Coldcard Q's Key Teleport: A Year In — The Most Secure Way to Manage Bitcoin Keys Remotely
Coldcard Q's Key Teleport feature offers Bitcoin keyholders a practical, cryptographically robust method for transmitting private keys and signed transactions remotely — no Tails OS or PGP expertise required.
Imagine you're traveling abroad, a critical payment needs to go out, and your hardware wallet is sitting on your desk at home. Or you're a keyholder in a corporate Bitcoin treasury, an emergency surfaces, and cold storage funds must move — but the signing device is thousands of miles away. This is exactly the problem Coinkite set out to solve with Key Teleport, an advanced feature exclusive to the Coldcard Q hardware wallet.
One year after its debut, Key Teleport has proven itself as arguably the most secure method available for transmitting key material across the internet. But to appreciate why it matters, it helps to understand what came before it.
Before this feature existed, moving a private key remotely in a truly secure manner was a serious undertaking. Messaging apps like WhatsApp or Signal — despite their end-to-end encryption branding — run on top of extraordinarily complex smartphone hardware and operating systems, often embedded with intrusive manufacturer firmware at the lowest levels. Consumer smartphones were simply never designed to safeguard secrets of the magnitude that Bitcoin private keys represent.
The gold standard for paranoid key transmission used to look something like this: boot Tails OS — a minimal, security-hardened Linux distribution — on a clean or dedicated laptop. Generate a fresh PGP key pair using asymmetric cryptography. Have the recipient do exactly the same. Compose an encrypted message to the recipient's public key, then transmit it over Tor, potentially layered behind a VPN for additional cover. It works. It's also exhausting. This is essentially the operational security setup that Edward Snowden used when he first made contact with journalist Glenn Greenwald to leak classified NSA surveillance documents in 2013. The 90s cypherpunk underground — the intellectual ancestors of Bitcoin and WikiLeaks — likely coordinated using similar methods.
Key Teleport condenses this entire workflow into the Coldcard Q's interface, removing the dependency on secure external hardware or specialized software knowledge. Users can now transmit encrypted messages over the internet without worrying about what else might be running on their computers or phones. The applications go beyond simple key delivery: a partially signed Bitcoin multisig transaction can be packaged and sent as an encrypted payload to a recipient Coldcard Q. An entire wallet configuration — including metadata, key material, and custom settings — can be backed up, encrypted, and transmitted securely to its intended recipient device anywhere in the world.
The Hardware Behind It
The Coldcard Q — now available in a variety of colored enclosures — incorporates a specific set of hardware components that make airgapped communication viable at this level. It inherits the dual secure element architecture introduced in the Mk4 series: two closed-source security chips from different manufacturers working alongside an open-source MCU. Compromising the wallet would require an attacker to physically breach multiple independent components simultaneously. These same chips handle all encryption and decryption operations within Key Teleport.
The device features a 3.2-inch LCD display with sufficient resolution to render BBQr codes — a QR standard developed by Coinkite that carries larger data payloads than conventional QR codes, requires no third-party libraries, and remains backward compatible with standard readers. A dedicated QR scanner with a red strobe aiming indicator and a built-in flash button for low-light environments rounds out the hardware, eliminating the scanning reliability issues common with smartphone cameras and variable screen brightness.
The Cryptography
Key Teleport employs a multi-layer encryption protocol for every transmission. Each data transfer generates a single-use ephemeral public-private key pair derived from the secp256k1 elliptic curve — the same curve Bitcoin itself uses. The receiver's public key is then encrypted with an 8-digit PIN via AES-256, creating a layered security model where interception alone is insufficient to compromise the payload. The result is a system that brings cypherpunk-grade operational security to a device that fits in a shirt pocket — and after a full year in the field, it's holding up exactly as designed.
