Hardware wallet: a “cold vault” for private keys
The core idea: private keys stay inside the device, while transaction approval happens on the wallet screen — this reduces the risk of key theft through a PC, browser, or malicious extensions.
A hardware crypto wallet is a physical device that stores private keys inside it and signs transactions locally without exposing the keys to a computer or phone.
In “hot” wallets, operations are approved in a browser or on a smartphone. In a hardware wallet, the keys remain inside the device, and the signature is approved on its screen (with buttons or a sensor), so malware on the host does not gain access to private keys.
How a hardware crypto wallet works
- Private keys are generated and stored on the device.
- The transaction is signed inside the wallet and approved on the device screen.
- A signed transaction (digital signature) is sent to the network, while the private keys remain offline.
Principle: Who controls the keys controls the assets.
Main advantages
- Suitable for long-term storage of large amounts: the risk is lower than with “hot” wallets.
- Malware on a PC or phone cannot extract private keys from the device, but it can alter details in the interface — checking the address and amount on the screen is critical.
- Suitable for DeFi and staking: connection through official apps or WalletConnect (connecting a wallet to a dApp via QR/session).
2025 context: more models have appeared for different connection scenarios (USB, Bluetooth, QR). The key criterion is the scenario: for frequent operations, the screen and confirmation convenience matter most; for “holding,” the threat model and backup quality matter more.
Well-known brands remain relevant with basic hygiene: offline seed phrase backup and checking operation details on the device screen.
Material updated → 2024–2025 models, USB/Bluetooth/QR scenarios, and typical risks of “blind” signing in DeFi are taken into account.
- What to check before approval → address/network/amount on the device screen.
- How to store a backup → practical backup methods (metal, passphrase, Shamir).
How to choose a hardware wallet: 5 criteria without fluff
Five criteria: details on the screen during signing, type of support (native or through integrations), recovery, as well as connection and price.
- Security (keys and access)
  - PIN and brute-force protection: delays, lockout, or wipe after N attempts.
  - Checking before signing on the device screen: address, network, amount, fee.
  - Physical access risks: Secure Element and/or passphrase reduce the impact of device theft.
- Usability (confirmation errors)
  - Screen criterion: operation details are displayed, not just “OK/Confirm.”
  - Address criterion: long fragments are readable, so any substitution is noticeable.
  - For DeFi, visibility of approve/spender (who receives the rights) matters, not “blind signing.”
- Coins and networks (type of support)
  - Support may be native in the official app or provided through integrations (MetaMask/Electrum/Sparrow), which means different limitations and different UX.
  - Compatibility is determined by the platform (PC/Android/iOS) and the specific app.
  - Practical check: a test cycle of “receive → send a small amount” shows which details appear on the screen during signing.
- Connection (USB, Bluetooth, QR)
  - USB is predictable; QR air-gap reduces the number of data exchange channels, but takes more time.
  - Bluetooth is convenient for a phone, but adds a communication channel; in a strict threat model, it is more often used as an optional mode.
  - Platform nuances: Android (OTG), iOS (model and app limitations).
- Price (paying for UX, not for “magic”)
  - Usually ~$50–$300+: the price increase is more often tied to the screen, touch controls, and comfort.
  - Supply-chain risk is lower when buying from official sellers; “second-hand” and “pre-configured” devices increase the chance of compromise.
  - Backup-related costs: metal, a second set, separate storage.
What else to consider when choosing
- Software: Ledger Live / Trezor Suite / BitBoxApp and compatibility with third-party wallets for the required networks.
- Documentation and updates: clear guides and release frequency for the required platform.
- Backup: 24 words / microSD / Shamir (if available) and a one-time dry-run recovery test.
- Response to vulnerabilities: speed, transparency, patches.
A typical failure is linked not to “chip hacking,” but to handling mistakes: buying from unofficial sellers, digital copies of the seed phrase, and signing without checking the address/network/amount on the device screen.
Hardware wallet comparison 2024–2025: what the money actually buys
The table is not a “ranking.” It helps match a scenario: universal multicurrency, QR air-gap, or BTC-only for strict isolation.
How to read it: 1) screen (address/network/amount during signing), 2) connection (USB/BT/QR), 3) “# of coins.” “Support” may be native (official app) or through integrations (MetaMask/Electrum/Sparrow).
Prices and number of coins are approximate: they depend on region, supply, and updates.
| Model | Price | # of Coins | Compatibility | Features | Advantages | Disadvantages |
|---|---|---|---|---|---|---|
| Trezor One | ~$65 (59 €) | 1000 | PC; Android (OTG) | OLED; 2 buttons; no SE; open-source | Low price: lower “entry threshold”; easy start and setup; open-source code | No BT or iOS; small screen: addresses are harder to verify; without SE, passphrase plays a larger role under physical access |
| Trezor Model T | ~$219 | 1800+ | PC; Android (OTG) | 1.54″ touch (color); microSD (Shamir); open-source | Touchscreen: easier to verify data; Shamir Backup for backup distribution; includes Monero | More expensive than many alternatives; no BT/iOS; without SE, passphrase discipline matters more |
| Ledger Nano X | $149 | 5500+ | PC; Android/iOS (BT) | OLED; 2 buttons; BT + battery; SE CC EAL5+ | Broad asset and integration coverage; mobile scenario: BT + battery; SE chip as a plus against physical access | Closed firmware (different trust model); reputational disputes around brand functions/incidents; on iOS, some scenarios may be limited |
| Ledger Stax | $279 | 5500+ | PC; Android/iOS (BT) | E-Ink 3.7″ (touch); Qi charging; SE EAL6+ | Large E-Ink: fewer “blind” approvals; large screen and touch controls; SE EAL6+ | Very high price; non-removable battery; closed firmware |
| Coldcard Mk4 | $150 | BTC-only | PC; PSBT: microSD/USB | OLED + keyboard; 2× SE; no BT; NFC (optional) | BTC-only: strict focus; PSBT/microSD for offline signing; multisig and protective modes | BTC only; higher entry threshold (PSBT, multisig, Sparrow); less “daily-use” comfort |
| Keystone 3 Pro | $149 | 5500+ | Standalone (QR); Android / iOS | 4″ screen; 3× SE; fingerprint; no USB/BT; self-destruct | QR air-gap: no cable/BT data channel; large screen: easier to verify details; convenient for mobile DeFi via QR | QR process is slower than USB/BT; device is larger than “flash-drive” types; UX depends on apps/pairings |
| BitBox02 | $120 | ~1500 | PC; Android (USB-C) | Compact USB-C; touch edges; microSD backup | microSD backup: fast recovery; balance of “transparency + hardware”; BTC-only version available | No iOS on the standard model; fewer networks than Ledger; touch controls require adjustment |
| NGRAVE ZERO | $398 (398 €) | 1000+ | Standalone (QR); Android / iOS | 4″ touch; camera; SE EAL7; biometrics; fully offline | Focus on “hardware” and physical risks; large screen + offline approvals; Graphene backup as a separate scenario | Very high price; less mainstream experience and fewer integrations; closed firmware; scenario depends on smartphone/pairing |
| SafePal S1 | $50 | 30 000+ | Standalone (QR); Android / iOS; USB | Screen + camera; battery; Binance Labs support | Affordable entry into “cold” storage; broad lists of networks/tokens; QR scenario without a cable | Outdated UI and button navigation; infrequent updates and uneven UX; compromise in build/feel |
Practical check: 1) the asset exists in the official list and the support type is clear; 2) the device screen shows the address/network/amount/fee before signing.
Hardware wallet reviews: 8 models and clear trade-offs
Short reviews by scenario: universality, air-gap, BTC-only, or large screen.
How to read it: 1) “Core idea” (scenario and trust model), 2) parameters (screen/connection/software), 3) strengths and limitations, 4) final conclusion on suitability.
Trezor One — a simple “veteran” to start with
Core idea: a budget wallet without Bluetooth or battery. A common choice as a “first cold wallet,” but without a Secure Element; under physical access risks, a passphrase is usually added.
- Connection: USB (micro-USB) • no BT/battery
- Assets: >1,000 (BTC, ETH, LTC, ERC-20, and others)
- Screen/control: OLED (mono) • 2 buttons
- Compatibility: Windows / macOS / Linux; Android (OTG) • iOS — no
- Software: Trezor Suite (Desktop + Web + Bridge)
- Protection model: open-source; SE: no • PIN, Passphrase, offline signing
Who it suits: a basic wired scenario and a low “entry threshold” into cold storage; for touch-screen or SE-class devices, other models in the lineup are more often considered.
Trezor Model T — Trezor flagship with a touchscreen
Core idea: a color touchscreen and PIN/passphrase entry on the device. Includes Shamir Backup. An “open-source without Secure Element” approach.
- Connection: USB-C • microSD for Shamir • no BT/battery
- Assets: ≈1,800+ • Monero is available here
- Screen: 1.54″ color touch • on-device input
- Compatibility: PC; Android (OTG) • iOS — no
- Software: Trezor Suite
- Protection model: open-source; SE: no • Shamir, CoinJoin, FIDO2
Who it suits: scenarios where touch UX and Shamir Backup matter within the most “open” trust model possible.
Ledger Nano X — a multicurrency wallet “for every day”
Core idea: a compact wallet with Bluetooth and a battery for mobile scenarios. Ledger Live covers basic operations. It has a Secure Element CC EAL5+, but the firmware is closed.
- Connection: USB-C / Bluetooth • battery
- Assets: ≈5,500+
- Screen: OLED 128×64 • 2 buttons
- Compatibility: PC; Android / iOS • limitations are possible
- Software: Ledger Live
- Protection model: SE CC EAL5+ • PIN, Passphrase, U2F
Who it suits: “one wallet for many things” (multinetwork + mobile scenario), if closed firmware is acceptable.
Ledger Stax — large E-Ink and a focus on confirmation comfort
Core idea: a focus on readability: curved 3.7″ E-Ink, touch controls, Qi charging, and magnets. In practice, it is close to Nano X, but screen confirmations are easier to read. SE EAL6+.
- Connection: USB-C / Bluetooth • Qi • battery
- Assets: ≈5,500+
- Screen: 3.7″ E-Ink (touch) • always-on
- Compatibility: PC; Android / iOS
- Software: Ledger Live
- Protection model: SE EAL6+ • PIN, Passphrase
Who it suits: scenarios where readability and screen confirmation comfort are the priority.
Coinkite Coldcard — BTC-only and maximum control
Core idea: a BTC wallet for “strict mode”: PSBT via microSD (air-gap), 2× Secure Element, duress PIN, and protective modes. It is often used for multisig and long-term holding.
- Connection: USB (power) • microSD (PSBT) • no BT/battery
- Assets: BTC-only
- Control: OLED + keyboard • 12 keys
- Compatibility: PC + offline via microSD
- Software: Electrum / Sparrow / Specter
- Protection model: 2× SE • duress PIN, Brick Me, tamper
Who it suits: BTC holding and multisig setups where control matters more than “everyday” convenience.
Keystone 3 Pro — QR air-gap for active DeFi
Core idea: data exchange via QR (without BT and without USB data transfer), a large 4″ touchscreen, 3× Secure Element, and protective modes. The scenario is mobile DeFi through WalletConnect and pairings with compatible apps.
- Connection: Air-gap (QR) • no BT/USB data
- Assets: ≈5,500+
- Screen: 4″ touch + camera
- Compatibility: Android / iOS • PC via QR
- Software: Keystone Companion • WalletConnect
- Protection model: 3× SE • Self-Destruct, Fingerprint
Who it suits: QR air-gap and active DeFi operations from a phone when offline signing is the priority.
BitBox02 — minimalism and one-step microSD backup
Core idea: a compact wired wallet with file-based microSD backup, an open-source approach, and a secure chip. Multi and BTC-only versions are available.
- Connection: USB-C • microSD (backup)
- Assets: ≈1,500+ (Multi) • BTC-only is a separate version
- Control: OLED • touch edges
- Compatibility: PC; Android (USB-C) • iOS — no
- Software: BitBoxApp
- Protection model: SE ATECC608A • Anti-Klepto, U2F
Who it suits: careful storage with simple backup and minimalist UX as the priority.
NGRAVE ZERO — a “desktop vault” with EAL7 and QR mode
Core idea: an offline device in a “mini-smartphone” format: QR exchange, large screen, EAL7 SE, tamper sensors, and a physical Graphene backup. A niche class focused on physical risks.
- Connection: Air-gap (QR) • USB-C: charging/firmware
- Assets: ~1,000+
- Screen: 4″ touch + camera • 480×800
- Compatibility: Android / iOS
- Software: Liquid • WalletConnect; QR integrations
- Protection model: SE EAL7 • tamper sensors, NGRAVE OS
Who it suits: a strict threat model and large amounts, where offline signing and physical device resilience are the priority.
Niche models and worthy alternatives
These are not the “main hits,” but devices for specific scenarios: ultra-budget, Trezor with SE, BTC-only with better UX, open-source for a technical approach, NFC card for everyday use.
SafePal S1
Format: air-gap via QR (USB is optional, depending on the scenario).
Assets: more than 30,000 tokens/networks are claimed — actual support depends on the SafePal App.
Strong side: low entry price into cold storage + broad network coverage on the lists.
Limitation: simpler UX and closed firmware — the trust model differs from open-source devices.
Who it suits: scenarios where minimum price and broad network lists matter, and the QR process is acceptable in terms of speed.
Trezor Safe 3
Format: wired (USB), without Bluetooth.
Ecosystem: Trezor Suite (PC + Android via OTG).
Strong side: the “Trezor experience” + Secure Element in a more affordable lineup.
Limitation: no iOS/BT and no touch controls — confirmation and navigation are less “mobile.”
Who it suits: scenarios where the Trezor interface and an SE chip for physical access risks matter.
Blockstream Jade
Format: hybrid modes — USB / Bluetooth / QR.
Focus: an open-source approach and BTC scenarios (often through Green and compatible wallets).
Strong side: a choice of connection mode for the situation (USB for simplicity, BT for mobility, QR for isolation).
Limitation: the absence of a “classic” Secure Element — for some scenarios, this is decisive.
Who it suits: an open-source approach and flexible connection modes without being tied to one scenario.
Foundation Passport
Format: BTC-only with QR air-gap and a focus on clear UX.
Integrations: most often paired with Sparrow/Specter and other BTC tools.
Strong side: a strict BTC focus without a “purely technical” interface.
Limitation: high price and strictly BTC-only (without an “alts just in case” scenario).
Who it suits: BTC-only storage with QR air-gap when readability and navigation are the priority.
Tangem Wallet
Format: an NFC “smart card” without a screen — managed through a smartphone.
Security: Secure Element (often listed as EAL6+); firmware is closed/unchangeable.
Strong side: minimal entry threshold and a fast everyday scenario.
Limitation: without a screen on the device, there is no hardware-level verification of address/amount; dependence on the smartphone increases.
Who it suits: scenarios where speed and card form factor matter, while autonomy and screen verification are secondary.
Selection guide: a hardware wallet for profile and scenario
The choice comes down to three parameters: assets (BTC-only or multinetwork), signing (USB / Bluetooth / QR), and risk scale (daily operations or large amounts).
Short selection logic:
- Phone: Bluetooth (Ledger) or QR air-gap (Keystone / SafePal / NGRAVE).
- Fewer “blind” approvals: a readable address and amount on the screen (a larger screen or a more transparent interface).
- Large amounts: priority goes to multisig + distributed backup schemes, then to model selection.
1) For beginners and everyday use
- Trezor Safe 3 / Trezor One — a wired scenario and the Suite ecosystem; protection against substitution depends on checking the address on the screen.
- Ledger Nano S Plus — budget-friendly and broad coin support in a USB scenario.
- SafePal S1 — many networks for minimal cost with QR signing; slower than USB/BT.
2) DeFi/NFT and active use
- Ledger Nano X / Ledger Stax — Bluetooth, Ledger Live, and integrations for multinetwork use.
- Keystone 3 Pro — QR air-gap for mobile DeFi through WalletConnect and compatible apps; QR exchange adds steps and reduces the number of data exchange channels.
- BitBox02 Multi — microSD backup and ecosystem; network coverage should be matched against target tokens.
3) Large amounts and a strict threat model
- 2-of-3 multisig — lower risk of a “single point of failure”: different brands + distributed storage of keys and backups.
- NGRAVE ZERO — QR air-gap and a focus on protection (more expensive and less “everyday” in format).
- Routine matters more than the model: passphrase, metal backup, recovery test, and checking the address/amount on the screen.
Critical during every signature: check the address, network, and amount on the device screen. The seed is stored offline (preferably in metal), and PIN/seed/passphrase are never shared with third parties.
Questions and answers (FAQ)
Seed phrase backup for a hardware wallet: metal, passphrase, or Shamir — what to choose?
The basic level is metal and a second set in another place. For large amounts, passphrase is added or Shamir 2-of-3 is used; a separate step is a one-time recovery check on a “clean” device. A detailed breakdown of backup strategies is covered in a separate article: seed phrase: storage and backups.
USB, Bluetooth, or QR (air-gap): how does this affect a hardware wallet and approval?
QR/PSBT reduces the number of data exchange channels, USB remains a working option when checking on the screen, and Bluetooth adds a communication channel for mobility. The general principle: checking the address/network/amount is done on the device, not in the app.
An infected PC/smartphone and a “clean” hardware wallet: where does the risk remain?
Private keys do not leave the device, but an infected host can replace the address and details in the interface. The practical response is to stop operations and move to a clean environment; in case of doubt, a new seed + passphrase scenario and transfer of funds is used.
DeFi/NFT through a hardware wallet: what matters on the screen during signing?
It is critical that the device screen clearly shows the operation details and action type (for example, transfer or approve), and in EVM — who the spender is and what allowance is being granted. A deeper look at approvals and revoking permissions is covered separately: approval/allowance: checking and revoke.
What should be checked on the device screen before signing?
To whom (address), what (asset/amount), where (network/chainId), how much (fee). In EVM, separately: transfer or approve, and who the spender is. If the operation is unclear, signing is postponed.
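What a readable confirmation has to contain for the EVM cases named in the two answers above, as an added example (not code from this article or from any wallet vendor): it decodes calldata into action, spender and allowance, and refuses to summarize anything it cannot decode. The function names, the sample addresses and the payloads are constructed for illustration; the four selectors are the standard ERC-20/ERC-721 ones.

```python
# Added example: turn EVM calldata into the fields a signer should be able to
# read on the device screen. All addresses and payloads below are constructed.
MAX_UINT256 = 2**256 - 1
ADDRESS_FIELDS = {"recipient", "spender", "from", "operator"}

# Standard 4-byte selectors of ERC-20 / ERC-721 functions and their arguments.
SELECTORS = {
    "a9059cbb": ("transfer", ("recipient", "amount")),
    "095ea7b3": ("approve", ("spender", "allowance")),
    "23b872dd": ("transferFrom", ("from", "recipient", "amount")),
    "a22cb465": ("setApprovalForAll", ("operator", "approved")),
}


def _decode_word(name, word):
    """Decode one 32-byte ABI word according to the argument's role."""
    if name in ADDRESS_FIELDS:
        # An address is left-padded with 12 zero bytes; anything else is malformed.
        if word[:12] != bytes(12):
            raise ValueError(f"{name}: non-zero address padding")
        return "0x" + word[12:].hex()
    value = int.from_bytes(word, "big")
    if name == "approved":
        if value > 1:
            raise ValueError("approved: not a boolean")
        return bool(value)
    return value  # raw token units; decimals are not part of the calldata


def summarize(calldata_hex, chain_id):
    """Return action, decoded fields and warnings for one transaction payload."""
    raw = calldata_hex[2:] if calldata_hex.startswith("0x") else calldata_hex
    data = bytes.fromhex(raw)
    out = {"chain_id": chain_id, "action": "unknown", "fields": {}, "warnings": []}
    if not data:
        out["action"] = "native transfer"
        return out
    entry = SELECTORS.get(data[:4].hex())
    if entry is None or len(data) != 4 + 32 * len(entry[1]):
        out["warnings"].append("blind signing: details cannot be shown, postpone")
        return out
    action, names = entry
    try:
        fields = {n: _decode_word(n, data[4 + 32 * i:36 + 32 * i])
                  for i, n in enumerate(names)}
    except ValueError as exc:
        out["warnings"].append(f"malformed calldata ({exc}), postpone")
        return out
    out["action"], out["fields"] = action, fields
    if action == "approve" and fields["allowance"] == MAX_UINT256:
        out["warnings"].append("unlimited allowance for spender")
    if action == "approve" and fields["allowance"] == 0:
        out["action"] = "approve (revoke)"
    if action == "setApprovalForAll" and fields["approved"]:
        out["warnings"].append("operator gains rights over the whole collection")
    return out


SPENDER = "11" * 20  # constructed placeholder address
APPROVE_UNLIMITED = "0x095ea7b3" + "00" * 12 + SPENDER + "ff" * 32
TRANSFER_SMALL = "0xa9059cbb" + "00" * 12 + "22" * 20 + (1000).to_bytes(32, "big").hex()

if __name__ == "__main__":
    for payload in (APPROVE_UNLIMITED, TRANSFER_SMALL, "0x", "0xdeadbeef"):
        print(summarize(payload, chain_id=1))
```

For token calls the transaction's own destination is the token contract, so that address and the chain ID still have to be checked next to the decoded spender or recipient.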
When does multisig with hardware wallets make sense?
For large amounts, a 2-of-3 setup on devices from different brands reduces the risk of a single point of failure. The scenario conditions are separate storage of keys and backups, and a test of losing one device. A step-by-step setup and cross-vendor nuances are covered separately: 2-of-3 multisig: principles and setup.
Inheritance and a hardware wallet: what should be planned?
There are two layers: legal documents and a separate “technical instruction” (where the backups are and what the sequence of actions is). The seed phrase is not placed in a will; the scenario must work without the owner’s participation.
Final: cold storage that actually works
A hardware wallet stores private keys inside the device and signs transactions offline. Screen confirmation reduces the risk of address replacement and “signing the wrong thing.”
A practical formula: keys offline + backup stored separately + checking on the screen — the basic set that matters more than a “top model.”
The seed phrase must not appear in digital form (photos/scans/cloud/input on a PC). If the seed has been “digitized,” the risk of compromise is considered elevated.
Mini launch algorithm
- Purchase: official seller → check the packaging and contents.
- Initialization: the seed is created on the device → written down offline → second set.
- Access: PIN → if needed, passphrase (stored separately).
- Check: a small test transfer there and back.
- Separation: a separate address for storage and a separate “operational” one for DeFi.
- Maintenance: updates only from official sources + periodic review of permissions (allowance).
Final thought: security comes not from the “most expensive wallet,” but from routine: offline backup, separate storage, and checking on the screen.