Blog

Send a Bitcoin Private Key Without Trusting Anyone

Device-level identity. No cloud. No middleman. Just two devices and an encrypted tunnel that exists for minutes.

February 2026

You need to send a Bitcoin private key to someone. Not a password — a key that controls real money. Every method you can think of — email, Signal, AirDrop, USB stick — requires you to trust a middleman or physically be there. With Ghost Networks, you create a direct encrypted tunnel between two devices using device-level identity. No server ever sees the key.

The Problem

Every common method of transferring a private key has a fatal flaw: a third party can intercept, store, or leak it. You need a transfer method where only the sender and receiver can ever see the data.

Email: stored on servers, indexed, backed up forever
Messaging apps: cloud backups, metadata, key escrow
Cloud storage: accessible to provider, subpoenas, breaches
USB drive: requires physical meeting, can be lost or cloned
1

Step 1: Create a Phantom Hub with Both Devices

Create a temporary Phantom Hub and add only your device and the recipient's device. This creates an encrypted Ghost tunnel where only these two devices can communicate.

# Create a temporary hub for the transfer
ghost-cli hubs create --name "btc-transfer"
# Add your device
ghost-cli hubs add-device --hub <hub-id> \
--device <my-device-id>
# Add the recipient's device
ghost-cli hubs add-device --hub <hub-id> \
--device <recipient-device-id>
2

Step 2: Serve the Key File Locally

Start a simple HTTP server on your device. It only listens on the Ghost interface, so only the recipient's device inside the Phantom Hub can reach it.

# Serve the key file over the tunnel
python3 -m http.server 8080 --directory ./keys/
3

Step 3: Recipient Downloads the Key

The recipient opens the URL using your Ghost IP. The traffic never leaves the encrypted tunnel — no DNS, no public internet, no cloud relay.

# Recipient opens this URL in their browser
http://172.16.0.5:8080/private-key.txt
4

Step 4: Stop the Server & Destroy the Hub

Once the recipient confirms they have the key, stop the server and delete the Phantom Hub. The tunnel is gone. There is nothing left to attack, intercept, or subpoena.

# Stop the file server
Ctrl+C
# Delete the hub — tunnel gone forever
ghost-cli hubs delete --id <hub-id>

Why This Is Different

Device-level identity: access is tied to cryptographic device keys, not passwords or accounts
Encrypted Ghost tunnel: traffic never touches the public internet or any relay server
No server in the middle: the file goes directly from your device to theirs
Temporary by design: the hub and tunnel are destroyed after the transfer
No logs, no history: nothing is stored on any cloud service or third-party infrastructure

BiFrost Variant: When the Recipient Isn't on Your Network Yet

If the recipient doesn't have a device registered on your Ghost network, use a BiFrost Pass. Create a single-use, time-limited pass that lets them join the Phantom Hub with one device. The pass expires automatically — even if they never use it.

# Generate a single-use BiFrost Pass
ghost-cli bifrost create --hub <hub-id> \
--max-devices 1 --expires 1h
Get Started with Ghost Networks or See Enterprise Plans