🟡 Trust Rating: Moderate

The Keystone 3 Pro is one of the few genuinely air-gapped wallets that also handles a huge range of chains, and its firmware is open source on GitHub. Two things keep it out of the green: the company is a Hong Kong entity that builds its devices in China, which is a real supply-chain question for a paranoid threat model, and the "open source" claim has an asterisk. The main MCU library and the secure-element firmware are not published. Good hardware, honest caveats.

What is the Keystone 3 Pro?

Keystone is an air-gapped hardware wallet that never plugs into your computer for signing. Every transaction moves in and out of the device as a QR code shown on its 4-inch touchscreen and scanned by your phone or laptop camera, or by microSD card if you prefer. There is no Bluetooth and no NFC, and signing never touches a cable. The USB-C port charges the battery and can optionally install firmware updates; if you want USB kept off your data path entirely, updates also work by microSD.

The brand used to be called Cobo Vault. It rebranded to Keystone and is now developed and operated by Yanssie HK Limited, a company registered in Hong Kong in February 2021, with the project itself dating back to 2018.[1] The current flagship is the Keystone 3 Pro at $149.[2]

Its real niche is breadth. Where Coldcard, Foundation's classic Passport, and other air-gapped rivals are Bitcoin-only purists, Keystone leans the other way: 5,500+ coins and tokens, and pairing with 45+ software wallets including MetaMask, OKX, Rabby, Sparrow, BlueWallet, and Solflare.[2] If you live across Bitcoin, Ethereum, EVM chains, and Solana and you want to stay air-gapped, there are very few options. This is one of them.

Critical Privacy Concerns

⚠️ Important Considerations

  • Chinese supply chain, Hong Kong company. Keystone is operated by a Hong Kong entity and its devices are manufactured in China. For most users that is fine. For a threat model that includes a nation-state adversary, sourcing security hardware from that jurisdiction is a real consideration you should make on purpose, not by accident.
  • "Open source" is not the whole device. The application firmware is public on GitHub under a permissive license, and that is the part that matters most (signing logic, address derivation, QR handling). But the MH1903 MCU library ships as a pre-compiled blob due to IP restrictions, and the secure-element firmware belongs to the chip vendors. You cannot audit the whole stack line by line.[3]
  • Multichain means more attack surface. Pairing with MetaMask and 40-plus other software wallets is convenient, but the security of your signing session is only as good as the software wallet on the other end of that QR scan. The air gap protects your keys; it does not protect you from approving a malicious transaction the device faithfully displays.

Air-Gapped QR Signing

This is the whole point of the device. Your private keys are generated and stored on the Keystone and never leave it. To send funds, your software wallet builds an unsigned transaction and shows it as a QR code; you scan it with the Keystone's camera, review the details on the 4-inch screen, approve, and the device shows a signed QR code that your software wallet scans back. No cable, no radio, no wireless bridge for an attacker to ride in on. The full transaction is displayed on-device so you are not blind-signing a payload you cannot read.[2]

Three Secure Elements and a Fingerprint Sensor

Keystone uses three separate secure-element chips to isolate the private keys, plus a PCI-level anti-tamper self-destruct that wipes the seed on physical intrusion.[2] The firmware repository lists the three as the Microchip ATECC608A, the Maxim MAX32520, and the Microchip DS28C50, running on an MH1903 MCU.[3] Unlock is by fingerprint (roughly a half-second read) backed by a PIN, and there is optional passphrase support (the 25th-word approach) plus SLIP39 Shamir backup for splitting your seed into multiple shares.[2]

Open-Source Firmware, With Limits

The Keystone 3 Pro firmware is published on GitHub, so independent researchers can read the signing and key-derivation code rather than trusting a marketing claim.[3] That openness has already paid off in the way it is supposed to: Keystone partnered with the security firm Offside Labs, which found a firmware vulnerability that was patched in firmware version 1.2.8; the partnership and fix were announced in January 2024.[4] A vendor that publishes its code, invites outside auditors, and ships the fix is behaving the way you want a wallet vendor to behave. Just keep the asterisk in mind: the MCU library and secure-element firmware are not part of what you can read.[3]

Technical Specifications

  • Signing: Fully air-gapped, QR code and microSD only. No USB data, no Bluetooth, no NFC.
  • Secure elements: Three chips (Microchip ATECC608A, Maxim MAX32520, Microchip DS28C50) plus PCI-level anti-tamper self-destruct.
  • Display: 4-inch full-color touchscreen with full transaction display (anti-blind-signing).
  • Authentication: Fingerprint unlock plus PIN; optional passphrase (25th word).
  • Backup: SLIP39 Shamir backup, multi-seed support (up to 3 wallets).
  • Assets: 5,500+ coins and tokens; 45+ compatible software wallets including MetaMask, OKX, Rabby, Sparrow, BlueWallet, Solflare.
  • Firmware: Open source on GitHub; MCU library and secure-element firmware are proprietary.

Pricing Structure

Product Price Notes
Keystone 3 Pro $149 Air-gapped QR signing, three secure elements, fingerprint sensor, multichain

Keystone vs. Alternatives

Keystone vs. Foundation Passport

  • Keystone: Air-gapped and multichain, 5,500+ assets, Hong Kong company, China manufacturing.
  • Foundation Passport: Also air-gapped by QR and US-assembled, which is exactly the jurisdiction trade Keystone doesn't offer. The classic Passport is Bitcoin-only, though the newer Passport Prime (shipping since 2026) starts reaching beyond Bitcoin via third-party apps. See our Foundation Passport review.

Keystone vs. Trezor

  • Keystone: Fully air-gapped, no USB signing, broader token support out of the box.
  • Trezor: Fully open source including its firmware philosophy, but signs over USB, so no true air gap. See our Trezor review.

Keystone vs. Ledger

  • Keystone: Air-gapped, open-source application firmware, no cloud key-recovery scheme.
  • Ledger: Certified secure element and huge asset support, but closed-source firmware and the Ledger Recover controversy work against it on trust. See our Ledger review.

For the wider field, including the Bitcoin-only air-gapped camp, see our Coldcard review and BitBox02 review, plus the full hardware wallet comparison and our guide to open-source crypto wallets.

When to Use Keystone

Acceptable Use Cases

Multichain users who want a real air gap. If you hold Bitcoin, Ethereum, EVM tokens, and Solana and you refuse to plug a signing device into a computer, Keystone is close to the only game in town.

MetaMask and DeFi users who want cold storage that pairs cleanly with the software wallets they already use.

People who value published, audited firmware and a vendor that ships fixes when outside researchers find bugs.

Not Recommended For

Nation-state threat models where the manufacturing jurisdiction is a dealbreaker. Foundation Passport or a US/EU-assembled device fits better.

Bitcoin-only maximalists who want a smaller, fully auditable, single-purpose device. Coldcard is built for exactly that.

Anyone who reads "open source" as "every chip auditable." It isn't, and no mainstream wallet fully is, but be clear-eyed about it.

The Bottom Line

Consider Keystone if:
  • You want a genuine air gap and broad multichain support in one device
  • You pair with MetaMask, Rabby, or other software wallets and want cold signing
  • You value open application firmware and a track record of shipping audit fixes
Avoid Keystone if:
  • The Hong Kong company and China manufacturing conflict with your threat model
  • You only hold Bitcoin and want a minimal, single-purpose, fully open device
  • You expected every component of the device to be source-available

⚠️ Final Assessment

The Keystone 3 Pro is the strongest air-gapped option we have found for people who need more than Bitcoin. The hardware is serious, the firmware is open where it counts, and the vendor invites and fixes outside audits. It lands at Moderate rather than High for two honest reasons: a Chinese supply chain under a Hong Kong company, and an "open source" story that stops at the MCU and secure-element firmware. Buy it for what it is, a top-tier multichain cold wallet, and make the jurisdiction call on purpose.

Visit Keystone →

Resources