How does the bitcoin source code define its 21 million cap?
Many of bitcoin’s staunchest critics have expressed doubt about its 21 million cap, but perhaps the most mindless criticism relates…
,As the events of 2022 have illustrated, nothing is more important than taking self-custody of your bitcoin and removing counterparty risk.
“Your keys, your bitcoin. Not your keys, not your bitcoin.”
Andreas Antonopoulos
When you entrust your bitcoin to a third party (e.g., an exchange), you are at their mercy when it comes to accessing your wealth. This can entail many risks and inconveniences, from unplanned outages and scheduled maintenance to account closures. The most painful possible outcome by far is a complete loss of your bitcoin in the event of a bankruptcy or hack.
Fortunately, such an outcome can be avoided for less than $100 and with a few simple steps. This high-level overview will equip you with the information needed to pick the best hardware wallet (or wallets) for you.
note: The wallets in this list are all compatible with many third-party wallet software tools. These applications have widely varying feature sets, such as support for connecting to your own node, coin control, replace-by-fee (RBF), or Tor. This article focuses on the specific features of the devices themselves.
Manufacturer | Released | MSRP | Suitable for | Native app |
SatoshiLabs | 2014 | U.S. $69 | Beginners | Trezor Suite |
Connector | microSD | Camera | Secure element |
microUSB | — | — | — |
Battery | Bluetooth | NFC | Open source |
— | — | — | ✅* |
The Trezor Model One was the first consumer hardware wallet designed for the masses. Approaching nine years of production, the device has stood the test of time and earned its place among bitcoiners.
Overall, it’s lightweight, low-cost, and compatible with a wide range of wallet software interfaces. It’s a simple and straightforward entry point for beginners who may not yet be comfortable with more advanced features such as air-gapped signing.
Comparable to the size of a standard USB stick, the Model One easily fits in the palm of your hand. At just 12 grams, you’ll be hard-pressed to find a lighter option. Although traveling with a hardware wallet on your person comes with risks, if you absolutely must, this may be a more portable and inconspicuous choice.
If you do not require every advanced feature and can manage without certain design comforts (i.e., a touch screen), this device fits the bill. As one of the lowest-cost devices on the market, it’s ideal for the casual user with basic needs.
While Model One supports multiple tokens (and Model T supports even more), SatoshiLabs offers bitcoin-only firmware, which strips out all non-essential applications, including altcoin support, U2F, and Trezor Password Manager.
*The hardware and firmware for Trezor devices are open source
†Bitcoin-only firmware not installed by default
tip: Click or tap a green check ✅ to read more about any of the hardware wallet features in this article.
Manufacturer | Released | MSRP | Suitable for | Native app |
SatoshiLabs | 2018 | U.S. $219 | Beginners | Trezor Suite |
Boasting several quality-of-life improvements over the Model One, the Model T replaces clickable buttons with a touch screen and ditches the microUSB port in favor of the now more widely-used USB-C. The Trezor Model T also adds a microSD slot, but it cannot be used for air-gapped signing via PSBTs.
You’ll interact with the Model T via its 1.54” LCD touchscreen. The benefit is that, when restoring or accessing a wallet, all sensitive data can be entered directly on the device: PIN, passphrase, and recovery seed. And entering that sensitive data is noticeably easier.
As one of the few devices on the market that currently supports Shamir backups, the Model T enables users to generate a seed phrase which can then be split into several unique pieces (called “shares”), with the user specifying how many are required to recover the wallet.
While the microSD card slot on the Model T can’t be used for signing PSBTs, it can be used to enhance your security. This feature allows you to encrypt your device PIN, requiring the microSD card to be inserted to decrypt your data and use the device.
*The hardware and firmware for Trezor devices are open source
†Bitcoin-only firmware not installed by default
‡Unlike Model One, Model T supports FIDO2 for passwordless authentication
Manufacturer | Released | MSRP | Suitable for | Native app |
Ledger | 2022 | U.S. $79 | Beginners | Ledger Live |
Connector | microSD | Camera | Secure element |
USB-C | — | — | ✅ |
Battery | Bluetooth | NFC | Open source |
— | — | — | — |
The Nano S Plus is Ledger’s entry model comparable to Trezor’s Model One. It’s a revamp of the original Nano S (released in 2016, since discontinued), boasting a larger screen, increased internal storage (1.5MB vs. 320KB), and USB-C in place of microUSB.
Most hardware wallets operate using a single firmware application. Ledger takes a different approach, opting for a custom operating system called BOLOS. The rationale is that a multi-token wallet must compartmentalize risk by allowing users to install isolated apps that cannot interact with one another.
This is an important consideration for bitcoiners who may not accept the attack surface created by offering thousands of tokens without the option to disable such functionality.
One of the critical distinctions between Trezor and Ledger is the trade-off around secure elements and the closed-source nature of the one used in Ledger’s devices. A device with a secure element requires slightly more trust, but secure elements offer protection against fault attacks, side-channel attacks, and other less common attacks.
Most hardware wallets will automatically trigger some form of security procedure (reset or self-destruct) after several sequential incorrect PIN attempts. Ledger devices will return to a factory reset state after just three failed PIN entries (compared to 16 for Trezor devices). On the one hand, you must be careful not to carelessly make attempts if you forget your PIN. Conversely, an attacker would have a wiped device on their hands in short order.
*Ledger lets you can attach a PIN code to a passphrase-protected wallet
†You can enter an incorrect PIN three times to wipe the device
Manufacturer | Released | MSRP | Suitable for | Native app |
Ledger | 2019 | U.S. $149 | Beginners | Ledger Live |
There isn’t a vast difference between the Nano X and the more affordable Nano S Plus. While it comes with an internal battery, air-gapped usage is not possible. The other differing traits include Bluetooth for signing transactions using a mobile phone app and slightly more storage (2MB vs. 1.5MB).
With a battery life of 3-4 hours per charge, the Nano X offers the option of Bluetooth signing. One downside of this feature is that the battery cannot be replaced (due to the device’s design) and has an expected life of 5 years.
Pairing this device with Ledger’s native app (Ledger Live) on your smartphone eliminates the need for a cable. Bluetooth connectivity may understandably make some bitcoiners nervous due to the potential for leaking sensitive information. However, Ledger does acknowledge such concerns.
This feature can also be disabled entirely via the device’s settings, and a traditional USB-C connection can be used in its place.
*Ledger lets you can attach a PIN code to a passphrase-protected wallet
†You can enter an incorrect PIN three times to wipe the device
Manufacturer | Released | MSRP | Suitable for | Native app |
Coinkite | 2022 | U.S. $149 | Intermediate | N/A |
The fourth version of the Coldcard comes with a handful of new features and changes to the now-discontinued Mk3. With its numeric keypad and plain design, the device appears to the average person to be nothing more than an old-school pocket calculator.
The addition of a second secure element (from a different manufacturer) offers an alternative approach to private key storage. One of the secure elements stores an encrypted version of your private key but requires both the second secure element and microcontroller unit (MCU) for decryption.
The Coldcard Mk4 has an embedded NFC chip for PSBTs, address sharing, and actions like “tap-to-sign” when used with a compatible NFC reader (i.e., smartphone). This functionality is disabled by default and can be made permanently non-functional by damaging the device’s board.
The higher “security” is on your list of requirements, the higher up the Coldcard Mk4 is likely to be. Several unique features and design elements contribute to the device’s standing among seasoned bitcoiners:
The Coldcard Mk4 has a variety of options when it comes to supplying power to the device in an air-gapped manner. You can opt for a standard 9V battery + USB adapter, a power bank, or an AC adapter plugged directly into a power outlet.
*Both the hardware and firmware for Coldcard is fully source-viewable, and its architecture allows the secure element not to be trusted
†The Coldcard’s duress wallet is controlled by the same keys as your main wallet
‡The Coldcard’s “brick-me” PIN does not reset the device—it destroys it
Manufacturer | Released | MSRP | Suitable for | Native app |
Blockstream | 2021 | US $65 | Beginners | Blockstream Green |
The long-awaited hardware wallet from Blockstream arrived in 2021 and packs a punch for its price point. While it lacks a microSD card slot, PSBTs can still be executed using the camera. Taken in conjunction with its built-in 240 mAh battery, true air-gapped usage is possible.
A noticeable missing component from this device is a secure element (an intentional design and security consideration). Instead, an alternative security model is used, allowing all hardware and firmware components to be fully open-source.
The inclusion of an internal battery and Bluetooth enables wireless use with compatible wallet software, for example the Blockstream Green app for iOS. This feature is disabled by default and must be activated via the device’s settings.
If you don’t wish to plug the Jade directly into a computer to execute actions or use Bluetooth, you can simply make use of the device’s camera to scan addresses via QR code, and present signed transaction data as a QR code on the device’s screen.
While many hardware wallets come with a factory reset, decoy wallet, or self-destruct PIN, the Jade has an even more innocuous option—erasing the stored wallet (recovery phrase) and displaying an ‘Internal Error’ message.
The Jade can be used to send and receive assets issued on the Liquid Network when used with the Blockstream Green wallet. Previously, the Ledger Nano S also supported some Liquid Network assets, but this model has since been retired, making the Jade the only commercially-available option.
Manufacturer | Released | MSRP | Suitable for | Native app |
Shift Crypto | 2019 | US $149 | Beginners | BitBoxApp |
Connector | microSD | Camera | Secure element |
USB-C | ✅ | — | ✅ |
Battery | Bluetooth | NFC | Open source |
— | — | — | ✅* |
Manufactured in Switzerland, the BitBox 02 is a compact and discreet choice for cold storage. The design is based on the original BitBox 01, which was discontinued in November 2019. However, this time Shift Crypto released a bitcoin-only edition which can only support bitcoin firmware in an effort to reduce attack vectors compared to a multi-token compatible device.
“The BitBox02 Bitcoin-only will only ever have Bitcoin firmware. Nothing else. Unlike other hardware wallets, the Bitcoin-only edition cannot be reset to support other coins. The Bitcoin-only firmware is locked down at factory setup.”
Shift Crypto
Actions are confirmed or rejected on the device by touching sensors located along its sides. The built-in screen also allows for on-device PIN entry. The main trade-off of the BitBox is that it is not possible to use the device in an air-gapped manner.
With no obvious markings (other than a small Shift Crypto logo), the BitBox02 appears to be a generic black USB stick to the untrained eye. This makes it an ideal option for those needing to use a hardware wallet in public settings.
The device plugs directly into a computer or smartphone via its USB-C port (or USB port with included adapter) rendering cables unnecessary. This option will be particularly attractive to users who may require a device for a high volume of low value transactions, prioritizing convenience over privacy.
*The BitBox 02 firmware is open source, and its architecture allows the secure element not to be trusted
Manufacturer | Released | MSRP | Suitable for | Native app |
Yanssie HK | 2021 | US $169 | Beginners | Keystone |
Connector | microSD | Camera | Secure element |
microUSB | ✅ | ✅ | ✅ |
Battery | Bluetooth | NFC | Open source |
✅ | — | — | —* |
Fomerly known as the Cobo Vault, this device has a large touchscreen making it feel similar to navigating a smartphone. While it has support for a long list of tokens, bitcoin-only firmware is available (this becomes irreversible once installed).
The Keystone Pro’s hardware design is open source, as is the secure element’s firmware. However, the device’s firmware is not considered to be open source (though independent code audits are offered).
Located on the back of the device, this feature can be enabled to unlock and signing transactions. However, the inclusion of a fingerprint sensor may also introduce risks associated with $5 wrench attacks and plausible deniability.
The Keystone Pro gives the option of using a AAA-powered battery pack or a rechargeable lithium-ion battery pack (both of which are inbcluded included) for air-gapped usage. Similar to the Coldcard Mk4, the use of external battery sources eliminates the threat of compromised charging cables unsuspectingly transmitting data.
If access to the circuit board is attempted by removing the screen, the device will initiate a self-destruct process: wiping sensitive data and bricking itself. It should be noted that this action is triggered by a button battery with a 2-year lifespan, meaning the device must be replaced after 2 years if you wish to preserve this feature.
*Some but not all components of the device are open-source
†Bitcoin-only firmware is not installed by default
‡The device has no wipe PIN, but it does have a self-destruct mechanism, and the device is wiped after 5 incorrect password attempts
Manufacturer | Released | MSRP | Suitable for | Native app |
Foundation Devices | 2022 | US $259 | Beginners | Envoy |
The second iteration from Foundation, Passport is priced at the higher end of the spectrum when compared to other air-gapped options. Built without wireless communication capabilities of any kind, the device ingests data via microSD card and camera. While it does have USB-C port, the device has been configured (pins removed) to transmit power only and prevent any data from being transmitted.
Unlike the first version of Passport, this device replaces the AA-battery pack with a standard rechargeable lithium-ion battery. The rationale was to offer greater battery life and more accurate power level indicator. However, this design choice does not introduce any additional dependency on Foundation Devices for parts, as the chosen battery can be sourced from a variety of vendors.
A similar feature to the Coldcard Mk4, Passport will display a blue LED to confirm that the secure element has not been tampered with since its last use, and to confirm that any firmware updates are genuine. If tampering or inauthentic firmware is detected, a red LED will turn on.
*Passport’s firmware and hardware is open source, but the device uses a secure element chip that is not
Manufacturer | Released | MSRP | Suitable for | Native app |
N/A | 2020 | Varies | Advanced | N/A |
Connector | microSD | Camera | Secure element |
microUSB | ✅ | ✅ | — |
Battery | Bluetooth | NFC | Open source |
— | — | — | ✅ |
SeedSigner is a do-it-yourself template for a no frills, air-gapped hardware wallet that can perform a number of limited, but critical, operations. The key design considerations of this device were to create a stateless, low-cost option using general-purpose hardware aimed at long-term holders and multisignature custody schemes. One trade-offs to be aware of is power-up speed (up to 1 minute).
Three basic components make up the device:
These parts can be sourced from a variety of vendors. You’ll also need an enclosure to protect the parts and a MicroSD card for importing and exporting data. If you prefer a more convenient option, the SeedSigner can be purchased as a pre-assembled kit. Air-gapped operations are achieved through use of the power only MicroUSB port on the Rasp Pi Zero, the MicroSD card for exporting PSBTs and the camera for scanning QR codes.
Unlike other hardware wallet options, the SeedSginer does not generate your private key for you on the device. Instead, you must provide the entropy (either through dice rolls, coin flips, or taking a photo with the camera), input this data, and the device will calculate the final seed word (checksum).
While users can opt for custom cases and more expensive parts, the basic hardware requirements place it as the most affordable option against its pre-assembled peers. At present, it’s possible to acquire the essentials for just under $50.
A device built with off-the-shelf parts eliminates any single company as a single point of failure. Everything about the device is open source and trust-minimzed. For these reasons among others, the device has attracted a growing crew of developers, designers, and tinkerers building all kinds of solutions and additional functionality.
For those inclined to add some personality to their Seed Sginer, options are endless: 3D print your own enclosure, purchase custom buttons and joystick, use higher-grade components, etc.
BTC-only | PIN | Decoy PIN | Wipe PIN |
✅ | — | — | — |
U2F | Air-gap | DIY entropy | Third-party wallets |
— | ✅ | ✅ | ✅ |
With so many choices now available on the market, it can be easy to get overwhelmed. However, like all matters relating to securing one’s wealth, the choice of hardware wallet requires a uniquely personal solution.
Considering several factors unique to you (e.g., the amount of wealth being secured, anticipated frequency of use, privacy preferences, etc.) can help narrow down the list. Another key question is whether the device will be used as a standalone wallet (singlesig) or part of a multisig custody scheme.
“As long as you’re controlling your own bitcoin and have those words written down, secured, you have the freedom to control your money.”
Marty Bent
Everyone will have different needs, technical abilities, and desired features. There will always be trade-offs. But, the most important foundational step is to take one: Learn about your self-custody options until you feel confident in securing your private keys and taking possession of your bitcoin. An affordable and reputable hardware wallet can make this process significantly easier.
Many of bitcoin’s staunchest critics have expressed doubt about its 21 million cap, but perhaps the most mindless criticism relates…
Ted Stevenot, Stephen HallWhen Satoshi Nakamoto created bitcoin, he established in its code a fixed number of bitcoin that will ever exist. Since…
Ted StevenotOriginally published in Parker’s dedicated Gradually, Then Suddenly publication. Bitcoin is often described as a hedge, or more specifically, a…
Parker Lewis