How I Turned a Dead Phone Into a Private Vault

You don’t need new gear to lock down your life. This guide walks through turning an old phone into a hardened, offline crypto and privacy toolkit running Cupcake for Monero and Bitcoin cold signing, KeePassDX for password vaulting, and OpenKeychain for encryption. Build your own air gapped vault, cut every network tie, and keep your critical data where it belongs: under your control.

Now that Cake Wallet's Cupcake app supports both monero and bitcoin, I really wanted to take it for a spin. I liked the idea of taking something you probably already have lying around and turning it into an air gapped crypto wallet. Many of you might not know this, but I am the king of taking decade old computer equipment and repurposing it for servers, nodes, and tools. Intrigued, I wondered what else I could use an old phone for other than just a wallet. I did some brainstorming. I did some testing. And here is what happened.

I turned a tired old Pixel 3 into a private, offline toolbox. No accounts. No clouds. No snitching. This is exactly what I ran, how I used it, what worked, and what issues I ran into.

What I built

A purpose built air gapped device that lives offline and holds a small, hardened stack:

• OpenKeychain for OpenPGP keys and file encryption.
• Cupcake as an offline signing tool for monero and bitcoin cold wallets.
• KeePassDX as the password vault and secrets store.
• Aegis for 2 factor codes generated offline.
• Markor for plaintext, markdown notes and short operational checklists.
• Stuck with the built in Contacts and Clock apps for address book and alarms.
• All apps installed via SD card APKs, no Play Store, no accounts.

The simple checklist I followed

  1. Wipe the phone clean. Factory reset and remove every account. Leave no logged in Google account.
  2. Remove the SIM, disable Bluetooth, and enable airplane mode to keep the device offline at all times.
  3. Use a trusted computer or fresh VM to download APKs from F Droid or official project pages. Verify SHA256 checksums and signatures where possible.
  4. Copy APKs to an SD card. Insert the SD card and sideload each app manually. Disable any automatic update checks.
  5. Generate keys and databases on the device. Encrypt or export backups to an encrypted SD file. Lock everything behind a strong passphrase.
  6. Lock the bootloader if you can. Use a Faraday bag for transport when you need to move the device. Store it in a secure place when not in use.
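
One way to carry out steps 3 and 4 on the trusted computer, as an added example (not from the original post): a POSIX shell function that checks each APK against a SHA-256 value you pinned by hand and stages only the matches for the SD card. The manifest format, the function name `stage_verified_apks` and the paths are assumptions of this example, and it assumes GNU `sha256sum`.

```shell
#!/bin/sh
# Added example: check downloaded APKs against pinned SHA-256 values and copy
# only the ones that match into a staging directory (e.g. the SD card mount).
# Assumed manifest format, one entry per line: "<sha256-hex>  <file name>",
# with hashes copied by hand from the project's release page or F-Droid.
# Assumes GNU coreutils sha256sum (on macOS substitute `shasum -a 256`).

# stage_verified_apks MANIFEST DOWNLOAD_DIR STAGE_DIR
# Returns 0 only if every pinned file matched and no unpinned APK is present.
stage_verified_apks() {
    manifest=$1; src=$2; dst=$3; failed=0
    mkdir -p "$dst" || return 2

    # Pass 1: each pinned file must exist and hash to its pinned value.
    while read -r want name; do
        case $want in ''|'#'*) continue ;; esac
        # Bare file names only, so a manifest entry cannot point elsewhere.
        case $name in ''|*/*) echo "BAD ENTRY: $want $name" >&2; failed=1; continue ;; esac
        if [ ! -f "$src/$name" ]; then
            echo "MISSING: $name" >&2; failed=1; continue
        fi
        want=$(printf '%s' "$want" | tr 'A-F' 'a-f')
        got=$(sha256sum "$src/$name" | cut -d' ' -f1)
        if [ "$got" = "$want" ]; then
            cp "$src/$name" "$dst/$name" && echo "OK: $name" || failed=1
        else
            echo "MISMATCH: $name (got $got)" >&2; failed=1
        fi
    done < "$manifest"

    # Pass 2: an APK nobody pinned is treated as a failure, not ignored.
    for f in "$src"/*.apk; do
        [ -e "$f" ] || continue
        base=${f##*/}
        awk -v n="$base" '$2 == n { ok = 1 } END { exit !ok }' "$manifest" ||
            { echo "UNLISTED: $base" >&2; failed=1; }
    done
    return "$failed"
}

# Usage (paths are placeholders):
#   stage_verified_apks pins.txt ~/Downloads/apks /media/sdcard/apks
```

A matching checksum only shows the file is the one the download page described; where a project publishes its signing-certificate fingerprint, `apksigner verify --print-certs` from the Android SDK build-tools prints the certificate digest to compare against it.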

Why each app matters and how I used it

OpenKeychain
More of a backup of my keys than anything else. In a pinch it can be used to sign files, encrypt PDFs, and verify signatures but transferring files and emails just for encryption / decryption is not ideal except in the most extreme cases.

Cupcake
Cupcake is an offline signing app for use with a watch only wallet like Cake Wallet. Sign transactions via QR codes. It’s a genius little idea to turn an old device into an air gapped cold wallet.

KeePassDX
Password vault stored locally as a KeePass database. KeePassDX lives only on the air gapped device. If you must move the database, export it encrypted and transfer by SD card.

Aegis
Store 2FA for accounts inside Aegis, offline. I can visually just read the code and type it into an online device to log in. Export and import carefully. Keep a backup of the encrypted export in a separate secure storage.

Markor
Lightweight markdown editor. Everything I write in Markor stays as plaintext on the device. Use it for checklists, SOPs, and one time notes. The advantage is simplicity. Plaintext files are easy to audit, copy, and encrypt. Files can be encrypted locally with OpenKeychain before being exported.

Contacts and Clock
I used the built in Contacts only for minimal address book needs. Just a few emergency numbers I wanted available anytime. No syncing. Clock for alarms and timed routines. Keep contacts tight and manually entered only. Do not store extra metadata.

How I moved files without breaking the air gap

I transferred via SD card only. No USB networking. No ADB over network. When I needed to move a file to an online machine I used an intermediate burn method:

• Export encrypted file to SD card.
• Physically move SD card to an air gapped laptop or the online machine.
• On the online machine, decrypt as required.
• Revoke or delete temporary files after use.

If you must use USB, disable any MTP or USB debugging on the phone and treat the cable like a live channel.

Lessons learned

  • SD Logistics. You have to make sure you are using an OTG adapter unless your phone has a built in SD slot. My Pixel needed a powered one to work correctly but this shouldn’t be true in every case. You will have to experiment to see what works for your setup.
  • Trusting the APK source. Not every APK is safe. Use the project site or F-Droid only if that is not possible. Verify checksums. If you skip this you are back where you started.
  • Updates will be a pain. Security concerns should be minimal due to air gapping but any major security updates or new features will require manual maintenance.
  • No remote wipe. If someone steals the phone and gains access you lose. Assume physical compromise is possible and plan accordingly.

Practical operational tips

  • No biometrics. Keep phone and all apps password protected only.
  • Back up private keys and files, keep at least two offline copies in separate locations. Test restore.
  • Keep the device powered down when not in use. Store in a Faraday bag for peace of mind. Turn it on only in a controlled environment.
  • Label your SD cards and never reuse SD cards for untrusted environments.

What this setup is and what it is not

This is a functional, low cost cold device for encryption, offline signing, password and token custody, and private notes. It is not a perfect vault. It does not replace hardware security modules or dedicated air gapped hardware built from the ground up. Do not romanticize it. Use it where it makes sense.

Bag gear

Personally I am using it as a backup device. I carried it for a few days and used it for passwords, 2FA, etc. just as a proof of concept. Now it sits nicely inside my Faraday go bag with the rest of my gear. If I have to move quickly I do not have to choose between taking a phone that is tracked and having access to all my keys, codes, and sign ins.

Final thought

You do not need money or new and shiny to take back control. You need simple systems that survive mistakes. This Pixel 3 is clunky but honest. It does only a few things I need and does them without calling home. That is enough for many people. Not perfect. Just better.

Claw it back. Lock down. Keep improving.

-GHOST
Written by GHOST, creator of the Untraceable Digital Dissident project.

This is part of the Untraceable Digital Dissident series — tactical privacy for creators and rebels.