How to Create a 2/3 Native Segwit Multisig Wallet Using Blue Wallet and Hardware Signers

Creating a secure Bitcoin wallet is essential for long-term crypto holders and institutional investors alike. A 2-of-3 multisignature (multisig) wallet significantly enhances security by requiring two out of three private keys to authorize transactions. This setup protects against single-point failures—whether from lost devices, theft, or hardware malfunction.

In this comprehensive guide, we’ll walk you through how to set up a native Segwit (P2WSH) 2/3 multisig wallet using Blue Wallet as the coordinator and interface, with Keystone and Coldcard serving as two of the three signing devices. Blue Wallet itself acts as the first signer, making it both a watch-only wallet and an active participant in the signing process.

This configuration ensures your funds are protected across multiple trusted devices, combining the accessibility of a mobile wallet with the hardened security of air-gapped hardware signers.

Core Keywords

• Multisig wallet
• 2-of-3 Bitcoin wallet
• Native Segwit
• Blue Wallet
• Hardware wallet
• PSBT transaction
• Coldcard
• Keystone wallet

These keywords reflect high-intent search queries related to secure Bitcoin storage and advanced wallet setups. They’re naturally integrated throughout this guide to enhance SEO visibility while maintaining technical accuracy.

Preparation: Tools and Requirements

Before setting up your multisig wallet, ensure all components meet the required specifications:

• Keystone Wallet: Must be running firmware version V1.1.0-BTC or later (BTC-only mode). Ensure battery is at least 20%.
• Blue Wallet: Install version 6.6.2 or newer on your smartphone. This will act as Signer #1.
• Coldcard Mk3/Mk4: Update to firmware v2.1.0 or higher. This will be Signer #3.
• MicroSD card (≤512GB, FAT32 formatted): Used to transfer Coldcard’s extended public key (xpub).
• Cloud storage access: iCloud Drive recommended for iOS; Google Drive or local transfer via USB cable advised for Android users.

👉 Discover how secure cold storage solutions can protect your Bitcoin holdings long-term.

Step 1: Export Keystone’s Extended Public Key (xpub)

The first step involves retrieving the extended public key from your Keystone hardware wallet, which will be used to generate the multisig address.

1. Tap the menu icon (☰) in the top-left corner.
2. Navigate to Wallet Profile > Show/Export Extended Public Key.
3. Select Multisig Wallet.
4. A QR code containing your xpub and derivation path (m/48'/0'/0'/2') will appear.

Keep this screen open—you’ll need to scan it during Blue Wallet setup.

Step 2: Export Coldcard’s Extended Public Key

Now extract the xpub from your Coldcard using a MicroSD card:

1. Insert the MicroSD card into your Coldcard device.
2. Go to Settings > Multisig Wallets > Export XPUB.
3. Confirm with (√). The device will save a JSON file (e.g., ccxp-5271C071.json) to the card.
4. Remove the card and connect it to your computer.
5. Upload the file to iCloud Drive or another secure cloud service.

This file contains Coldcard’s xpub and must be imported into Blue Wallet later.

Step 3: Create the 2-of-3 Multisig Wallet in Blue Wallet

With both hardware signers’ public keys ready, now configure Blue Wallet as the coordinator:

1. Open Blue Wallet and tap Add Wallet.
2. Choose a name (e.g., “Secure Vault”), select Vault, then tap Create > Get Started.

3. Under Vault Key 1, tap Create New:

   • Securely back up the generated seed phrase.
   • Tap Done—Blue Wallet automatically registers itself as the first signer.

4. For Vault Key 2, tap Import > Scan or Import a Document:

   • Use the camera to scan the QR code displayed by Keystone.
   • Enter the Master Fingerprint (MFP) shown next to the address path.
   • Set derivation path to m/48'/0'/0'/2'.

5. For Vault Key 3, tap Import > Scan or Import a File:

   • Tap the MicroSD icon at bottom-left.
   • Browse to the Coldcard xpub JSON file uploaded earlier (from iCloud or local storage).
6. Once all three keys are added, tap Create.

Your 2-of-3 native Segwit multisig wallet is now live in Blue Wallet.

👉 Learn more about how multisignature technology strengthens Bitcoin self-custody.

Step 4: Import the Multisig Wallet into Keystone

To enable signing transactions, import the wallet configuration into Keystone:

1. In Blue Wallet, open the new multisig wallet and tap the (⋯) menu.
2. Select Export Coordination Setup—a dynamic QR code appears.

3. On Keystone:

   • Tap ☰ > Wallet Profile > Add Multisig Wallet > Via Camera.
   • Scan the QR code from Blue Wallet.
   • Review wallet details carefully and confirm.
4. The multisig wallet is now imported and ready for signing.

Step 5: Receiving Bitcoin to Your Multisig Address

You can receive funds using either Blue Wallet or Keystone—they both display the same receiving address derived from the combined xpubs.

Option A: Receive via Keystone

1. From Keystone’s home screen, go to Wallet Profile > select your multisig wallet > set as default.
2. Tap Receive—the shared multisig address and QR code will appear.

Option B: Receive via Blue Wallet

1. Open the multisig wallet in Blue Wallet.
2. Tap Receive—the same address is displayed.

Funds sent to this address are secured under 2-of-3 multisig rules.

Step 6: Sending BTC from Your Multisig Wallet

Spending requires signatures from any two of the three signers. Here’s how:

1. Initiate Transaction in Blue Wallet

• Open the wallet and tap Send.
• Enter recipient address, amount, fee rate, and optional note.
• Tap Next—Blue Wallet auto-applies its signature (first signature applied).

2. Sign with Keystone

• In Blue Wallet, tap Vault Key 2 > Provide Signature—a dynamic QR code appears.

• On Keystone:

  • Go to Wallet Profile > Multisig Wallet > select wallet > Set as Current Wallet.
  • Tap Scan at bottom, then scan the QR code from Blue Wallet.
  • Verify transaction details (amount, fee, recipient).
  • Authenticate with PIN/fingerprint and tap Sign.
  • A new QR code with partially signed PSBT appears.
• Back in Blue Wallet, tap Scan or Import a File, then scan Keystone’s response QR code.

Now two signatures are complete.

3. Broadcast the Transaction

• After second signature verification, tap Confirm.
• Tap Broadcast Now—your transaction is sent to the Bitcoin network.

Frequently Asked Questions (FAQ)

Q: What is a 2-of-3 multisig wallet?

A: It's a Bitcoin wallet requiring two out of three private keys to sign and send transactions. This setup improves security by eliminating single points of failure.

Q: Why use native Segwit (P2WSH) for multisig?

A: Native Segwit offers lower transaction fees and enhanced privacy compared to legacy formats. P2WSH specifically supports complex scripts like multisignature setups efficiently.

Q: Can I replace one of the signers later?

A: Yes, but creating a new wallet with updated signers is necessary. Always back up configurations before making changes.

Q: Is internet connection safe for hardware wallets?

A: Hardware wallets like Keystone and Coldcard remain air-gapped during signing—they never expose private keys online, even when scanning QR codes.

Q: What happens if I lose one device?

A: As long as you retain access to any two devices (or their backups), you can still manage funds securely.

Q: Can I use other software besides Blue Wallet?

A: Yes—Specter Desktop, Caravan, or Unchained Capital’s tools also support similar workflows, but Blue Wallet offers mobile-first simplicity.

👉 Secure your Bitcoin future with advanced custody strategies today.