The crypto-custody market lists about 20 devices that claim "secure." This page narrows the field to eight I have either used personally or evaluated for the editorial pile, then scores each against the security, recovery, and usability dimensions that actually move the needle for a US-based holder.
The scoring rule is blunt: a signing device that fails any one critical dimension goes to the bottom regardless of marketing. Closed firmware, weak EAL grade, no Air Gap option, no multisig path — each of these is a dealbreaker for a different threat model. Read the matrix as a checklist, not as a leaderboard.
The matrix · 8 devices, 9 dimensions
| Device | Price (USD) | Secure element | EAL grade | Open source | Display | Air Gap | Shamir backup | Multisig |
|---|---|---|---|---|---|---|---|---|
| Ledger Nano S Plus | $79 | ST33K1M5 | EAL5+ | Partial | 0.96" OLED + buttons | No (USB) | No | Supported |
| Ledger Stax | $399 | ST33K1M5 | EAL5+ | Partial | 3.7" E-ink touchscreen | No (USB / NFC) | No | Supported |
| Trezor Safe 3 | $79 | Optiga Trust M | EAL6+ | Fully open | 0.99" color + buttons | No (USB) | Yes (SLIP-39) | Supported |
| Trezor Safe 5 | $169 | Optiga Trust M | EAL6+ | Fully open | 1.54" color touchscreen | No (USB) | Native SLIP-39 | Supported |
| OneKey Classic 1S | ≈$70 | Infineon SLE 78 | EAL6+ | App layer open | Mono OLED + buttons | No (USB) | No | Supported |
| OneKey Pro | ≈$249 | Infineon SLE 78 | EAL6+ | App layer open | 3.5" color touchscreen | Yes (QR) | No | Supported |
| Keystone 3 Pro | $129 | Triple SE | 3× EAL5+ | Mostly open | 4" color touchscreen | Yes (QR) | No | Native |
| Coldcard Mk4 | $157 | Microchip ATECC608 | EAL5 | Fully open | OLED + physical keypad | Yes (microSD) | No | Native (anchor feature) |
How to read the rows
Ledger Nano S Plus. The cheapest entry into the Ledger Live ecosystem. Fine for a five-figure stack and a single-signer setup. The 2020 customer-data breach is old news but worth knowing: physical-address leakage was the consequence, not seed exposure. Firmware is partially closed, which is the trade-off you accept for the wider coin support and the Ledger Live UX.
Ledger Stax. Designed by Tony Fadell, with an E-ink curved touchscreen. Price puts it in collector territory; the security model is identical to Nano S Plus. Buy if you want the display; do not buy expecting a different threat model.
Trezor Safe 3 / Safe 5. The open-source benchmark. Optiga Trust M raises the secure element to EAL6+, and SLIP-39 Shamir backup is built in — split the seed across three locations and require any two to recover. Worth paying extra for if you live alone and want resilience without a multisig setup.
OneKey Classic 1S / Pro. A solid alternative if you do not want either Ledger or Trezor. App layer is open source, hardware design is reviewed publicly. The Pro adds a 3.5" touchscreen and QR Air Gap — useful if you want to keep the signing device strictly offline.
Keystone 3 Pro. Multisig-first design with triple secure elements. The 4" touchscreen and QR Air Gap make it the easiest device to operate inside a 2-of-3 setup with a partner or executor. Pair with Sparrow or Specter on the coordinator side.
Coldcard Mk4. Bitcoin-only by design. Physical keypad, microSD Air Gap, PSBT-native workflow. The opinionated UX intimidates first-time users; that is the point. Pick this if you are willing to learn the PSBT round-trip and want the most paranoid signing surface available at retail.
Recommendations by user profile
- Five-figure stack, single signer, US-based. Trezor Safe 3 + Shamir 2-of-3 across home safe, parents' house, bank deposit box. Total cost under $80.
- Six figures, single signer. Trezor Safe 5 or OneKey Pro. Add a passphrase. Move the IRS cost-basis records off the device and into a separate encrypted note.
- Six figures, with executor/family handoff. Keystone 3 Pro + a coordinator like Sparrow. Run a 2-of-3 multisig with one key at home, one at a CPA or attorney, one with a trusted family member.
- BTC-only purist. Coldcard Mk4. Pair with Sparrow. Accept the learning curve.
- Newcomer with under $5K. Ledger Nano S Plus is fine. Do not over-engineer the setup at this scale; learn the basics first.
Purchase channel — US-specific
Always buy from the manufacturer's own US storefront or its single named authorized reseller. Amazon listings are a steady source of pre-seeded or tampered devices, regardless of the "Sold by" name. Coldcard ships from Coinkite (Canada-based but with US delivery). Trezor ships from the official Trezor Shop. Ledger has a US warehouse. If a deal looks better than the manufacturer price by more than 15%, treat it as a counterfeit signal.
Further reading: Cold vs hot wallet, Private keys and seed phrases, Case files.