BlogInsights
Keycard: Modular, Open Hardware Wallet (Overview)

Keycard: Modular, Open Hardware Wallet (Overview)

K
Kamila
on 10 Jul 2026
Keycard splits hardware security into a portable smartcard for keys and a separate Keycard Shell for transaction approvals.

A modular hardware wallet splits security responsibilities across separate, purpose-built components instead of packing everything into one sealed device. The signing key lives inside a dedicated secure element chip, while the display, input, and communication layers exist in a separate shell or host. This approach lets each component be individually verified, replaced, or upgraded without altering the security model.

Traditional hardware wallets combine a screen, microcontroller, secure element (when present), and communication interface into a single enclosure. A modular design breaks that coupling. The cryptographic core, where private keys are generated and never leave, becomes a portable smartcard. The interface layer, where you review transaction details and approve signing, becomes a separate device.

Keycard is a concrete example of this architecture, built around two distinct products that work together.

The Keycard smartcard is a credit-card-sized NFC device running a BIP-32 HD wallet applet on an NXP JCOP4 P71 JavaCard secure element, certified at EAL6+ under Common Criteria. It has no battery, no screen, and no network connectivity. When a host device sends an unsigned transaction hash over ISO 7816 APDU commands, the card signs internally using its on-card key and returns only the signature. Raw private keys never enter the host.

The Keycard Shell is the modular interface: a standalone signing device with a 2.0-inch color display, 12-key keypad, and a global-shutter camera for QR code scanning. It contains no keys of its own. When a Keycard is removed, the Shell holds zero user data and powers off. Private keys exist only inside whichever Keycard is inserted.

This separation creates a powerful property: you can carry the slim smartcard in a regular wallet, leave the Shell at home, and still have your signing key with you. Any number of Keycards can work with one Shell, and one Keycard can work across multiple Shells.

Splitting the system means two components to manage instead of one. The standalone Keycard, without the Shell, lacks its own display for on-device transaction verification, so you depend on the host wallet's UI. The Shell solves that but adds a second piece of hardware. The trade-off is explicit: maximum portability (card alone) versus maximum verification security (card plus Shell).

The Keycard's NXP JCOP4 P71 secure element earned its EAL6+ rating at the chip level, meaning trained evaluators with professional equipment tested the silicon's resistance to physical and logical attacks within a defined scope. This is the same certification class used in national passports and banking cards. The chip also includes a hardware True Random Number Generator compliant with AIS-31 PTG.2 and AVA_VAN.5 (the highest Common Criteria vulnerability assessment level), so all key generation happens entirely on-card without relying on the host device's entropy.

A deliberate design decision: the Keycard applet firmware cannot be updated. Once the GlobalPlatform keys are randomized and the card enters the SECURED state, no new code can be loaded, modified, or removed. This eliminates an entire class of firmware-level supply-chain attacks. The boundary is clear: if a future protocol requires new cryptographic primitives (Schnorr signatures, for example), a new card revision is needed rather than a firmware patch.

The Shell's STM32H573 microcontroller carries its own security certification (PSA Level 3, SESIP3), including 35 days of penetration testing against hardware, software, and side-channel attacks. Its firmware can be updated, but only after the bootloader verifies a cryptographic signature and the user physically approves the flash. A dual-bank mechanism writes new firmware to the inactive flash partition and rolls back automatically on failure.

AttributeKeycard (+ Shell)Ledger Nano/StaxColdcard Mk4
Secure elementEAL6+ NXP JCOP4 P71Secure element (proprietary)Microchip ATECC608A
Source modelFully open source (MIT), firmware, bootloader, hardware, BOMPartly closed firmwarePartly open source
Air-gapped signingYes (Shell camera + QR, ERC-4527)No (USB or Bluetooth)Yes (microSD + QR on Mk4)
Modular key separationKeys on removable smartcard, Shell is statelessKeys inside sealed deviceKeys inside sealed device
Form factorISO 7816 smartcard (card) + separate signing device (Shell)USB dongle or touchscreen slabCalculator-style device
Card firmware updatesImpossible by design (immutable)UpdatableUpdatable
Wallet compatibility15+ wallets, no proprietary app requiredLedger Live required for most featuresPrimarily Coldcard + Sparrow/Electrum

The comparison highlights real engineering differences. Keycard's open hardware and stateless Shell design are unusual. Coldcard also offers air-gapped signing, but bundles keys and interface into one device. Ledger's secure element is well-tested but runs partly closed firmware, which limits independent verification.

Malware on the connected host. Because the Keycard signs on-card and the Shell provides an independent display for transaction verification via QR codes, a compromised computer or phone cannot silently alter what gets signed. The Shell shows recipient addresses, amounts, and fees on its own screen. The boundary: you must actually verify this information before pressing the physical OK button.

Physical theft. The card is PIN-protected (6-digit, configurable 2 to 10 retry limit). After exhausting attempts, the card locks. A 12-digit PUK provides recovery with its own retry limit. An optional duress PIN unlocks a cryptographically separate decoy wallet, and the card reveals no indication which PIN was entered. The limitation: PIN secrecy depends on you.

Supply-chain tampering. Immutable firmware eliminates post-manufacture code injection on the card side. Both the Keycard and Shell support authenticity verification: the card carries a factory-signed ECDSA certificate in its Ident applet, and the Shell uses mutual authentication with a verification counter and first-verification date to flag cloning attempts. The boundary: the NXP JCOP4 P71 silicon itself is proprietary, so trust in the chip rests on its Common Criteria evaluation and billions of units deployed globally across banking and government use cases.

Blind signing. The Shell decodes ERC-20 transfers, EIP-712 typed data, Gnosis Safe transactions, Permit/Permit2 calls, and Bitcoin PSBTs before displaying them for approval. An on-device function-selector database provides ABI decoding. The limitation: nested or recursive ABI structures exceed the device's memory, and novel contract calls may display raw calldata rather than human-readable fields.

What does "modular" mean in the context of the Keycard hardware wallet?

It means the cryptographic key storage (the Keycard smartcard) and the user interface (the Keycard Shell) are physically separate components. The smartcard holds your keys and performs all signing operations, while the Shell provides the screen, keypad, and camera. Either component can be swapped independently.

Is the Keycard smartcard air-gapped?

The standalone Keycard communicates over NFC (13.56 MHz contactless) or ISO 7816 contact interface, so it is not physically air-gapped. It is accurately described as a hardware signer with no network connectivity, meaning no Wi-Fi, Bluetooth, or internet. Air-gapped signing requires the Keycard Shell, which uses camera-based QR codes (ERC-4527) with no RF hardware at all.

Can Keycard firmware be updated?

The Keycard smartcard's applet is immutable once locked. GlobalPlatform keys are randomized and the card is set to SECURED state, preventing any code changes. The Keycard Shell firmware, by contrast, can be updated with cryptographic signature verification and physical user approval.

What happens if I lose the Keycard Shell?

The Shell stores no keys and no user data. When the Keycard is removed, the Shell forgets everything. You can use your Keycard with any other Shell or connect it directly to a compatible phone or desktop via NFC or a USB smartcard reader.

Which wallets work with Keycard?

Keycard works with over 15 wallets including MetaMask, Rabby, Sparrow, Nunchuk, BlueWallet, Specter, Status, imToken, Bitget, UniSat, Ambire, Bitcoin Safe, Cove, and Bull Bitcoin. No proprietary companion app is required. Connection paths include QR (via Shell), USB HID, and NFC.

Does Keycard support Bitcoin multisig?

Keycard acts as a signer in multisig setups. It signs PSBTs with all sighash flags and supports Legacy, Nested SegWit, Native SegWit, and Multisig (P2WSH) address formats. Multisig coordination and PSBT combining happen in the paired third-party wallet such as Sparrow, Nunchuk, or Specter.

What does EAL6+ actually certify?

EAL6+ is a Common Criteria assurance level applied to the NXP JCOP4 P71 secure element chip, not to the entire Keycard product or its firmware. It means the silicon was semi-formally verified and tested by accredited evaluators against physical and logical attack scenarios. It is the highest widely used CC level, the same class protecting passports and bank cards, but it does not guarantee absolute security against all possible future attacks.

Can I back up my keys across multiple Keycards?

Yes. The same BIP-39 recovery seed can be loaded onto multiple Keycard smartcards, each protected by its own independent PIN. This provides physical redundancy. Each card's KeyUID (a SHA-256 hash of the master public key) lets you confirm that two cards hold the same seed without exposing it.

Is the Keycard system fully open source?

The Keycard applet, Shell firmware, bootloader, hardware schematics, BOM, and 3D enclosure files are all published under the MIT license on GitHub. Shell firmware supports reproducible builds so anyone can verify that the published source matches the binary running on a device. One honest boundary: the NXP JCOP4 P71 secure element silicon itself is proprietary, which is typical for certified secure elements across the industry.