How to Hypothetically Secure $1 Billion in Bitcoin - Nelop Systems


I do not have $1 billion in Bitcoin.

If I did, I would not be writing about it on a blog. I would also not be testing ideas on production funds. That said, Bitcoin has been in the news, and after recently writing about data diodes, I found myself wondering what you would actually do if you did need to store that much BTC without losing sleep or accidentally destroying your keys.

This is entirely hypothetical. It is not advice. It is not a recommendation. It is a thought experiment that assumes a slightly paranoid mindset and a background in locking down systems that most people are happy to just plug into the internet.

With that out of the way, here is how I would theoretically think about securing $1 billion in Bitcoin while still being able to move coins when required.

The Basic Idea

The core principle is simple. Separate risk, reduce connectivity, and make sure nothing important ever needs to touch the internet directly.

This setup uses Bitcoin Core throughout. There are almost certainly hardware wallets that solve parts of this problem more elegantly, but that is not the point here. This is about architecture, not convenience.

The design is based around three isolated networks, connected only by data diodes.

[Figure: How to Hypothetically Secure $1 Billion in Bitcoin]

The Three Network Architecture

The system is split into three distinct networks, each with a very specific job.

  • Ingest Network: This network contains a node with internet access whose only role is to download and maintain a copy of the Bitcoin blockchain. The wallet on this node does not matter. It exists purely to ingest data.
  • Wallet Network: This is the secure environment where the Bitcoin wallet actually lives. It is completely air-gapped. No internet access. No inbound connectivity. This is the vault where the hypothetical $1 billion sits.
  • Transmit Network: This network contains a node with internet access that is responsible for broadcasting transactions to the Bitcoin network.

Between each network is a data diode. Data can flow one way and one way only. There is no return path and no opportunity for a compromised system to reach back upstream.

Step One: Ingest Network

The ingest network is responsible for keeping the wallet network up to date with the blockchain.

A Bitcoin Core node on this network continuously downloads blocks from the public network. Those blocks are then transferred through a data diode into the wallet network.

This does not require anything exotic. A simple script can package blocks and move them across. On the wallet side, Bitcoin Core verifies the blocks before accepting them.

The result is that the wallet network has a fully validated, up-to-date view of the blockchain without ever being connected to the internet.
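What that "simple script" might look like, as an added example rather than the post's own code: the ingest side exports raw blocks with `bitcoin-cli` (assumed on PATH), and the wallet side checks that what came through the diode links onto its own tip before handing each block to `submitblock`, where Bitcoin Core does the real validation. The only chain data embedded is the real genesis block header, included as sample input; `start_height` is whatever the wallet node's next missing height is.

```python
import hashlib
import subprocess

# Sample input: the 80-byte header of the real Bitcoin genesis block, hex encoded
# (version, all-zero previous hash, merkle root, time, bits, nonce).
GENESIS_HEADER_HEX = ("01000000" + "00" * 32 + "3ba3edfd7a7b12b27ac72c3e67768f617fc81bc3888a51323a9fb8aa4b1e5e4a"
                      + "29ab5f49" + "ffff001d" + "1dac2b7c")


def header_hash(raw_block_hex: str) -> str:
    """Block hash as displayed: byte-reversed double SHA-256 of the 80-byte header."""
    header = bytes.fromhex(raw_block_hex[:160])
    return hashlib.sha256(hashlib.sha256(header).digest()).digest()[::-1].hex()


def prev_hash(raw_block_hex: str) -> str:
    """The header's previous-block-hash field (bytes 4..36), in display order."""
    return bytes.fromhex(raw_block_hex[8:72])[::-1].hex()


def cli(*args) -> str:
    """Run bitcoin-cli (assumed on PATH); a null result is printed as an empty string."""
    return subprocess.check_output(["bitcoin-cli", *map(str, args)], text=True).strip()


def export_blocks(start_height: int, out_path: str) -> int:
    """Ingest side: append raw hex blocks from start_height to the tip, one per line."""
    tip = int(cli("getblockcount"))
    with open(out_path, "a") as fh:
        for height in range(start_height, tip + 1):
            fh.write(cli("getblock", cli("getblockhash", height), 0) + "\n")
    return max(0, tip - start_height + 1)


def check_chain(raw_blocks: list, expected_prev: str) -> list:
    """Reject a feed that does not extend expected_prev in order; return the block hashes."""
    hashes = []
    for raw in raw_blocks:
        if prev_hash(raw) != expected_prev:
            raise ValueError(f"block {header_hash(raw)} does not extend {expected_prev}")
        expected_prev = header_hash(raw)
        hashes.append(expected_prev)
    return hashes


def import_blocks(in_path: str) -> int:
    """Wallet side: check linkage against the local tip, then let Core validate each block."""
    raw_blocks = [line.strip() for line in open(in_path) if line.strip()]
    check_chain(raw_blocks, cli("getbestblockhash"))
    for raw in raw_blocks:
        result = cli("submitblock", raw)  # "" (null) means accepted and connected
        if result not in ("", "duplicate"):
            raise RuntimeError(f"wallet node rejected {header_hash(raw)}: {result}")
    return len(raw_blocks)
```

The linkage check only catches a reordered or truncated feed early; proof of work, transactions and consensus rules are still verified by the wallet node's `submitblock`, which is the assurance the post relies on.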

If I were dealing with very large sums, I would want this extra assurance before doing anything involving funds.

Step Two: Wallet Network

This is where the interesting part happens.

The wallet network is fully air-gapped. There is no internet access and no inbound connectivity beyond the one-way data feed from the ingest network. All interaction with Bitcoin Core is manual. Physical access is controlled. Logins are locked down. Change control is boring and strict.

The wallet file, wallet.dat, lives here. This is where the Bitcoin actually is.

When you want to send Bitcoin, the process starts in this network. Using Bitcoin Core, you construct a Partially Signed Bitcoin Transaction, or PSBT. This file contains the details of the transaction but is not broadcast and does not require internet access.

Once the PSBT is created and signed, it is transferred out of the wallet network through a second data diode into the transmit network.

At no point does the wallet node ever need to touch the internet. The keys never leave this environment.

Step Three: Transmit Network

The transmit network exists for one reason only: to broadcast transactions.

A Bitcoin Core node on this network receives the signed PSBT from the wallet network. The file is verified to ensure it has not been altered and that the transaction details are correct.

Once verified, the transaction is finalized and broadcast to the Bitcoin network.

This node can be compromised, rebuilt, or wiped without risking the wallet. It never holds private keys. It only ever sees transactions that are already signed.

This separation keeps the blast radius small and predictable.
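The wallet-side PSBT creation (Step Two) and the transmit-side verification and broadcast (Step Three), as an added example that is not the post's own code. It assumes `bitcoin-cli` on PATH on each network, Bitcoin Core 22 or later (for the `address` field in `decodepsbt`), and that a small manifest of what the operator approved travels across the diode alongside the PSBT so the transmit node can check the file was not altered; the addresses and PSBT text in the sample are placeholders.

```python
import hashlib, json, subprocess
from decimal import Decimal

# Constructed sample of a decodepsbt result (recipient output plus change) used to
# exercise the transmit-side checks offline; the addresses and PSBT are placeholders.
SAMPLE_DECODED = {"fee": Decimal("0.00001500"), "tx": {"vout": [
    {"value": Decimal("0.50000000"), "n": 0, "scriptPubKey": {"address": "bc1q-recipient-placeholder"}},
    {"value": Decimal("0.24998500"), "n": 1, "scriptPubKey": {"address": "bc1q-change-placeholder"}}]}}
SAMPLE_PSBT = "cHNidP8B-placeholder-base64"  # stands in for the signed PSBT text
SAMPLE_MANIFEST = {"psbt_sha256": hashlib.sha256(SAMPLE_PSBT.encode()).hexdigest(),
                   "outputs": {"bc1q-recipient-placeholder": "0.5", "bc1q-change-placeholder": "0.249985"},
                   "max_fee": "0.000015"}

def rpc(*args):
    """Run bitcoin-cli (assumed on PATH, talking to this network's own node); parse JSON exactly."""
    return json.loads(subprocess.check_output(["bitcoin-cli", *args], text=True), parse_float=Decimal)

def outputs_of(decoded: dict) -> dict:
    """address -> Decimal amount for every output in a decodepsbt result."""
    return {o["scriptPubKey"]["address"]: Decimal(str(o["value"])) for o in decoded["tx"]["vout"]}

def create_and_sign(recipient: str, amount_btc: str) -> tuple:
    """Wallet network: fund and sign; return the PSBT plus a manifest of what was approved."""
    funded = rpc("walletcreatefundedpsbt", "[]", json.dumps({recipient: amount_btc}))
    signed = rpc("walletprocesspsbt", funded["psbt"])
    manifest = {"psbt_sha256": hashlib.sha256(signed["psbt"].encode()).hexdigest(),
                "outputs": {a: str(v) for a, v in outputs_of(rpc("decodepsbt", signed["psbt"])).items()},
                "max_fee": str(funded["fee"])}
    return signed["psbt"], manifest  # both cross the diode; the manifest is what the operator saw

def verify_against_manifest(decoded: dict, manifest: dict, psbt_b64: str) -> bool:
    """Transmit network: file unchanged, exactly the approved outputs, fee within the approved bound."""
    if hashlib.sha256(psbt_b64.encode()).hexdigest() != manifest["psbt_sha256"]:
        raise ValueError("PSBT hash mismatch: file altered in transit")
    if outputs_of(decoded) != {a: Decimal(v) for a, v in manifest["outputs"].items()}:
        raise ValueError(f"outputs differ from what the wallet network approved: {outputs_of(decoded)}")
    if Decimal(str(decoded.get("fee", 0))) > Decimal(manifest["max_fee"]):
        raise ValueError("fee exceeds the amount approved on the wallet network")
    return True

def verify_and_broadcast(psbt_b64: str, manifest: dict) -> str:
    """Transmit network: verify, finalize and broadcast; returns the txid."""
    verify_against_manifest(rpc("decodepsbt", psbt_b64), manifest, psbt_b64)
    final = rpc("finalizepsbt", psbt_b64)
    if not final["complete"]:
        raise RuntimeError("PSBT is not fully signed; nothing was broadcast")
    return subprocess.check_output(["bitcoin-cli", "sendrawtransaction", final["hex"]], text=True).strip()
```

Because the diode has no return path, the wallet network never learns whether the broadcast succeeded; the next block feed from the ingest network is how it sees the transaction confirm.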

Operational Considerations

If this were anything other than a thought experiment, I would separate responsibility further.

Ideally, each network would be managed by different teams with no overlap. The ingest team does not manage the wallet. The wallet team does not manage the transmit network.

The ingest network is technically optional. You could skip it and just transfer PSBT files out. Personally, if I were dealing with $1 billion, I would want to see balances line up perfectly before doing anything irreversible.

Is this overkill? Absolutely.

Is it practical for most people? Not even slightly.

But it is a useful exercise in thinking about how security patterns from critical infrastructure apply surprisingly well to Bitcoin.