
How to Set Up Caravan for Cold Storage Multisig Without Servers
A step-by-step guide to configuring Caravan's stateless multisig coordination with hardware wallets for Bitcoin cold storage without third-party servers.
Most Bitcoin multisig solutions store your wallet configuration on someone else's server. Caravan takes a fundamentally different approach: it runs entirely in your browser, never stores your data anywhere, and lets you coordinate hardware wallets from different manufacturers without trusting any third party with your wallet information.
This statelessness is both Caravan's greatest strength and its biggest operational challenge. You gain genuine sovereignty and censorship resistance, but you accept full responsibility for safeguarding your configuration files, extended public keys, and backup procedures. Here's how to set up a cold storage multisig that depends on nothing but your own hardware and discipline.
What Caravan Actually Does
Caravan is a multisig coordinator, not a wallet in the traditional sense. It doesn't hold keys, store balances, or remember anything between sessions. Instead, it provides an interface for combining multiple hardware wallet keys into a single multisig policy, generating receive addresses, constructing transactions, and coordinating signatures.
The tool supports standard M-of-N quorums (like 2-of-3 or 3-of-5) with up to seven keys. It works with hardware wallets from multiple manufacturers, including Trezor One, Trezor Model T, Ledger Nano S, Ledger Nano X, and Coldcard Mk2 through Mk4. This vendor diversity is itself a security feature: if a vulnerability emerges in one manufacturer's firmware, your funds remain protected by keys on other devices.
To interact with the Bitcoin network, Caravan needs a consensus source. You can point it at your own Bitcoin Core node for maximum privacy, or use a public block explorer like Blockstream.info or mempool.space. The choice is yours, and you can change it anytime.
Before You Touch Caravan
Multisig adds meaningful complexity to Bitcoin custody. If you haven't already mastered single-signature hardware wallet usage, including seed backup, recovery testing, and basic transaction construction, tackle that first. A misconfigured multisig can be harder to recover from than a lost single-sig seed.
Prepare Each Hardware Wallet Independently
Before any device interacts with Caravan, initialize it using the manufacturer's own software:
- Generate a fresh seed on each hardware wallet
- Write down the seed phrase using the manufacturer's recommended backup procedure
- Verify the backup by performing a test recovery
- Send a small amount of bitcoin to the device's single-sig address
- Spend that bitcoin back to confirm the device signs correctly
This validation step catches hardware defects, firmware bugs, or backup errors before they affect your multisig funds. Complete this process for every device that will participate in your quorum.
Creating the Multisig Wallet
Open Caravan in your browser. You can access it via Unchained's GitHub Pages hosting or download and self-host your own copy (the entire application is open source). For cold storage setups, self-hosting eliminates even the theoretical risk of a compromised hosted version.
Step 1: Define Your Quorum
Choose your M-of-N configuration based on your security needs and operational constraints:
- 2-of-3: Tolerates one lost or compromised key while requiring two signatures for any spend. Good for personal cold storage with keys in different locations.
- 3-of-5: More redundancy, suitable for larger amounts or institutional setups where keys might be distributed across jurisdictions.
- 3-of-7: Maximum redundancy Caravan supports, useful when key holders might be unavailable for extended periods.
Consider that you'll need M devices present (or their PSBTs transported) to spend. Geographic distribution improves security but complicates transactions.
Step 2: Import Extended Public Keys
For each hardware wallet, you need to import its extended public key (xpub) into Caravan. This can happen via direct USB connection or through file-based transfer for air-gapped devices.
For USB-connected devices (Trezor, Ledger):
- Connect the device to your computer
- In Caravan, select the device type and click to import
- Approve the connection on the hardware wallet screen
- Verify the derivation path matches your expectations
For air-gapped Coldcard via microSD:
- Power the Coldcard from a wall adapter (never USB for true air gap)
- Export the extended public key to microSD
- Transfer the SD card to your computer
- Import the file into Caravan
- Return the SD card to the Coldcard for future PSBT signing
The air-gapped approach ensures signing keys never directly connect to an internet-capable machine. This matters most for your "cold" keys in a geographically distributed setup.
Step 3: Export and Secure the Configuration
Once all xpubs are imported and your quorum is defined, Caravan generates a wallet configuration file in JSON format. This file contains:
- Your M-of-N policy
- All extended public keys
- BIP32 derivation paths
- Redeem script data needed for spending
Export this file immediately and store it securely. Without it, you cannot reconstruct your multisig wallet even if all your seed phrases remain intact. The configuration ties the seeds together into a specific multisig arrangement.
Store copies of the configuration file in:
- An encrypted password manager
- A USB drive in a secure location separate from any hardware wallet
- Potentially alongside each seed backup (so recovering any single key also recovers the configuration)
Unchained's documentation emphasizes that losing this configuration data can make future spending or recovery significantly harder. Treat it as seriously as your seed phrases.
Receiving Bitcoin
With your wallet configured, Caravan can generate receive addresses. Each address derives from your multisig policy and requires M-of-N signatures to spend.
- Load your configuration file into Caravan
- Navigate to the address generation section
- Generate and record the address
- Verify the address on at least one hardware wallet display
This verification step matters: it confirms your hardware wallet recognizes the multisig setup and agrees on the address derivation. A compromised computer could display a different address than what your hardware expects.
Spending from Cold Storage
When you need to move funds, Caravan constructs a Partially Signed Bitcoin Transaction (PSBT) that each hardware wallet can sign independently.
Constructing the Transaction
- Load your configuration file into Caravan
- Connect to your consensus source (your own node or a public explorer)
- Caravan fetches your available UTXOs
- Enter the destination address and amount
- Set your fee rate based on current mempool conditions
- Generate the unsigned PSBT
Collecting Signatures
For USB-connected devices, you can sign directly through Caravan's interface. For air-gapped Coldcard:
- Export the PSBT to microSD
- Transfer the card to your Coldcard
- Review and approve the transaction on the Coldcard screen
- The Coldcard adds its signature to the PSBT
- Return the card to your computer
- Import the partially signed PSBT back into Caravan
Repeat this process until you have M signatures. With a 2-of-3 setup, you need two of your three devices. The keys can sign in any order, and you can shuttle the PSBT between devices in different locations if necessary.
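An added example, not Caravan's own code: a BIP 174 reader that counts the partial signatures attached to each input of a PSBT returned from a signing device, so you can confirm the M-of-N threshold is met before finalizing. It assumes a binary, version 0 PSBT that has not been finalized yet; the sample PSBT is constructed with dummy keys and signatures.

```python
import io

PSBT_MAGIC = b"psbt\xff"
PSBT_IN_PARTIAL_SIG = 0x02          # BIP 174 per-input key type

def read_compact(f):
    """Read a Bitcoin compact-size integer from a byte stream."""
    first = f.read(1)
    if not first:
        raise ValueError("truncated PSBT")
    if first[0] < 0xfd:
        return first[0]
    return int.from_bytes(f.read({0xfd: 2, 0xfe: 4, 0xff: 8}[first[0]]), "little")

def read_map(f):
    """Read one key-value map up to its 0x00 separator."""
    pairs = []
    while True:
        klen = read_compact(f)
        if klen == 0:
            return pairs
        key = f.read(klen)
        pairs.append((key, f.read(read_compact(f))))

def partial_sig_counts(psbt):
    """Partial signatures attached to each input of a binary (version 0) PSBT."""
    if not psbt.startswith(PSBT_MAGIC):
        raise ValueError("not a PSBT (base64 text must be decoded first)")
    f = io.BytesIO(psbt[len(PSBT_MAGIC):])
    unsigned_tx = dict(read_map(f))[b"\x00"]              # global type 0x00
    n_inputs = read_compact(io.BytesIO(unsigned_tx[4:]))  # follows the 4-byte version
    return [sum(key[0] == PSBT_IN_PARTIAL_SIG for key, _value in read_map(f))
            for _ in range(n_inputs)]

def has_quorum(psbt, m):
    """True once every input carries at least m partial signatures."""
    return all(count >= m for count in partial_sig_counts(psbt))

def _kv(key, value):                 # sample builder; lengths stay below 0xfd
    return bytes([len(key)]) + key + bytes([len(value)]) + value

def sample_psbt(n_sigs):
    """Constructed one-input PSBT with dummy pubkeys and signatures (not spendable)."""
    tx = (bytes([2, 0, 0, 0, 1]) + bytes(36) + b"\x00" + b"\xff" * 4   # version, 1 input
          + b"\x01" + bytes(8) + b"\x00" + bytes(4))                    # 1 output, locktime
    sigs = b"".join(_kv(bytes([2, 2, i]) + bytes(31), bytes(71)) for i in range(n_sigs))
    return PSBT_MAGIC + _kv(b"\x00", tx) + b"\x00" + sigs + b"\x00" + b"\x00"
```

A count below M on any input means that PSBT still has to visit another device; the count says nothing about whether the signatures are valid, which Caravan and the network check.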
Broadcasting
Once you have sufficient signatures, Caravan finalizes the transaction and broadcasts it through your configured consensus source. If you're using your own node, this provides privacy. If you're using a public explorer, the transaction is visible to that service.
Operational Discipline for Long-Term Cold Storage
Stateless multisig requires ongoing attention that single-sig wallets don't:
Test your recovery process annually. Load your configuration file into a fresh Caravan instance, verify you can derive your addresses, and confirm at least M hardware wallets can still sign.
Update hardware firmware carefully. Before updating any device, ensure you have verified seed backups. Some firmware updates have historically caused issues with multisig derivation paths.
Document your setup. Record which devices hold which keys, where they're located, what derivation paths you used, and the exact software versions involved. Your future self (or your heirs) will need this information.
Maintain multiple configuration copies. If you store keys in different locations, keep a copy of the configuration file with each key. Geographic distribution loses its value if all configuration copies are in one place.
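An added example, not part of Caravan or Unchained's code: an offline check to run against each stored copy of the configuration file from Step 3, for instance during the annual recovery test. The field names (quorum.requiredSigners, quorum.totalSigners, extendedPublicKeys with name, bip32Path and xpub) are assumptions about the exported JSON layout, and the sample keys are constructed.

```python
import hashlib, json, re

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
PATH_RE = re.compile(r"^m(/\d+['h]?)*$")          # e.g. m/48'/0'/0'/2'

def _checksum(payload):
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]

def b58check_ok(s):
    """True if s decodes to 78 key bytes followed by a matching 4-byte checksum."""
    if not s or any(ch not in B58 for ch in s):
        return False
    n = sum(B58.index(ch) * 58**i for i, ch in enumerate(reversed(s)))
    raw = n.to_bytes(max(82, (n.bit_length() + 7) // 8), "big")
    return len(raw) == 82 and raw[0] != 0 and _checksum(raw[:78]) == raw[78:]

def b58check_encode(payload):        # used here only to build the sample keys
    n, out = int.from_bytes(payload + _checksum(payload), "big"), ""
    while n:
        n, r = divmod(n, 58)
        out = B58[r] + out
    return out

def check_config(cfg):
    """Return a list of problems; an empty list means every check passed."""
    problems, keys = [], cfg.get("extendedPublicKeys", [])
    m, n = (cfg.get("quorum", {}).get(f) for f in ("requiredSigners", "totalSigners"))
    if not (isinstance(m, int) and isinstance(n, int) and 1 <= m <= n <= 7):
        problems.append("quorum is not a valid M-of-N with N <= 7")
    if n != len(keys):
        problems.append("totalSigners does not match the number of xpubs")
    if len({k.get("xpub") for k in keys}) != len(keys):
        problems.append("duplicate xpub")
    for k in keys:
        if not b58check_ok(k.get("xpub", "")):
            problems.append(f"{k.get('name')}: xpub fails Base58Check")
        if not PATH_RE.match(k.get("bip32Path", "")):
            problems.append(f"{k.get('name')}: malformed bip32Path")
    return problems

def fingerprint(cfg):                # equal for copies with identical content
    return hashlib.sha256(json.dumps(cfg, sort_keys=True).encode()).hexdigest()

# Constructed sample (assumed field names): valid checksums, but not real keys.
SAMPLE = {"quorum": {"requiredSigners": 2, "totalSigners": 3}, "extendedPublicKeys": [
    {"name": f"device-{i}", "bip32Path": "m/48'/0'/0'/2'",
     "xpub": b58check_encode(bytes.fromhex("0488b21e") + bytes([i]) * 74)} for i in (1, 2, 3)]}

if __name__ == "__main__":
    print(check_config(SAMPLE) or "no problems found", fingerprint(SAMPLE)[:16])
```

For a real file, pass the result of json.load to check_config and compare the fingerprint of every copy; a differing fingerprint or a failed checksum points to a corrupted or stale backup.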
The Tradeoffs Are Real
Caravan's serverless architecture delivers genuine sovereignty. No company can freeze your funds, no server outage can lock you out, and no subpoena to a third party can compromise your privacy. But this comes at a cost.
You are responsible for everything: configuration backups, hardware maintenance, operational security, and recovery procedures. There's no support ticket to open if something goes wrong. The tool is open source, which means you can verify the code and the community can audit it, but it also means there's no guaranteed long-term maintenance.
For smaller amounts of bitcoin, single-signature hardware wallets offer comparable security with far less complexity. Multisig through Caravan makes sense when the value at stake justifies the operational overhead, or when your threat model specifically requires eliminating single points of failure.
Used correctly, Caravan creates what amounts to a personal clearinghouse: institutional-grade security properties without the counterparty. That's a powerful capability, but only if you're prepared to exercise the discipline it demands.