A hardware wallet is a purpose-built physical device that generates and stores private keys inside a secure element, signs transactions on-device, and never lets the plaintext key touch your computer. It is the single most cost-effective custody upgrade for any US holder above a $5K stack, and the foundation of everything else in this handbook.
The core security promise
Three properties define what "hardware wallet" actually means:
Private keys generated by the device's own random-number source. Not your laptop's RNG, not iCloud, not a website. The key exists from birth inside the secure element.
Private keys stored only in the secure element. The host computer never sees the raw key. Even if your computer has stealer malware running, the malware has nothing to steal.
Signatures produced on-device. You confirm the destination address and amount on the device's screen, physically press a button, and the signed transaction comes back to the host for broadcasting. The key never crosses the USB cable in either direction.
The market in 2026
Ledger Nano S Plus ($79) for entry-level. Ledger Stax ($399) for the touchscreen UX premium. Trezor Safe 3 ($79) and Safe 5 ($169) for the open-source camp. OneKey Classic 1S and Pro for the open-source-curious. Keystone 3 Pro ($129) for multisig-first holders with QR air-gap. Coldcard Mk4 ($157) for Bitcoin-only paranoids who want a physical keypad and microSD-based signing.
The decision matrix is covered in detail in the hardware wallet comparison. The short version: a Trezor Safe 3 with SLIP-39 Shamir Backup is the highest-value setup under $80 for a typical five-figure US holder.
The Ledger 2020 breach
In July 2020, Ledger's customer database was leaked: 270,000 email addresses, names, and physical addresses ended up on RaidForums. No seed phrases or device data were exposed — that's not the kind of data Ledger ever held — but the leak triggered a wave of physical "fake Ledger device" packages sent by mail to leaked addresses. The lesson: a hardware wallet's threat model includes the supply chain, not just the device itself.
Buying safely in the US
Always order from the manufacturer's own US storefront. Amazon Marketplace listings — even when "fulfilled by Amazon" — are a steady source of tampered devices, regardless of seller name. Best Buy carried Ledger briefly but withdrew. The current safe channels: Ledger.com, Trezor.io's shop, Coldcard via Coinkite (Canadian, ships to US), Keystone's US warehouse.
On arrival: factory reset. Initialize the device yourself. Never use a seed that came pre-printed in the box — that's the textbook supply-chain attack.
Further reading: Hardware wallet comparison, Secure element, Cold wallet.