TL;DR: Ledger dominates hardware wallet sales but has closed-source firmware and controversial cloud backup features. Open source alternatives let you verify exactly how your Bitcoin is secured. Trezor Safe 5 for multi-coin with good UX, Coldcard for Bitcoin maximalists, Foundation Passport for airgapped elegance, Keystone for DeFi users.

Last updated: 2026-06-07 (prices and model lineups verified against vendor sites).

A hardware wallet device with a recovery seed phrase sheet on a desk

Why Open Source Matters for Crypto

Your hardware wallet holds the keys to your money. Not an account—actual bearer assets. If the firmware is compromised, you lose everything. There's no "forgot password" link. No customer service. No chargebacks.

Ledger is the market leader. They sold millions of devices. Then in May 2023, they announced "Ledger Recover"—a feature that splits your seed phrase and sends encrypted shards to third-party custodians. Optional, they said. But if the firmware can do it optionally, it can do it silently. Users couldn't verify otherwise because the firmware is closed.

The crypto community exploded. Ledger's own CTO admitted on Twitter that a malicious firmware update could extract keys. That's always been true for any hardware wallet—but with open source firmware, you can audit for exactly that threat. With closed source, you trust the company.

"Not your keys, not your coins" only works if you can verify what's handling your keys.

Quick Comparison

Feature Trezor Safe 5 Trezor Safe 7 Coldcard Q Foundation Passport Prime Keystone 3 Pro
Price $129 $249 $249.21 $349 $149
Coins 9,000+ 9,000+ Bitcoin only Bitcoin only 5,500+
Air-gapped No (USB) Wireless (no USB data) Yes (microSD/NFC) Yes (QR/microSD) Yes (QR codes)
Secure Element Yes Yes Yes (2x) Yes Yes (3x EAL5+)
Display 1.54" color touch Color touch (wireless charging) Large color Color IPS 4" color touch
Open Source HW Yes Yes Partial Yes (CERN-OHL) Partial
Open Source FW Yes (GPL) Yes (GPL) Yes (GPL) Yes (GPL) Yes
Made In Czech Republic Czech Republic Canada USA China (HK)

Prices verified 2026-06-07 from vendor sites. Re-check before purchase.

Trezor

Best for: Multi-coin users who want proven security and good UX

Trezor invented the hardware wallet. SatoshiLabs launched the Trezor Model One in 2014—the first commercial hardware wallet ever. A decade later, they're still stubbornly open source while competitors went proprietary.

Current Models

Trezor Safe 3 ($59): Entry-level with secure element. Bitcoin, Ethereum, 8,000+ coins. USB-C. Good starting point.

Trezor Safe 5 ($129): Mid-range flagship. Color touchscreen, haptic feedback, secure element. Better display makes verification easier. The value pick for most users.

Trezor Safe 7 ($249): New flagship. Wireless charging, quantum-ready security architecture, color touchscreen. Trezor's first wireless device. The recommended model if budget allows.

Trezor Model One ($69): The original, still sold. No secure element, smaller screen, but fully functional and cheaper.

What's Open

Everything. Firmware, companion app (Trezor Suite), hardware schematics, board layouts. All publicly available on GitHub. Deterministic builds let you compile the firmware yourself and verify it matches what's on your device.

The Secure Element Debate

Early Trezors didn't use secure elements—SatoshiLabs argued that proprietary security chips couldn't be audited. Critics said this left them vulnerable to physical attacks. The Safe 3 and Safe 5 added secure elements while keeping the firmware open source, addressing the criticism while maintaining transparency where possible.

Trade-offs

Not air-gapped. You connect via USB to sign transactions. For most users, this is fine. For maximum paranoia, Coldcard or Passport's air-gapped approach is more secure.

Buy from: trezor.io (avoid third-party sellers—supply chain attacks are real)

Coldcard

Best for: Bitcoin maximalists who want maximum security and don't care about altcoins

Coldcard is the paranoid option. Made by Coinkite in Canada, it's designed for people who think every computer is compromised and act accordingly. Bitcoin only—no altcoin support, no compromise.

Current Models

Coldcard Q ($249): The flagship. Full QWERTY keyboard, larger color screen, NFC support for signing, dual secure elements. Same paranoid security model Coinkite is known for.

Coldcard Mk5 ($169.94): The budget current model. Dual secure elements, microSD air-gap, numeric keypad. No touchscreen—buttons only. Slightly faster processor than the Mk4.

Coldcard Mk4: Legacy. Still sold, no NFC, no QR. Worth considering only on a tight budget.

Air-Gapped Operation

The Q and Mk5 never need to connect to a computer. Create transactions on your computer, export to microSD, plug the card into Coldcard, review and sign, export back to microSD, broadcast from your computer. The signing device never touches the internet or USB data lines.

The legacy Mk4 can be powered by a 9V battery or USB power bank—no computer contact whatsoever. The Q and Mk5 are rechargeable via USB-C.

Security Features

Trick PINs: Set a fake PIN that shows a decoy wallet or wipes the device. Useful under duress.

Brick Me PIN: A PIN that destroys the secure element immediately.

Anti-phishing words: The device shows two words based on your PIN prefix, confirming you're on the real device, not a fake.

Countdown to login: Optional delay before allowing PIN entry, defeating quick physical theft.

What's Open

Firmware is GPL, available on GitHub. Deterministic builds. Hardware is partially open—schematics available but some components are proprietary.

Trade-offs

Bitcoin only. Steep learning curve. The interface is utilitarian, not pretty. You're paying for security, not UX.

Buy from: coldcard.com

Foundation Passport

Best for: Bitcoiners who want Coldcard-level security with better UX

Foundation, based in Boston, asked: what if a Bitcoin hardware wallet was actually pleasant to use? The Passport looks like a premium device, operates completely air-gapped, and is fully open source—hardware and firmware.

Current Models

Passport Core ($259): The original flagship (recently renamed from just "Passport"). Color IPS display, integrated camera for QR codes, rechargeable battery, premium metal and plastic construction. Made in USA.

Passport Prime ($349): Shipping since Dec 2024. Runs KeyOS, Foundation's Rust-based microkernel OS. Features include secure file storage (50GB), multi-factor authentication, and a developer kit for third-party apps. Designed as a secure platform beyond just Bitcoin storage.

Air-Gapped via QR Codes

No USB data. No Bluetooth. No NFC. No wireless. Transactions pass via QR codes between Passport and your phone/computer, or via microSD. The camera scans, the screen displays, nothing else connects.

This is more user-friendly than Coldcard's microSD-only approach while maintaining the same air-gap security.

What's Open

Everything, properly. Hardware designs are released under CERN's Open Hardware License (CERN-OHL-S v2). Firmware is GPL. You can literally build a Passport from scratch using their published files. This is rare—most "open source" hardware wallets only open the firmware.

Trade-offs

Bitcoin only (like Coldcard). Most expensive option on this list. QR code workflow adds friction compared to USB-connected devices, though it's the price of air-gapped operation.

Buy from: foundation.xyz

Keystone

Best for: DeFi users who need multi-chain support with air-gapped security

Keystone (formerly Cobo Vault) is the air-gapped option for people who use more than Bitcoin. It supports thousands of coins and integrates with MetaMask, making it practical for DeFi—something the Bitcoin-only wallets can't do.

Current Models

Keystone 3 Pro ($149): 4-inch touchscreen, three EAL5+ secure elements, QR-based air gap, fingerprint sensor. Multi-chain by default, with Bitcoin-only firmware available.

Keystone Essential ($119): Smaller screen, fewer secure elements, same air-gap approach.

MetaMask Integration

Keystone is an official MetaMask hardware wallet partner. You can sign Ethereum transactions, interact with dApps, and manage DeFi positions without connecting USB. Scan QR codes between Keystone and MetaMask Mobile.

What's Open

Firmware is open source on GitHub, including the secure element firmware (rare—most vendors keep this closed). Hardware is partially open. Based in Hong Kong, manufactured in China, which matters for some threat models.

Trade-offs

Chinese manufacturing raises supply chain concerns for some users. QR workflow adds friction. The wide coin support means more attack surface than Bitcoin-only devices.

Buy from: keyst.one

Why Not Ledger?

Ledger makes solid hardware. The Nano X and Nano S Plus are well-built, widely supported, and have never had a breach of their secure element. Many security professionals use them.

The issues are philosophical:

  • Closed firmware: You cannot audit what runs on your device. You trust Ledger.
  • Ledger Recover: The firmware can transmit your seed phrase to third parties. Even if you don't enable it, the capability exists. A malicious firmware update could activate it silently.
  • Customer data breach: In 2020, Ledger's marketing database was hacked. Names, emails, phone numbers, and physical addresses of 272,000 customers leaked. Some received physical threats. The device wasn't compromised, but Ledger's operational security was.

None of this means Ledger devices are insecure. It means you're trusting a company rather than verifying code. For some users, that trade-off is fine. For others, it defeats the purpose of self-custody.

Which Should You Buy?

For Most Bitcoin Users: Trezor Safe 5 ($129)

Fully open source, decade-long track record, good UX, secure element. Works with desktop and mobile. The most balanced option. If you can spend $249, the new Trezor Safe 7 adds wireless charging and a quantum-ready architecture.

For Maximum Security: Coldcard Q ($249) or Foundation Passport Prime ($349)

Air-gapped operation means your keys never touch an internet-connected device. Coldcard Q if you want the deepest feature set (trick PINs, NFC, QWERTY); Passport Prime if you want the best UX and fully open hardware including the higher-end KeyOS platform.

For Multi-Chain DeFi: Keystone 3 Pro ($149)

The only air-gapped option with serious multi-chain and MetaMask support. If you use Ethereum, Solana, or other chains, this is it.

On a Budget: Trezor Safe 3 ($59) or Trezor Model One ($69)

Same open-source firmware as the Safe 5, smaller screens, lower prices. The Model One lacks a secure element but has a decade of proven security.

Security Basics

  • Buy direct: Only buy from manufacturer websites. Third-party sellers (Amazon, eBay) have sold tampered devices.
  • Verify the seal: Check tamper-evident packaging hasn't been opened.
  • Generate seed phrase on-device: Never enter a seed phrase that came printed or was generated elsewhere.
  • Metal backup: Store your seed phrase on stamped steel or titanium, not paper. Fire, flood, and time destroy paper.
  • Test recovery: Reset the device, restore from seed, verify you get the same addresses. Do this before storing significant funds.
  • Passphrase consideration: An optional passphrase creates a completely separate wallet. Adds security but also complexity—forget it and your funds are gone forever.

References

  1. Trezor - Original Hardware Wallet Since 2014
  2. Coldcard - Bitcoin-Only Hardware Wallet
  3. Foundation - Passport Hardware Wallet
  4. Keystone - Air-Gapped Multi-Chain Wallet
  5. Trezor GitHub - Open Source Firmware
  6. Coldcard Firmware Repository
  7. Ledger - Recover Feature Announcement
  8. Hardware Wallets - Open Source Comparison 2025