when I set my host file to use time.google.com’s IP address and try to run BTCapsule, it never starts. Which means I need to add another “Please enable internet” somewhere, but not opening at all is still enough to keep the private keys encrypted.
It sounds like you're patching holes, while the setup is fundamentally flawed. The next step would be to run your own DNS server.
Which means I need to add another “Please enable internet” somewhere
That's one thing I never want to see when dealing with private keys.