
You can use a hardware wallet, protected by an HSM, on a computer which is itself airgapped. I've written a decoder which decodes Ethereum transactions and verifies that at least it's what the hardware wallet says it is signing that it is actually signing (amount / fees / destination address).

So you take your hardware wallet, you connect it to a fully airgapped computer (one without any WiFi capability and without any ethernet whatsoever) (btw let's please not get carried away with exfiltration through "fan rotating speed" or the like and hence that not being a really "airgapped computer" and the very concept of "airgapped" being non-existent).

You then sign a tx on your hardware wallet, which generates a text file. You copy that text file to a USB stick. You check that USB stick from another airgapped computer running the tx decoder software. You can see what's signed.

If it's what you wanted, you broadcast the transaction.

This is reasonably secure.

I'm talking about security for people protecting millions in assets, not $1 K, not $1 billion.

There are still several issues. For example, the Ledger hardware wallets, often regarded as the be-all / end-all of hardware wallets, require constant updating, needing the wallet to be connected to a computer connected to the Internet to download updates.

You can update the firmware before entering your key (for example on a new wallet), but you cannot install the "Nano apps" before entering your keys. Which is an issue in itself.

Data exfiltration through non-deterministic signatures is another very serious issue.

I haven't looked into using the same seed from different hardware wallet vendors and verifying that you get the transaction signature: if that can be done, I'm all ears.

The Ledger CTO and Ledger overall will constantly dodge questions on these issues.

The answer is basically: "Trust us, we won't exfiltrate your seed through non-deterministic transactions" and "Trust us, we won't exfiltrate your seed during apps or firmware updates".

Firmware updates which aren't even signed with a signature people can verify: Ledger can decide to serve, if they want to, a backdoored firmware leaking seeds through non-deterministic to one person in one thousand if they want to.

And they pretend there's nothing to worry about.

What Ledger should do is let people download firmwares and Nano apps offline, put them on USB keys, and then update their hardware wallets from an airgapped computer.

This would at least allow people to crosscheck their firmware and Nano app hashes.

It still wouldn't solve all the issues.

It's very hard to have something you can really trust and the hardware wallet vendors are really trying very hard to make sure you cannot verify what they're doing.
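
Added example, not part of the comment above and not the commenter's decoder: a minimal version of the check the comment describes, decoding a signed transaction and comparing destination, amount and fee against what was intended. It assumes the text file holds the hex of a signed legacy (pre-EIP-2718) Ethereum transaction; the function names, the sample transaction and its filler signature bytes are constructed for illustration.

```python
# Added example, not the commenter's decoder. Legacy (pre-EIP-2718) transactions only.
def rlp_decode(buf, pos=0):
    """Decode one RLP item starting at buf[pos]; return (item, next_pos)."""
    b = buf[pos]
    if b < 0x80:                                   # a single byte encodes itself
        return buf[pos:pos + 1], pos + 1
    is_list = b >= 0xc0
    size = b - (0xc0 if is_list else 0x80)
    start = pos + 1
    if size > 55:                                  # long form: length of the length
        start += size - 55
        size = int.from_bytes(buf[pos + 1:start], "big")
    end = start + size
    if end > len(buf):
        raise ValueError("truncated RLP item")
    if not is_list:
        return buf[start:end], end
    items = []
    while start < end:
        item, start = rlp_decode(buf, start)
        items.append(item)
    if start != end:
        raise ValueError("list item overruns its parent")
    return items, end

def decode_legacy_tx(hex_text):
    """Parse the hex of a signed legacy transaction into the fields worth checking."""
    raw = bytes.fromhex(hex_text.strip().removeprefix("0x"))
    if not raw or raw[0] < 0xc0:
        raise ValueError("not a legacy transaction (typed transactions not handled)")
    fields, end = rlp_decode(raw)
    if end != len(raw) or len(fields) != 9 or any(isinstance(f, list) for f in fields):
        raise ValueError("expected 9 byte-string fields and no trailing bytes")
    nonce, gas_price, gas_limit, _, value, _, v, _, _ = (int.from_bytes(f, "big") for f in fields)
    return {"nonce": nonce, "to": "0x" + fields[3].hex(), "value_wei": value,
            "max_fee_wei": gas_price * gas_limit, "data": fields[5].hex(),
            "chain_id": (v - 35) // 2 if v >= 35 else None}

def mismatches(tx, want_to, want_value_wei, fee_cap_wei, want_chain_id):
    """Names of decoded fields that differ from what the operator meant to sign."""
    checks = {"to": tx["to"] == want_to.lower(), "value_wei": tx["value_wei"] == want_value_wei,
              "max_fee_wei": tx["max_fee_wei"] <= fee_cap_wei,
              "chain_id": tx["chain_id"] == want_chain_id,
              "data": tx["data"] == ""}            # calldata can redirect funds
    return [name for name, ok in checks.items() if not ok]

# Constructed sample: 1 ETH to a dummy address on chain 1; r and s are filler bytes.
SAMPLE = ("0xf86c09" "8504a817c800" "825208" "94" + "35" * 20 + "880de0b6b3a7640000"
          "80" "25" "a0" + "11" * 32 + "a0" + "22" * 32)
```

An empty list from `mismatches` means the decoded fields agree with the intent; the check says nothing about whether the signature itself is valid or deterministic.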




If you use an air gapped computer, why use a hardware wallet at all? Why not just a software wallet?

Apart from that, using an air gapped computer is a good idea! I would say you need at least two of them. With different wallets. And then compare everything they do to make sure they do not play any tricks on you.



