COLDCARD logo
Shopping cart Shop

What is a Hardware Wallet?

A hardware wallet is a dedicated device that stores your Bitcoin private keys in isolated hardware, completely separate from your computer or phone.

Newcomers to Bitcoin often assume a hardware wallet stores bitcoin the way a hard drive stores files. However, bitcoin exists as entries on a distributed public ledger, and what a hardware wallet stores is the private keys needed to authorize the spending of bitcoin.

What Does a Hardware Wallet Do?

Hardware wallets, also known as "signing devices", keep your private keys in dedicated hardware that no software on your computer can reach.

When you send bitcoin, your wallet software builds the transaction and passes it to the hardware device. The device then displays the transaction details on its own screen, which you approve by pressing a physical button. The device signs the transaction with your private key and returns the result back to the wallet software for broadcast. Most importantly, the private key never leaves the device.

Your private key is a 256-bit number that authorizes or "signs" transactions for the bitcoin you control. Whoever holds the key can spend the associated bitcoin, which is why key isolation and protection is the core function of a signing device.

While "hardware wallet" is the more common term, "signing device" is more technically precise because the device is used to sign transactions. The terms are used interchangeably in this article.

Secure Element Chip

A hardware wallet generates the private key inside the device and stores it in a dedicated chip. This chip is called a "secure element," and it is designed specifically to resist key extraction attempts, including physical probing, voltage glitching, and side-channel analysis. Secure elements are used widely across industries where information security is paramount.

The idea behind a signing device is that it is a dedicated security device and the sole component in the workflow that interacts with the private key. Your computer, the wallet software on it, and the internet are all treated as untrusted and potential attack surfaces from a security perspective. The device remains isolated from all of them, accepting only transaction data and returning only a completed signature with the transaction.

Why Is a Software Wallet Not Enough?

A software wallet stores private keys on the same device that connects to the internet. That shared environment is a potential point of attack. Malware on your phone or computer needs only access to the memory or storage where the private key is held, and then it can use the key to authorize spending of your bitcoin without you knowing.

There are five main attack classes that affect software wallets, and all of them operate at the software layer before or during signing.

  1. Direct key extraction. Malware with sufficient system privileges can read the private key from memory or from the wallet's data files on disk. Once extracted, the key can drain the wallet from a remote server at any time.

  2. Clipboard hijacking. When you copy a Bitcoin address to paste into a transaction, malware can intercept it and replace the address with an attacker-controlled address at the moment of pasting. The substitution can be invisible in certain wallet interfaces.

  3. Screen capture and keylogging. Malware can record everything displayed on screen and every keystroke entered. Seed phrase displays, passphrase entry, and QR code exports can be captured through this method.

  4. Fee inflation. A compromised signing interface can substitute an inflated fee into the transaction before it is signed. On a software wallet, you may approve a fee that has been quietly manipulated.

  5. Change output substitution. Bitcoin transactions return unspent funds to a change address controlled by the sender. A compromised software wallet can replace that change address with one the attacker controls, thereby stealing the change. The transaction looks normal until you check where the remainder went.

The common thread across all five is that they operate on the compromised computer, before or during signing. A hardware wallet removes the private key from that environment entirely.

How Does a Hardware Wallet Work?

The signing workflow separates transaction construction from transaction signing. Your computer's wallet software builds the transaction and passes it to the hardware wallet. The device displays the details on its own trusted screen, and you review them before approving with the physical press of a button. The device signs using its private key, which never leaves it, and the signed transaction is passed to the computer to be broadcast.

The data format used to pass a transaction between wallet software and signing device is called a PSBT, a partially signed bitcoin transaction. The PSBT contains all the information needed to describe the transaction: the inputs, the outputs, the amounts, and the addresses.

The signing workflow proceeds as follows:

  1. The wallet software on your computer constructs the transaction and formats it as a PSBT.

  2. The PSBT is sent to the signing device via USB, Bluetooth, QR code, or MicroSD card.

  3. The device displays the transaction details on its own screen, including the amount, destination address, change address, and fee.

  4. You verify those details on the device's trusted display and approve by pressing a physical button on the device.

  5. The device signs the transaction using the private key, which does not leave the device.

  6. The signed transaction is returned to the wallet software, which broadcasts it to the Bitcoin network.

Some devices do not independently verify that the change address belongs to your wallet before signing. Checking it on the device screen is the user's responsibility.

Connected vs. Air-gapped Signing

The PSBT can travel to and from the device in two ways: connected or air-gapped.

  1. Connected: The PSBT is transferred directly via USB cable or Bluetooth wireless connection.

  2. Air-gapped: The PSBT is passed via QR code scanning, physical transferring of a MicroSD card, or one-way NFC tap of the device, removing any direct data connection to the signing device.

Air-gapped signing removes the direct live data channel between the signing device and the internet-connected computer in order to remove the attack surface entirely. For a full explanation of how air-gapped signing works, see What is Air-Gapped Signing?. For PSBT technical detail, see What is a PSBT?.

Why Does the Device Screen Matter?

The device screen is one of the most important security properties of a hardware wallet. It is the most trustworthy source of information about what you are actually authorizing.

Malware on your computer or phone can modify what wallet software displays, substitute addresses in the transaction being built, or present a legitimate-looking interface while passing altered data to the signing device. As a result, your computer's display and the device's display may show entirely different things, which is a clear indication that something is wrong.

The hardware wallet's screen shows what the device is actually about to sign, independent of anything your computer is displaying. Before approving any transaction, it is important to verify four things on the device's own display:

  1. The destination address matches where you intended to send to.
  2. The amount you are sending is correct.
  3. The change address belongs to your wallet.
  4. The fee is reasonable in absolute terms.

A hardware wallet without its own screen cannot provide this protection. If the device screen and your computer's display show different details, do not approve.

What Should I Look for in a Signing Device?

Not all hardware wallets make the same security choices. The properties that differentiate them correspond directly to the attacks they are designed to prevent.

  • Air-gap capability. A device that signs via QR code or MicroSD requires no USB connection to your computer, eliminating that attack surface entirely.

  • Open-source and reproducible firmware. When the firmware source code is publicly available and the build can be independently reproduced from source, any developer can verify what the device is actually running. Closed firmware requires trusting the manufacturer's claims without independent verification.

  • Bitcoin-only design. Supporting hundreds of cryptocurrencies means running the validation and signing code for all of them. Each supported coin adds to the code's complexity and attack surface. Bitcoin-only firmware is narrower, easier to audit, and reduces the code exposed to potential vulnerabilities.

  • Dedicated secure element. A secure element stores keys in hardware designed to resist physical extraction techniques. Devices that store keys in general-purpose microcontroller flash lack these defences.

  • On-device passphrase entry. If a passphrase is used to protect the wallet, entering it on the device's own keyboard means the passphrase never touches the computer. Entering it on the host exposes it to keyloggers.

Coldcard devices are built around all of these properties. They use a dual secure element architecture, drawing on chips from two independent vendors. The firmware is open-source with a reproducible build. The devices are Bitcoin-only and support full air-gap signing via QR code and MicroSD card. Passphrase entry is performed on-device.

Hot Wallet vs. Cold Wallet

The connectivity distinction that separates hardware wallets from always-online alternatives, and why it determines the security model.

Read Article

What is Air-Gapped Signing?

How air-gapped signing works, why eliminating USB connectivity matters, and the three methods for passing transactions to a signing device.

Read Article

What is Bitcoin Multisig?

How distributing signing authority across multiple hardware wallets eliminates single points of failure in Bitcoin self-custody.

Read Article

What is a PSBT?

The transaction format that enables unsigned transactions to be transferred between wallet software and signing devices for secure, verifiable signing.

Read Article