Coldcard vs. Blockstream Jade Plus

The Jade Plus uses a "blind oracle" model, which splits key protection between the device and a remote server. Your private key is encrypted and stored on the device, but unlocking it to sign a transaction requires retrieving a matching value from Blockstream's server. Neither piece works without the other, so someone who steals your device cannot access your keys without also compromising the server. The server is "blind" because it never sees your PIN, your addresses, or your key. Blockstream publishes the server code openly, so users who want full independence can run their own instance, removing Blockstream entirely.

The Jade Plus' SeedQR mode removes the server dependency, but changes your responsibilities. In this mode, you encode your seed phrase as a QR code and scan it into the device's temporary memory at the start of each session. Jade loads the seed into temporary memory, signs transactions, and stores nothing when you power off. The QR code is effectively your seed: you need it for every session, and protecting it carries the same weight as protecting your seed phrase.

Coldcard uses a secure element built directly into the hardware. A secure element is a chip that's physically isolated from the main processor and designed so keys never leave it, even during signing. It resists attacks such as circuit probing, voltage glitching, and electromagnetic analysis, and chips used in Coldcard devices carry independent certifications at CC EAL5+ and EAL6+, reflecting real testing against these methods. The same technology has been used in payment cards, SIM cards, and passports for decades.

Both approaches protect your private keys, but with different track records and levels of complexity. Secure elements have decades of real-world testing in adversarial conditions. The blind oracle model is more novel and harder to evaluate with the same confidence. There is also a dependency question: the blind oracle requires a reachable server at signing time, and SeedQR requires the physical QR code for every session. A secure element keeps your keys on-device, fully self-contained, with no external requirement at signing time. For users who want the most established approach with the fewest moving parts, that is a meaningful difference.

Air-gapped signing is the security-first approach. It eliminates any direct data channel between the signing device and a networked computer during the signing process. The Jade Plus supports this with its built-in camera: it scans an unsigned transaction encoded as a QR code, signs on-device, and displays the signed result as a new QR code for the host to broadcast. The same workflow can be done physically with a microSD card. Either way, there is no USB connection, no wireless radio, and no direct data exchange with a networked computer.

The Jade Plus also supports non-air-gapped signing via Bluetooth. When signing over Bluetooth, transaction data travels wirelessly between the device and the host. Any wireless channel is a potential attack surface that can be probed, intercepted, or exploited if a vulnerability exists in the radio's firmware stack stack. Beyond active use, the radio hardware is present on the device at all times, meaning the Bluetooth stack exists as a component regardless of how you choose to sign. The solution to this attack vector is to use air-gapped signing exclusively.

Support for air-gap is partly a design philosophy question. The Jade Plus supports both Bluetooth signing and air-gapped signing, giving users the option to choose. Coldcard is designed without wireless radios, making QR codes, microSD, and NFC the only wireless transfer methods available. For users whose priority is eliminating wireless attack vectors, there is a meaningful difference between a device that has no wireless hardware and one that has it but leaves it unused. The first removes that attack surface by design. The second reduces it through behavior, which is a different kind of assurance.

The Coldcard Q and Mk5 cover more ground on foundational security. Both include dedicated secure element chips for hardware-level key storage, a boot-time anti-phishing display, and a decoy wallet PIN that opens a convincing secondary wallet to protect against coercion. Both ship with serialized tamper-evident packaging and clear cases for inspecting the electronics on arrival. These features are not present on Jade Plus. Additionally, both Coldcard devices are also Bitcoin-only, with no Liquid support. For users who want only Bitcoin, Liquid signing is additional code and signing logic with no benefit.

Both devices cover Bitcoin protocol essentials well, with Coldcard adding additional depth. Both support PSBT, Taproot, and Miniscript, covering the features most self-custody setups require today. The Coldcard Q and Mk5 add PSBT v2 and Seed XOR for splitting a seed into parts that must be combined for reconstruction. Additionally, both Coldcard devices support on-device multisig coordination, assembling complete multisig transactions without an external coordinator, with the Q's larger screen and keyboard making the workflow more ergonomic.

It comes down to architectural model, signing workflow and seed management options. The Jade Plus is a competent device that covers the fundamentals well, supports Liquid for users who operate in that ecosystem, and serves the needs of most users looking for open-source, air-gapped Bitcoin signing. Coldcard delivers a proven hardware security architecture and deeper seed management and customization options. For users whose security requirements extend beyond the basics, that depth is the difference.