Air gapped computer for signing transactions
Keeping the private keys only on a computer without Internet connection (WiFi, modem, Ethernet hardware removed by hand) and without USB interfaces (USB is not a secure interface, there are known exploits) is better if you are worried about firmware malware inside the USB devices (flash drives) and inside the UEFI and the Intel processors. You can transfer the signed transactions using the monitor/keyboard, floppy discs or DVD/CD (not USB!). Using USB devices is dangerous because their firmware may contain malware. If you use USB printer it would be dangerous to reuse it on other computers, because of the risk that the printer is infected with malware (with access to the god mode processor malware). You should assume that the firmware of your devices contains malware: CPU Printer USB drives Hard drive (if any) UEFI Keyboard (key logger) Other (?) And verify that your monitor does not have a screen transmitter (like demonstrated in the Mr. Robot).