your extended public key from SeedSigner via QR code. Sparrow uses this to generate your receiving addresses and build transactions. The signing keys never leave SeedSigner.
Build the transaction in Sparrow
In Sparrow on your computer, construct the transaction: set the destination address, amount, and fee. Click the option to show the unsigned transaction as animated QR codes on your monitor.
Scan into SeedSigner
Hold your SeedSigner camera up to your computer monitor. The device reads all the animated QR frames and reconstructs the full unsigned transaction. Review the details on the SeedSigner display.
Sign and broadcast
Confirm the signing on SeedSigner. The device displays the signed transaction as animated QR codes on its own screen. Point your computer webcam or phone camera at the SeedSigner screen. Sparrow reads the signed transaction and broadcasts it to the Bitcoin network.
The entire process takes about 3 to 5 minutes including boot time. After you have done it a few times, it feels natural. The QR code channel is particularly reassuring because it is a visual, one-directional communication method: the SeedSigner camera reads from your screen, and then the SeedSigner screen shows QR codes to your camera. There is no bidirectional wireless channel and no hidden data flows.
Typing a 24-word seed phrase every time you want to sign a transaction takes two to three minutes and introduces transcription error risk. SeedQR solves this by encoding your seed phrase as a compact QR code. You print or carefully hand-draw this QR code onto a backup card and store it like any other seed backup. When you need to sign, you power on SeedSigner, select "Scan SeedQR", and hold the card up to the camera. Your seed loads in about two seconds.
The SeedQR encodes the same BIP-39 seed data as a written word list. It is just a more convenient representation of the same recovery information. You need to protect a SeedQR card with the same physical security as a written seed backup, because it contains identical information. Store it in a metal sleeve, a fireproof safe, or alongside your other critical documents.
SeedQR is one of the features that makes stateless signing practical for real use. Without it, every signing session requires minutes of careful word entry. With it, the session overhead is nearly negligible. If you are building a SeedSigner for regular use, creating a SeedQR card for your seed should be part of your initial setup process.
The security of your SeedSigner depends entirely on the firmware you flash. If you download and flash a compromised image, the device could be manipulated to extract your keys or generate predictable seeds. Firmware verification is not optional for security-conscious users.
The SeedSigner project provides SHA-256 checksums and GPG signatures for every release. Verification works as follows: after downloading the OS image, compute the SHA-256 hash of the downloaded file and compare it to the checksum published in the GitHub release. They must match exactly. Additionally, verify the GPG signature using the SeedSigner project's public key to confirm the release was signed by the actual developers, not a third party hosting a malicious version.
SeedSigner also supports reproducible builds. This means technically skilled users can compile the firmware from source code and verify that the compiled output matches the published binary exactly. No commercial hardware wallet offers this level of build transparency. You are trusting code you can read and rebuild yourself, not a compiled blob from a manufacturer.
Always download from the official SeedSigner GitHub repository. Never use firmware from a third-party site, even if it claims to offer a "patched" or "improved" version. The official repository is the only trustworthy source.
Multisig Bitcoin storage requires multiple independent signing devices, each holding a different key in your quorum. The cost of commercial hardware wallets makes this expensive. A 2-of-3 multisig setup with three Foundation Passports costs $597. Three Coldcards cost $471. Three SeedSigners cost approximately $150.
For a paranoid Bitcoiner who wants three signing devices stored in three separate physical locations, SeedSigner makes multisig economically accessible. Build three identical devices from the same component list, verify firmware independently on each, and store them separately. When you need to sign, retrieve one device, load the relevant key for that signing slot, complete the partial signature, and combine the signatures in Sparrow Wallet from the separate devices.
The stateless design is particularly well-suited to multisig cold storage. Each device sits powered off with zero stored keys. The key for each signing slot exists only in your secure physical seed backups, not on the devices. An attacker who steals all three devices gets three generic Raspberry Pi boards. They would also need to steal all three separate seed backups stored at different locations, and they would need to know to look for those backups and combine them correctly. The attack surface is dramatically reduced.
Sparrow Wallet has excellent SeedSigner multisig support. The QR-based PSBT workflow handles multi-signer coordination cleanly. Building a 2-of-3 multisig with three SeedSigners and Sparrow is a well-documented setup in the Bitcoin self-custody community, with multiple detailed guides available.
SeedSigner occupies a different category from commercial wallets. This comparison highlights the key tradeoffs honestly.
| Feature | SeedSigner (~$50) | Coldcard Mk4 ($157) | Passport ($199) | BitBox02 ($149) |
|---|---|---|---|---|
| Air-gapped | Yes (QR camera) | Yes (microSD) | Yes (QR + microSD) | No (USB) |
| Stateless | Yes (keys never stored) | No (encrypted on device) | No (encrypted on device) | No (encrypted on device) |
| Open source | Full (HW + SW + builds) | Firmware + hardware | Full stack | Firmware only |
| Cost | ~$50 DIY | $157 | $199 | $149 |
| Secure Element | None (by design) | Dual SE chips | EAL6+ single | ATECC608B |
| Assembly required | Yes | No | No | No |
| Beginner-friendly | No | No | Moderate | Yes |
| Customer support | Community only | Coinkite team | Foundation team | Shift Crypto team |
| Multisig cost (2-of-3) | ~$150 total | ~$471 total | ~$597 total | ~$447 total |
| Best for | Paranoid DIYers | Security maximalists | BTC self-custody | Privacy + simplicity |
You are comfortable with basic electronics assembly. You have already used at least one commercial hardware wallet and understand seed phrases, derivation paths, and why address verification matters. You have a specific reason to want stateless signing, whether that is the cleanest possible air-gap model, zero on-device key storage, or the maximum open-source transparency of fully generic hardware. If those three things describe you, SeedSigner is an excellent choice.
The cost argument is compelling for multisig use. If you want a 2-of-3 multisig cold storage setup and do not want to spend $450-600 on three commercial devices, three SeedSigners for $150 total is a serious alternative that does not require compromising on security principles. Many experienced Bitcoiners use SeedSigner as one key in a mixed-vendor multisig quorum alongside a Coldcard or Foundation Passport.
You should not build a SeedSigner if you have never used a hardware wallet before, are not comfortable troubleshooting technical problems without support, or want a device that is ready to use immediately out of the box. If those descriptions apply, start with a Trezor Safe 3 at $79 or a BitBox02 at $149. Both have guided setup flows, customer support, and polished apps. Come back to SeedSigner after six months when you understand the deeper concepts.
The right user for SeedSigner knows exactly why they want it. If you are asking whether you should build one, the honest answer is: probably try a commercial wallet first. If you already know you want a stateless, fully open-source, camera-QR signing device from generic hardware, the answer is yes.
SeedSigner earns an 8.5/10 because the security model is genuinely excellent and the open-source implementation is the best available in any signing device at any price. Stateless operation, fully auditable hardware and software, reproducible builds, camera QR air-gap, and a build cost under $50 make it the most trustworthy option for users who want to eliminate manufacturer trust entirely. For multisig setups, the cost advantage is decisive.
It earns 8.5 rather than a perfect score because the user experience is genuinely demanding. Assembly is required. Boot times are slow. The small display makes address verification less comfortable than a large-screen commercial device. There is no customer support. And the stateless model, while a security strength, makes frequent signing sessions cumbersome for ordinary use.
For paranoid DIY Bitcoiners who understand the security model and are comfortable with the operational overhead, SeedSigner is one of the best signing devices you can use. The combination of stateless operation and fully open-source generic hardware is not available from any commercial wallet at any price.
Not for beginners. Best in class for the people it is built for.
~$50 in components. Fully open-source. Stateless air-gap signing from generic hardware.
SeedSigner is a community project. No affiliate relationship exists. Links go to the official project site.
For experienced users who understand the security model, yes. SeedSigner never stores your private keys. They exist only in volatile RAM during a signing session and vanish the moment you power off. The firmware is fully open source and auditable on GitHub. The hardware is generic, off-the-shelf components with no proprietary chips. Your safety depends on verifying the firmware you flash and properly securing your seed phrase backup. If you skip firmware verification or lose your seed backup, the security model breaks. This isn't the right device for someone who's never used a hardware wallet before.
Three main components: a Raspberry Pi Zero (version 1.3 without WiFi, or a Zero 2W with WiFi disabled in firmware), an OV5647 camera module for QR scanning, and a Waveshare 1.3-inch LCD HAT for the display. You'll also need a microSD card (8GB minimum) to flash the SeedSigner OS onto. A 3D-printed case is optional but recommended. Total cost runs $40 to $60 depending on where you source parts. All components are available on Amazon, Adafruit, or direct from component suppliers.
Stateless operation is a deliberate design choice, not a limitation. Every time you power up a SeedSigner, it starts completely fresh. You load your seed phrase at the beginning of each session, either by typing the words manually, scanning a SeedQR code, or generating a new seed from dice rolls or camera entropy. When you power off, nothing is retained. An attacker who steals a powered-off SeedSigner gets a generic Raspberry Pi with zero key material on it. Compare that to commercial wallets where encrypted keys sit on the device between uses, waiting for a PIN bypass vulnerability.
Yes. The SeedSigner firmware now supports the Pi Zero 2W, and it disables WiFi and Bluetooth at the firmware level. The 2W is actually easier to find in stock and boots faster thanks to its quad-core processor. The original recommendation for the Pi Zero 1.3 (which has no wireless hardware at all) was the safest option since you can't enable what doesn't exist. But with WiFi disabled in software, the 2W works fine for most users. If you're extremely paranoid, stick with the 1.3. For everyone else, the 2W is a practical choice.
You create an unsigned transaction in Sparrow Wallet (or another compatible wallet) on your computer. Sparrow displays the transaction as a series of animated QR codes on screen. You point your SeedSigner's camera at those codes. The device reads the transaction data, shows you the details for verification, and after you confirm, signs it offline. Then SeedSigner displays the signed transaction as its own set of QR codes. Your computer's webcam (or phone camera) scans those back into Sparrow, which broadcasts the signed transaction to the Bitcoin network. No cables. No wireless. Just QR codes you can see and verify.
SeedQR is a compact QR code representation of your seed phrase. Instead of manually typing 12 or 24 words every time you want to sign (which is slow and error-prone), you print or hand-draw a SeedQR card and scan it with the device's camera. Loading your seed takes about two seconds instead of two minutes. You still need to physically secure the SeedQR card exactly like a written seed backup, because it encodes the same recovery information. The benefit is speed and fewer transcription mistakes during session setup.
It's one of the best options for multisig, specifically because of cost. Building three SeedSigners for a 2-of-3 multisig setup costs about $150 total. That's less than a single Foundation Passport or Coldcard. Each device holds a different key, ideally stored in a different physical location. Sparrow Wallet coordinates the multisig workflow through QR codes. The stateless design is actually an advantage here: each device sits powered off with zero stored keys until you need it for signing.
About 45 to 60 seconds on the Pi Zero 1.3, and roughly 30 to 40 seconds on the faster Pi Zero 2W. The device boots a full Linux OS from the microSD card, which takes time. Compare that to commercial hardware wallets that power on in 2 to 5 seconds. For occasional signing sessions (a few times per month), the boot time is a minor inconvenience. If you're signing daily, it gets tedious. Not a dealbreaker, but worth knowing about before you build one.
Several vendors sell pre-assembled SeedSigners, typically for $90 to $120. This saves you the assembly work and often includes a printed case. But it partially defeats the trust model. The whole point of SeedSigner is that you source generic parts yourself, verify the firmware, and don't trust any single vendor with your signing device. A pre-assembled unit reintroduces supply chain trust. If you're going that route anyway, consider whether a commercial wallet like the BitBox02 ($149) might be a better fit, since it comes with customer support and a polished experience.
Anyone who isn't comfortable with: assembling small electronics, flashing and verifying firmware from GitHub, understanding what stateless signing means for key management, and troubleshooting problems without customer support. If you're new to Bitcoin hardware wallets and want something that works out of the box, start with a Trezor Safe 3 ($79) or BitBox02 ($149). Those have guided setup flows, customer support teams, and forgiving user experiences. Come back to SeedSigner after you've used a commercial wallet and understand why someone would want to go deeper.
Maximum Bitcoin security with full air-gap and open firmware
Open hardware, QR air-gap, polished Bitcoin-only experience
Minimalist open-source wallet with clean USB-C design
Affordable open-source entry point for beginners
Complete decision framework for securing your Bitcoin
Metal backups, storage strategies, and common mistakes