These steps can be done with two PCs (recommended); if you only have one PC, you can use a Linux distribution like Tails.
The first step is to download Bitcoin Core, verify its signatures and transfer it to a USB flash drive, since the second PC (or the PC booted with Tails) will never be connected to the internet.
-----------------------------------------
Offline PC or with Tails
-----------------------------------------
Open bitcoin-qt by double-clicking it; it is located in bitcoin-22.0/bin/
bitcoin-qt will start and ask where to store its data. Just click OK; nothing will be downloaded, since we are not even connected to the internet.
Create a new wallet and select Encrypt Wallet and Descriptor Wallet:
After creating the wallet, make a backup and store it on another device such as a USB flash drive (if you are using Tails, everything will be deleted after shutting down). To make a backup, just click File -> Backup wallet
Now we will get the information needed to create a watch-only wallet.
Open the console (window → console, or Ctrl+T) and type:
listdescriptors
Note: this command is available since version 0.22
This command returns a list of 6 descriptors in total. We will be using the two with derivation path 84'/0'/0' (this derivation is for native segwit, bech32).
Copy both of them into a text file and save it to the USB flash drive. In this example my .txt file looks like this:
{
"desc": "wpkh([66bb13d5/84'/0'/0']xpub6CtDSW4S3XVd5uYp9CgsLTZKQcKieJSmjehcvfVJBSy1rPbkKNU3T6UmZ3mn7DoSsTsM6uH8ZKem7LQh3PHyrBAtZopSvF2tonEE7foTWFe/1/*)#a9twa6j5",
"timestamp": 1647182091,
"active": true,
"internal": true,
"range": [
0,
999
],
"next": 0
},
{
"desc": "wpkh([66bb13d5/84'/0'/0']xpub6CtDSW4S3XVd5uYp9CgsLTZKQcKieJSmjehcvfVJBSy1rPbkKNU3T6UmZ3mn7DoSsTsM6uH8ZKem7LQh3PHyrBAtZopSvF2tonEE7foTWFe/0/*)#v3w0q0zv",
"timestamp": 1647182091,
"active": true,
"internal": false,
"range": [
0,
1000
],
"next": 1
}
One descriptor has the value internal: false and the other internal: true. The internal: false descriptor gives the watch-only wallet the information it needs to generate receiving addresses, while the internal: true descriptor is for change addresses.
We can now shut down the PC/Tails.
-----------------------------------------
Online PC
-----------------------------------------
Your online PC must have Bitcoin Core installed and synced.
Create a watch-only wallet: select Disable Private Keys, Make Blank Wallet and Descriptor Wallet.
Open the .txt file where you saved both descriptors, go to the console and import both descriptors, with their timestamps, using the importdescriptors command.
In my example the commands look like this:
first descriptor:
importdescriptors "[{\"desc\": \"wpkh([66bb13d5/84'/0'/0']xpub6CtDSW4S3XVd5uYp9CgsLTZKQcKieJSmjehcvfVJBSy1rPbkKNU3T6UmZ3mn7DoSsTsM6uH8ZKem7LQh3PHyrBAtZopSvF2tonEE7foTWFe/1/*)#a9twa6j5\", \"range\": [0, 1000], \"timestamp\": 1647182091, \"internal\": true, \"watchonly\": true, \"active\": true}]"
second descriptor:
importdescriptors "[{\"desc\": \"wpkh([66bb13d5/84'/0'/0']xpub6CtDSW4S3XVd5uYp9CgsLTZKQcKieJSmjehcvfVJBSy1rPbkKNU3T6UmZ3mn7DoSsTsM6uH8ZKem7LQh3PHyrBAtZopSvF2tonEE7foTWFe/0/*)#v3w0q0zv\", \"range\": [0, 1000], \"timestamp\": 1647182091, \"internal\": false, \"watchonly\": true, \"active\": true}]"
This will import the descriptor with an initial keypool of 1000 (which is the default); any new addresses you request will come from these descriptors. If everything is correct, it will return "success": true
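Escaping the two commands above by hand is error-prone, and the text file is what crosses from the offline to the online machine, so it is worth checking before it is imported. The Python sketch below is an added example, not part of the original tutorial or of Bitcoin Core: it rejects anything that is not a public wpkh descriptor under 84'/0'/0', checks the internal flag against the /0/* or /1/* branch, and produces the console line. The function names and the reduced sample file are assumptions, and the request carries only the desc, range, timestamp, internal and active fields.

```python
import json
import re

# Constructed sample: the two entries saved from listdescriptors in this
# tutorial, reduced to the fields the import needs.
XPUB = "xpub6CtDSW4S3XVd5uYp9CgsLTZKQcKieJSmjehcvfVJBSy1rPbkKNU3T6UmZ3mn7DoSsTsM6uH8ZKem7LQh3PHyrBAtZopSvF2tonEE7foTWFe"
SAVED = """
{"desc": "wpkh([66bb13d5/84'/0'/0']%s/1/*)#a9twa6j5", "timestamp": 1647182091, "internal": true},
{"desc": "wpkh([66bb13d5/84'/0'/0']%s/0/*)#v3w0q0zv", "timestamp": 1647182091, "internal": false}
""" % (XPUB, XPUB)

# Accept only public wpkh descriptors under 84'/0'/0' with a /0/* or /1/* tail.
WATCH_ONLY = re.compile(
    r"^wpkh\(\[[0-9a-f]{8}/84'/0'/0'\]xpub[1-9A-HJ-NP-Za-km-z]+/([01])/\*\)#[a-z0-9]{8}$"
)

def build_import_request(saved_text, key_range=(0, 1000)):
    """Validate the saved entries and build the importdescriptors argument."""
    entries = json.loads("[" + saved_text.strip().rstrip(",") + "]")
    request = []
    for entry in entries:
        desc = entry["desc"]
        if "]xprv" in desc or "(xprv" in desc:
            raise ValueError("descriptor holds a private key; keep it offline")
        match = WATCH_ONLY.match(desc)
        if match is None:
            raise ValueError("unexpected descriptor: " + desc[:30])
        # /1/* is the change branch (internal: true), /0/* the receiving one.
        if entry["internal"] != (match.group(1) == "1"):
            raise ValueError("internal flag does not match the derivation branch")
        request.append({
            "desc": desc,
            "range": list(key_range),
            "timestamp": entry["timestamp"],
            "internal": entry["internal"],
            "active": True,
        })
    return request

def console_command(request):
    """One console line; the inner JSON quotes are escaped by the outer dumps."""
    return "importdescriptors " + json.dumps(json.dumps(request))

if __name__ == "__main__":
    print(console_command(build_import_request(SAVED)))
```

Both descriptors go into a single importdescriptors call here, since the RPC takes an array of requests.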
After this, our watch-only wallet is fully functional, allowing us to receive payments and create unsigned transactions.
Before receiving any payment in the watch-only wallet, please make sure you have the wallet.dat backup of the offline wallet.
For this tutorial I have received two transactions, as you can see:
Now, to spend them, proceed as usual: enter the address to pay to and set the fees:
Click Create Unsigned:
Then click Save and you will get a .psbt file, which we will copy to a USB flash drive in order to sign it with the offline wallet.
-----------------------------------------
Offline PC or with Tails
-----------------------------------------
If you boot with Tails, you will have to copy the Bitcoin client over and copy the backup of wallet.dat into the Bitcoin folder at ~/.bitcoin/wallets/wallet.dat
File → Load PSBT from file
Review the information and click Sign Transaction.
If you are using Bitcoin Core 0.22 and your wallet is encrypted (which it should be if you have followed all the steps in this tutorial), you will get an error (Could not sign any more inputs); the passphrase is not even asked for. This will be fixed in the next release.
To sign we must unlock wallet first:
window→console and type:
walletpassphrase "mypassphrase" 120
Enter your passphrase between the quotes. The 120 can be replaced by any number; in this case the wallet will remain unlocked for 120 seconds and will lock automatically after that time.
After the transaction is signed, click save, and save the signed psbt file to the USB flash drive.
-----------------------------------------
Online PC
-----------------------------------------
File → Load PSBT from file
Click Broadcast Tx and you are done.