The Coldcard Mk4 is the hardware wallet that security-obsessed Bitcoiners reach for when nothing else feels paranoid enough. Dual Secure Elements, full air-gap via microSD, open-source firmware, and features like duress wallets and brick-me PINs that no competitor even attempts. At $157, it is not the cheapest option. It is the most secure one.
But let's be honest up front: the UI looks like it was designed in 2005. The learning curve is steep. And if you've never owned a hardware wallet before, this is not where you should start. The Coldcard is a tool for people who already understand why air-gapping matters and want the best implementation of it. Not for everyone. Best in class for those who need it.
Quick Verdict
The most security-hardened consumer Bitcoin wallet available
| Category | Score | Notes |
|---|---|---|
| Security | 10/10 | Dual Secure Elements, air-gap, duress wallet, brick-me PIN |
| Ease of Use | 5/10 | Number pad UI, steep learning curve, no companion app |
| Open Source | 9.5/10 | Firmware + hardware schematics public on GitHub |
| Features | 10/10 | BIP-85, dice entropy, countdown PIN, anti-phishing words |
| Price / Value | 8.5/10 | $157 for the most capable signing device available |
| Overall | 9/10 | Best security, worst UX. That's the deal |

| Specification | Detail |
|---|---|
| Secure Element | Dual chip: ATECC608A (Microchip) + SE050 (NXP) |
| Connectivity | USB-C data + microSD air-gap (NFC optional, can be disabled) |
| OS Support | Windows, macOS, Linux |
| Weight | 30g |
| Dimensions | 88 x 52 x 9 mm |
| Companion App | None (use Sparrow Wallet or Electrum) |
| Price | $157 USD from Coinkite |
| Made in | Canada |

The Coldcard Mk4 is a Bitcoin-only hardware wallet made by Coinkite, a Canadian company founded by Rodolfo Novak (NVK). It's been in production since 2018 and has earned a reputation as the most security-hardened signing device you can buy. Bitcoin developers, security researchers, and long-term holders with serious stacks tend to gravitate here.
What makes the Coldcard different from a Trezor or BitBox02? Two things. First, it can operate completely air-gapped. You never need to plug it into a computer. Transactions move via microSD card, and your keys never touch a networked device. Second, it packs security features that other wallets don't even attempt: duress wallets, brick-me PINs, countdown login delays, dice roll entropy, and BIP-85 derived child wallets.
The Mk4 (current model) runs dual Secure Element chips. That is not marketing fluff. The ATECC608A handles key storage while the SE050 provides a second layer of protection. If one chip has an undiscovered vulnerability, the other still guards your keys. No other consumer hardware wallet doubles up on Secure Elements like this.
Coinkite also sells the Coldcard Q ($219), a larger model with a full QWERTY keyboard and bigger screen. The Q makes passphrase entry tolerable (typing on the Mk4's number pad is genuinely painful). Same security, better interface. But the Mk4 at $157 remains the core product and the focus of this review.
The air-gap workflow uses PSBT (Partially Signed Bitcoin Transactions) and a microSD card as the transfer medium. No USB data cable. No Bluetooth. No WiFi. Just a tiny card you physically move between devices. Here's the process:
Build the transaction
In Sparrow Wallet (or Electrum), construct your transaction. Set the destination address, amount, and fee. Export the unsigned PSBT file to a microSD card.
Sign on the Coldcard
Insert the microSD into your Coldcard. Find the PSBT file in the menu. The Coldcard displays the destination address and amount on screen for you to verify. Confirm and sign.
Broadcast from your computer
The signed PSBT is written back to the microSD card. Move it to your computer. Sparrow reads the signed transaction and broadcasts it to the Bitcoin network.
At no point does the Coldcard establish a data connection with your computer. Malware on your laptop can't communicate with the signing device. The only data that moves is the PSBT file on the microSD card, and the Coldcard verifies every detail on-screen before signing. You can see exactly what you're approving.
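The PSBT file that crosses the air gap can also be inspected on the computer before it goes onto the microSD card. The following is an added example, not code from Coinkite or Sparrow: a minimal BIP-174 (PSBT version 0) reader that lists the outputs of the unsigned transaction and flags any that differ from what you intended to pay. The scripts, amounts and helper names are constructed for illustration.

```python
import io

PSBT_MAGIC = b"psbt\xff"  # BIP-174 magic bytes plus separator

def take(stream, n):
    """Read exactly n bytes; a short read means a truncated or corrupt file."""
    data = stream.read(n)
    if len(data) != n:
        raise ValueError("truncated PSBT")
    return data

def read_compact_size(stream):
    first = take(stream, 1)[0]
    if first < 0xFD:
        return first
    return int.from_bytes(take(stream, {0xFD: 2, 0xFE: 4, 0xFF: 8}[first]), "little")

def read_map(stream):
    """Read one PSBT key-value map up to its 0x00 terminator."""
    entries = {}
    while True:
        key_len = read_compact_size(stream)
        if key_len == 0:
            return entries
        key = take(stream, key_len)
        if key in entries:
            raise ValueError("duplicate key in PSBT map")
        entries[key] = take(stream, read_compact_size(stream))

def psbt_outputs(psbt):
    """Return [(sats, scriptPubKey hex)] from the global unsigned transaction."""
    if not psbt.startswith(PSBT_MAGIC):
        raise ValueError("missing PSBT magic bytes")
    raw_tx = read_map(io.BytesIO(psbt[len(PSBT_MAGIC):])).get(b"\x00")
    if raw_tx is None:
        raise ValueError("no unsigned transaction (global key type 0x00)")
    tx = io.BytesIO(raw_tx)
    take(tx, 4)  # version
    for _ in range(read_compact_size(tx)):
        take(tx, 36)  # previous txid + output index
        if read_compact_size(tx) != 0:
            raise ValueError("unsigned transaction must have empty scriptSigs")
        take(tx, 4)  # sequence
    outputs = []
    for _ in range(read_compact_size(tx)):
        sats = int.from_bytes(take(tx, 8), "little")
        outputs.append((sats, take(tx, read_compact_size(tx)).hex()))
    return outputs

def unexpected_outputs(psbt, intended):
    """Outputs present in the file that are not in the list you meant to pay."""
    return [out for out in psbt_outputs(psbt) if out not in intended]

def build_sample_psbt(pay_script, change_script):
    """Constructed test data: one input, two outputs, no real coins or keys."""
    def txout(sats, script):
        return sats.to_bytes(8, "little") + bytes([len(script)]) + script
    tx = (b"\x02\x00\x00\x00" + b"\x01" + bytes(32) + bytes(4) + b"\x00"
          + b"\xff\xff\xff\xff" + b"\x02" + txout(50_000, pay_script)
          + txout(49_000, change_script) + bytes(4))
    global_map = b"\x01\x00" + bytes([len(tx)]) + tx + b"\x00"
    return PSBT_MAGIC + global_map + b"\x00" * 3  # empty input map, 2 output maps

PAY = bytes.fromhex("0014" + "11" * 20)      # constructed recipient script
CHANGE = bytes.fromhex("0014" + "22" * 20)   # constructed change script
SWAPPED = bytes.fromhex("0014" + "ee" * 20)  # constructed substituted script

if __name__ == "__main__":
    intended = [(50_000, PAY.hex()), (49_000, CHANGE.hex())]
    print(unexpected_outputs(build_sample_psbt(PAY, CHANGE), intended))
    print(unexpected_outputs(build_sample_psbt(SWAPPED, CHANGE), intended))
```

This host-side check complements the address and amount shown on the Coldcard's own screen; it does not replace it.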
Compare this to USB-connected wallets where your computer and the device share a two-way data channel. That channel is harder to audit and creates attack surface that simply doesn't exist with the microSD approach. For someone holding a year's salary or more in Bitcoin, it's the right architecture.
The Foundation Passport achieves air-gapping through QR codes instead of microSD. Both approaches work. QR codes are more visual and intuitive. MicroSD cards handle larger transaction payloads more easily and don't need a camera module. Different tradeoffs, same security goal.
The Mk4 runs two Secure Element chips: the Microchip ATECC608A and the NXP SE050. Most hardware wallets use a single Secure Element (or none at all, in Trezor's case). Coldcard doubles up, and here's why that matters.
A Secure Element is a tamper-resistant chip designed to store cryptographic secrets. It resists physical probing, side-channel attacks, and fault injection. If someone physically tears apart your wallet, the Secure Element makes key extraction extremely difficult without lab-grade equipment and deep expertise.
But what if there's an undiscovered vulnerability in a specific Secure Element chip? It's happened before in other products. By running two chips from different manufacturers (Microchip and NXP), the Coldcard creates redundancy. An attacker would need to break both chips simultaneously. A flaw in the ATECC608A doesn't automatically expose your keys if the SE050 is still protecting them.
For context: the Trezor Safe 3 uses a single Optiga Trust M chip. The Foundation Passport uses a single EAL6+ Secure Element. Ledger uses ST33 chips. None of them double up. The Coldcard's dual-chip approach is unique in the consumer hardware wallet market, and it scores a perfect 10 on security.
This is where the Coldcard pulls ahead of every competitor. These features aren't gimmicks. They address real threat models that other wallet makers ignore entirely.
Duress wallet
Set a secondary PIN that opens a decoy wallet with a small balance. Under physical coercion, you hand over the duress PIN. The attacker sees some Bitcoin, takes it, and walks away. Your real holdings stay hidden behind the primary PIN. No other major hardware wallet offers this.
Brick-me PIN
A special PIN that permanently destroys both Secure Elements when entered. If someone forces you to unlock the device and you enter the brick-me PIN, the Coldcard becomes a paperweight. Your funds are safe as long as your seed backup exists somewhere else. Extreme? Yes. But it exists for extreme situations.
Dice roll entropy
Don't trust the Coldcard's random number generator? Roll physical dice and enter the results manually. The Coldcard converts your dice rolls into entropy for seed generation. You control the randomness. No chip vulnerability can compromise a seed you generated with 100 dice rolls on your kitchen table.
Countdown PIN
A login mode that starts a countdown timer (hours or days) before the device unlocks. Designed to slow down physical attacks. If someone steals your Coldcard and tries to brute-force it, the countdown buys you time to move funds using your seed backup.
Anti-phishing words
After entering your PIN prefix, the Coldcard shows two words unique to your device and seed. These words prove you're using your genuine Coldcard, not a lookalike substitute. Supply chain attacks rely on swapping devices. Anti-phishing words catch that.
BIP-85 derived wallets
Generate multiple independent child wallets from your single master seed. Each child wallet has its own seed phrase. Compromise one, the others stay safe. Useful for separating funds across hot wallets, lightning nodes, or multiple cold storage setups without juggling a pile of seed backups.
Yes. Every line of Coldcard firmware lives on GitHub. Anyone can read it, audit it, and verify that the device does exactly what Coinkite claims. Independent security researchers regularly review the code. Bugs get found and patched in public. There are no black boxes.
Coinkite also publishes the hardware schematics. You can see the board layout, verify which chips are used, and confirm the physical design matches the published documents. This puts the Coldcard in a small club of wallets where both software and hardware are auditable. The Foundation Passport is in that club too. Ledger? Not even close. Their firmware is completely closed source.
Why does open source matter for a device protecting your Bitcoin? Because closed-source firmware means you're trusting the manufacturer's word that there are no backdoors. Open-source firmware means you don't have to trust anyone. The code speaks for itself. And when the code is public, the incentive structure changes: Coinkite knows that any suspicious code would be spotted and called out by the community within days.
You can also build the firmware from source and flash it to your Coldcard yourself. Most users won't do this. But the fact that you can is the point. Verifiability over trust. That's the Bitcoin ethos, and the Coldcard lives it.
For beginners? Yes. Honestly, yes. The Mk4 uses a numeric keypad and a small monochrome screen. Navigation feels like an old Nokia phone from 2004. Menus are deep and not always intuitive. The first-time setup involves more steps than any competing wallet.
Typing a BIP39 passphrase on the Mk4's number pad is painful. Each letter requires multiple key presses, like texting on a flip phone. The Coldcard Q fixes this with a full QWERTY keyboard, but you're paying $219 instead of $157. That's a $62 premium for a bearable typing experience.
There's no companion app. No Envoy equivalent. No Ledger Live. You need to pair the Coldcard with third-party wallet software like Sparrow or Electrum. Sparrow is excellent, but you need to set it up yourself. Nobody holds your hand. The official documentation is thorough, and plenty of community guides exist. But you're reading docs, not tapping “Next” on a guided wizard.
The learning curve is real but not impossible. Most users who commit to the Coldcard properly spend a weekend with a test wallet before moving real funds. Set it up, practice the microSD workflow, sign a few test transactions, get comfortable with the menu system. Then load it with real Bitcoin. Rushing the setup is how mistakes happen.
Bottom line on usability: the Coldcard trades polish for power. Every minute you spend fighting the interface is a minute you're interacting with the most security-hardened signing device money can buy. Whether that tradeoff works for you depends entirely on how much Bitcoin you're protecting and how seriously you take your threat model.
Sparrow Wallet is the most popular pairing for the Coldcard, and for good reason. It's open source, supports full air-gapped PSBT workflows, gives you coin control and custom fee selection, and runs on Windows, Mac, and Linux. If you're using a Coldcard, you should probably be using Sparrow.
The setup process starts with exporting your Coldcard's public key information to a microSD card. You insert that card into your computer and import the wallet file into Sparrow. This creates a “watch-only” wallet. Sparrow can see your addresses and balances, but it can't sign anything. The signing keys stay on the Coldcard, physically isolated.
When you want to send Bitcoin, you build the transaction in Sparrow, export the unsigned PSBT to microSD, sign it on the Coldcard, and bring the signed file back. The whole round trip takes about 60 seconds once you've done it a few times. First time? Budget 5 minutes while you figure out the file navigation.
Sparrow also supports USB connection if you prefer convenience over air-gap purity. Plug the Coldcard in via USB-C and sign directly. You lose the air-gap benefit, but you gain speed. Some users run air-gapped for large transactions and USB for smaller ones. Mixed approaches work fine.
For advanced users, Coinkite also provides ckcc (Coldcard CLI), a command-line tool for scripting Coldcard interactions. You can automate PSBT signing, extract public keys, manage multisig configurations, and batch-process transactions. It's not for casual users, but if you're running a business or managing multiple wallets, the CLI saves serious time.
The Mk4 added NFC (Near Field Communication) for quick transaction signing with compatible mobile wallets. This sparked debate in the Bitcoin community. An air-gapped wallet with a wireless radio? Sounds contradictory.
Here's the full picture. NFC on the Coldcard is optional. You can disable it completely in settings, and many security-focused users do exactly that. When disabled, the NFC chip is powered down and can't transmit or receive. It's as if it doesn't exist. Coinkite even sells a “Mk4 without NFC” model for people who want zero wireless capability on the hardware level.
When enabled, NFC handles the same PSBT workflow that microSD does, just wirelessly at close range (a few centimeters). You tap the Coldcard against your phone to transfer the unsigned transaction, sign it, then tap again to send back the signed result. It's faster than swapping a microSD card. But it does introduce a wireless channel, even if it's short-range.
Our take: if you're buying the Coldcard for maximum air-gap security, disable NFC and use microSD. That's the whole point of this device. The Foundation Passport's QR-code approach is a cleaner implementation because QR codes are a visual, one-way channel you can see and verify. NFC on the Coldcard is fine as an option. Just don't use it if your threat model is the reason you bought the device.
The Coldcard competes with three Bitcoin-focused wallets, each with different strengths. Here's an honest comparison based on months of testing all four.
| Feature | Coldcard Mk4 ($157) | Trezor Safe 3 ($79) | BitBox02 ($149) | Passport ($199) |
|---|---|---|---|---|
| Air-gapped | Yes (microSD) | No (USB) | No (USB) | Yes (QR codes) |
| Secure Element | Dual (ATECC608A + SE050) | Optiga Trust M | ATECC608B | EAL6+ (single) |
| Open source | Firmware + hardware | Firmware only | Firmware only | Full stack (HW + FW + app) |
| Bitcoin-only | Yes | No (5,000+ coins) | Yes (BTC edition) | Yes |
| Duress wallet | Yes | No | No | No |
| BIP-85 | Yes | Yes | No | No |
| Companion app | None (use Sparrow) | Trezor Suite | BitBox App | Envoy (excellent) |
| Beginner-friendly | No | Yes | Yes | Moderate |
| Made in | Canada | Czech Republic | Switzerland | USA |
| Best for | Maximum security | Most people | Privacy + simplicity | Air-gap + usability |
This is the comparison that matters most. Both are air-gapped, open source, and Bitcoin-only. They're the two best options in this category. The choice comes down to what you prioritize.
The Coldcard wins on raw security features. Duress wallets, brick-me PIN, countdown login, dice roll entropy, BIP-85, dual Secure Elements. The Passport doesn't offer any of these. If your threat model includes physical coercion or you want the deepest possible feature set, the Coldcard is the answer.
The Passport wins on usability by a wide margin. Envoy is the best companion app in the hardware wallet space. QR signing is more intuitive than shuffling microSD cards. The build quality feels premium: machined aluminum, color screen, real camera module. Foundation designed a consumer product that takes security seriously. Coinkite designed a security tool that reluctantly became a product.
On open source, the Passport has an edge. Foundation publishes hardware schematics, firmware, and the Envoy app. Coinkite publishes firmware and hardware schematics but has no companion app to open-source. Both are excellent on transparency.
On price, the Coldcard at $157 is cheaper than the $199 Passport. You get more features for less money. But you also get a much worse user experience. That's the trade.
Many security-conscious Bitcoiners own both. In a multisig quorum, running a Coldcard and a Passport as two of three signing devices gives you two independently auditable wallets from different manufacturers. Different firmware, different chip vendors, different attack surfaces. That's defense in depth, and it's the right move for serious cold storage.
You've already owned a hardware wallet for at least six months. You understand seed phrases, derivation paths, and why address verification matters. You hold enough Bitcoin that the additional security is worth the setup time. If you check all three boxes, the Coldcard is built for you.
Bitcoin-only maximalists will love this device. No altcoin firmware bloating the codebase. No Ethereum integration eating up development resources. Every line of code serves one purpose: securing Bitcoin. The attack surface is smaller because there's less code to audit. Coinkite doesn't chase trends. They build for the people who understand why Bitcoin-only matters.
Multisig enthusiasts should seriously consider the Coldcard as one key in their quorum. Pair it with a Passport and a BitBox02 in a 2-of-3 setup coordinated through Sparrow. Three different manufacturers, three different firmware codebases, three different chip vendors. No single point of failure. That's how serious cold storage works.
If you've never owned a hardware wallet before, start elsewhere. A Trezor Safe 3 at $79 teaches you the fundamentals. A BitBox02 at $149 gives you open-source security with a friendly app. Learn on those. Understand what a PSBT is. Get comfortable verifying addresses on a hardware screen. Then come back to the Coldcard when you're ready for the deep end.
Not for everyone. Best in class for those who need it.
The Coldcard supports BIP39 passphrases, which add an extra word (or phrase) on top of your 24-word seed. Enter a different passphrase and you get a completely different set of addresses. This creates plausible deniability: your base seed opens one wallet, your passphrase opens another, and there's no way to tell whether additional passphrases exist.
Combined with the duress wallet feature, this gives you layered defense. The duress PIN opens a decoy wallet. Your main PIN opens your base seed. Your passphrase opens your real holdings. An attacker would need to know all three layers exist, and there's nothing on the device that reveals them.
For seed generation, the dice roll feature deserves a second mention. You roll a standard six-sided die at least 99 times and enter each result. The Coldcard converts those rolls into cryptographic entropy for your seed phrase. No chip, no algorithm, no manufacturer can influence or predict the output. It's the gold standard for verifiable randomness, and the Coldcard is the only major wallet that supports it natively.
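The dice roll feature described here and in the feature list above can be checked independently on an offline machine. This is an added example, not Coinkite's code. It assumes the roll string is hashed with SHA-256 over the ASCII digits, as in Coinkite's published dice-verification procedure (this page does not name the function), and it stops at BIP-39 word indices because the 2048-word list is not embedded. It also shows why the roll count matters: 99 fair rolls carry about 255.9 bits, and 100 are needed to exceed 256.

```python
import hashlib
import math
from collections import Counter

BITS_PER_ROLL = math.log2(6)  # about 2.585 bits from one fair six-sided die


def roll_entropy_bits(n_rolls):
    """Upper bound on the entropy contributed by n fair, independent rolls."""
    return n_rolls * BITS_PER_ROLL


def entropy_from_rolls(rolls, min_rolls=99):
    """Hash the roll string into 32 bytes of seed entropy.

    Assumption: SHA-256 over the ASCII digits '1'..'6', following Coinkite's
    published verification procedure; the reviewed page does not specify it.
    """
    rolls = "".join(rolls.split())
    if not rolls or set(rolls) - set("123456"):
        raise ValueError("rolls must be digits 1-6 only")
    if len(rolls) < min_rolls:
        raise ValueError(f"need at least {min_rolls} rolls, got {len(rolls)}")
    return hashlib.sha256(rolls.encode("ascii")).digest()


def bip39_indices(entropy):
    """Map 256 bits of entropy to 24 BIP-39 word indices (0..2047)."""
    if len(entropy) != 32:
        raise ValueError("expected 32 bytes of entropy")
    checksum = hashlib.sha256(entropy).digest()[0]  # first 8 bits of the hash
    bits = (int.from_bytes(entropy, "big") << 8) | checksum  # 264 bits total
    return [(bits >> (11 * (23 - i))) & 0x7FF for i in range(24)]


def chi_square(rolls):
    """Goodness-of-fit statistic against a fair die (5 degrees of freedom)."""
    rolls = "".join(rolls.split())
    expected = len(rolls) / 6
    counts = Counter(rolls)
    return sum((counts.get(f, 0) - expected) ** 2 / expected for f in "123456")


if __name__ == "__main__":
    sample = "123456" * 17  # constructed pattern for the demo; never use one
    print(f"99 rolls carry about {roll_entropy_bits(99):.1f} bits")
    print("word indices:", bip39_indices(entropy_from_rolls(sample)))
    print(f"chi-square vs fair die: {chi_square(sample):.2f} (5% cutoff 11.07)")
```

Compare the indices against the standard BIP-39 English word list (0-based) to confirm the words the device displays for the same rolls.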
The Coldcard Mk4 earns a 9/10 because it is, without question, the most security-hardened consumer Bitcoin hardware wallet you can buy. Dual Secure Elements, full air-gap via microSD, open-source everything, and a feature set (duress wallets, brick-me PIN, dice entropy, BIP-85) that no competitor matches. For serious Bitcoiners protecting serious stacks, nothing else comes close.
It loses one point for usability. The Mk4's number pad interface is ugly and dated. There's no companion app to guide you through setup. The learning curve is steep even by hardware wallet standards. Beginners will struggle, and that's not a failure of the user. The device demands expertise.
At $157, it's actually a bargain for what you get. More security per dollar than any competing wallet. And if your threat model includes air-gap requirements, the Coldcard delivers the best implementation available. Full stop.
Get a Trezor or BitBox02 to learn the fundamentals. Then graduate to the Coldcard when you're ready. You'll know when it's time.
Affiliate Disclosure: Bitcoin.diy may earn a commission if you buy through our links. This doesn't affect our ratings.
By most measures, yes. The Coldcard Mk4 runs dual Secure Element chips (ATECC608A + SE050), fully open-source firmware, complete air-gap signing via microSD, and security features no other wallet offers: duress wallets, brick-me PIN, countdown login, and dice roll entropy. The tradeoff is usability. This is the hardest mainstream hardware wallet to learn. But if your priority is maximum key protection, nothing else comes close.
Air-gapped means the Coldcard never needs a USB data connection to your computer. You sign transactions by passing PSBT files on a microSD card. Your wallet software (Sparrow, Electrum) creates the unsigned transaction and saves it to the card. You insert the card into the Coldcard, review and sign the transaction, then move the card back to your computer for broadcasting. Your private keys never touch a networked device, not even through a cable.
The Mk4 at $157 is the standard choice. It has dual Secure Elements, USB-C, NFC (optional, can be disabled), and the full feature set. The Coldcard Q at $219 adds a QWERTY keyboard and larger screen, which makes passphrase entry and menu navigation much easier. If you can afford the Q, the better keyboard alone is worth the premium. If budget matters, the Mk4 gives you identical security for less.
Yes. That is the entire point. The air-gapped microSD workflow means the Coldcard never establishes a USB data connection with any computer. You can even power it from a USB battery pack or wall charger instead of a computer port. Some users go their entire ownership without ever connecting USB data. The microSD card is the only bridge, and it carries only transaction files.
The duress wallet opens when you enter a secondary PIN instead of your real one. It reveals a separate wallet with a small decoy balance. Under physical coercion, you hand over the duress PIN. The attacker sees Bitcoin, takes it, and leaves. Your real holdings stay hidden behind the primary PIN. No other major hardware wallet offers this feature. It is a genuine security advantage for people whose threat model includes physical coercion.
Yes. Every line of Coldcard firmware is published on GitHub under an open-source license. Independent security researchers can audit the code, verify there are no backdoors, and confirm the device does exactly what Coinkite claims. The hardware schematics are also published. You can verify both the software running on the device and the physical design of the board itself.
Yes, and it is one of the best wallets for multisig. Coldcard handles both single-sig and multisig configurations natively. You can run mixed-vendor multisig with a Coldcard, Foundation Passport, and BitBox02 in a 2-of-3 quorum, coordinated through Sparrow Wallet. Different manufacturers, different firmware, different attack surfaces. That is proper defense in depth.
BIP-85 lets you derive multiple independent child wallets from a single master seed. Each child wallet gets its own seed phrase. If one child wallet is compromised, the others remain safe. This is useful for compartmentalizing funds across hot wallets, lightning nodes, or separate cold storage setups without managing a pile of seed backups. Coldcard was one of the first wallets to implement BIP-85.
Instead of trusting the Coldcard's random number generator to create your seed phrase, you can roll physical dice and enter the results manually. The Coldcard converts your dice rolls into entropy for seed generation. This means you are generating randomness yourself, from a physical process you control. Paranoid? Maybe. But if you do not trust any chip's RNG, dice rolls give you verifiable randomness that no hardware flaw can compromise.
No. Beginners should start with a Trezor Safe 3 ($79) or BitBox02 ($149). Those wallets teach you the fundamentals with far less friction. The Coldcard assumes you already understand seed phrases, derivation paths, PSBT workflows, and why air-gapping matters. Come back to Coldcard after six months with a simpler wallet. At that point, the $157 price tag will make perfect sense.