How a hardware wallet works

The core principle of a hardware wallet is simple: your private key never leaves the device. Here is the step-by-step process of how a hardware wallet handles a transaction:

  1. Key generation. When you first set up the device, it generates your private keys internally, using its own random number generator. The keys are created inside the device and stored there permanently.
  2. Transaction request. When you want to send crypto, your computer or phone prepares the transaction details (recipient address, amount, network) and sends this unsigned transaction data to the hardware wallet.
  3. Internal signing. The hardware wallet displays the transaction details on its own screen for you to verify. If you approve, the device signs the transaction using the private key — entirely within its own secure processor.
  4. Signed output. The signed transaction is sent back to your computer, which broadcasts it to the blockchain network. At no point during this process does the private key leave the hardware wallet.
  5. Malware immunity. Even if your computer is completely compromised — infected with keyloggers, clipboard hijackers, or screen-capture malware — the attacker cannot extract your private key because it never exists on your computer. They would need physical access to the device itself.

Cold wallet vs hot wallet

The terms "cold" and "hot" describe whether a wallet's private keys are exposed to the internet. This is the single most important security distinction in crypto storage.

Hot wallets

A hot wallet is any wallet where your private keys exist on an internet-connected device. This includes browser extensions like MetaMask, mobile apps like Phantom or Trust Wallet, and desktop applications. Hot wallets are convenient — you can sign transactions instantly, interact with DeFi protocols with a click, and access your funds from anywhere.

The tradeoff is security. Because your keys are on a device connected to the internet, they are vulnerable to malware that can extract keys from memory, phishing sites that trick you into signing malicious transactions, and browser exploits that compromise extensions. For more on these risks, see our guide on staying safe in crypto.

Cold wallets

A cold wallet keeps private keys on a device that is never directly connected to the internet. The most common form is a hardware wallet, though the term also covers other offline methods like air-gapped computers or even paper wallets (private keys printed or written on paper).

Cold wallets require you to physically interact with the device to approve each transaction. This extra step — plugging in the device, reviewing the transaction on its screen, pressing a physical button to confirm — is both the inconvenience and the security feature. No remote attacker can approve a transaction for you.

Side-by-side comparison

| Factor | Hot wallet | Cold wallet (hardware) |
|---|---|---|
| Security | Moderate — keys on internet-connected device | Very high — keys never online |
| Convenience | High — instant access, one-click signing | Lower — requires physical device, manual confirmation |
| Cost | Free | $60-$400 depending on model |
| Best for | Daily transactions, small amounts, active DeFi use | Long-term storage, significant holdings, self-custody |
| Primary risk | Malware, phishing, browser exploits | Physical theft, losing seed phrase, supply chain attacks |

Major hardware wallets

The hardware wallet market is dominated by two established brands, with several newer entrants offering alternative approaches.

Ledger

Ledger is the most widely used hardware wallet brand. Its devices use a Secure Element chip — the same type of chip used in credit cards and passports — to protect private keys. The Ledger product line includes:

  • Nano S Plus — The entry-level model. USB-C connection, small screen, supports 5,000+ tokens. Typically around $80.
  • Nano X — Adds Bluetooth connectivity for mobile use, larger storage, and a slightly bigger screen. Around $150.
  • Stax — Premium model with an E Ink touchscreen, wireless charging, and a more modern design. Around $280.

Ledger runs a proprietary operating system (BOLOS), which means the firmware is not fully open-source. This has been a point of contention in the community. In 2023, the announcement of Ledger Recover — a feature that could split and export seed phrases to third-party custodians — raised significant concerns among users who chose hardware wallets specifically to ensure their keys would never leave the device. The feature is opt-in, but its existence sparked an ongoing debate about the meaning of self-custody.

Trezor

Trezor, made by SatoshiLabs, was the first commercially available hardware wallet (launched in 2014) and is fully open-source — anyone can inspect the firmware and hardware design. The product line includes:

  • Model One — Basic model with a small screen and two physical buttons. The most affordable hardware wallet available, typically around $60.
  • Model T — Adds a color touchscreen and supports more cryptocurrencies. Around $180.
  • Safe 3 — Newer model with a Secure Element chip (a first for Trezor), USB-C, and updated security architecture. Around $80.

Trezor's open-source approach means its security has been publicly audited and tested by the community for over a decade. The tradeoff: earlier models lacked a Secure Element chip, which theoretically made them more vulnerable to sophisticated physical attacks (addressed in the Safe 3).

Other notable hardware wallets

  • Keystone — An air-gapped hardware wallet that communicates entirely through QR codes. It never connects to a computer via USB or Bluetooth, adding another layer of isolation.
  • GridPlus Lattice1 — A larger, home-based device with a touchscreen and smart card system. Designed for users who interact with DeFi frequently and want to review transaction details on a large display.
  • SafePal — Budget-friendly hardware wallet with air-gapped signing via QR codes and a companion mobile app.

When do you need a hardware wallet?

Not everyone needs a hardware wallet. The right storage solution depends on how much crypto you hold, how you use it, and your personal risk tolerance.

You probably need one if...

  • You hold more than $1,000-$5,000 in crypto.
  • You plan to hold long-term (months or years).
  • You want genuine self-custody where you control your own keys.
  • You are storing retirement savings or funds you cannot afford to lose.

You probably don't need one if...

  • You hold small amounts for learning or experimentation.
  • You trade frequently and need instant access.
  • You keep most of your crypto on a reputable exchange (custodial storage).
  • You are still in the early learning phase and want simplicity first.

Many experienced users take a hybrid approach: a hardware wallet for the majority of their holdings (long-term storage), and a hot wallet with a smaller amount for daily DeFi activity and transactions.

Setting up a hardware wallet

The setup process is similar across brands, and getting it right from the start is critical.

  1. Buy from the official source. Order directly from the manufacturer's website or an authorized retailer. Never buy a hardware wallet from a marketplace like eBay or from third-party sellers on Amazon — the device could have been opened, tampered with, or pre-loaded with compromised firmware.
  2. Verify the seal and packaging. Check that security seals are intact and that the device shows no signs of tampering. Both Ledger and Trezor provide verification instructions in their documentation.
  3. Generate your seed phrase on the device. During initial setup, the device will generate a seed phrase (typically 24 words). This phrase is displayed on the device's own screen — never on your computer. Write it down on paper. Not on your phone, not in a notes app, not in a cloud document. On paper.
  4. Set a PIN. The PIN protects the device itself. Without the PIN, a thief who steals the physical device cannot access your keys. Most hardware wallets wipe themselves after several incorrect PIN attempts.
  5. Test recovery before storing significant funds. After setup, consider resetting the device and restoring from your seed phrase to verify that you recorded it correctly. Better to discover a problem with a test recovery than when you actually need it.

Common mistakes to avoid

  • Buying from unofficial sellers. A used or repackaged hardware wallet could have pre-generated keys that the seller already knows. If they have your seed phrase, they have your funds.
  • Storing the seed phrase digitally. Taking a photo of your seed phrase, storing it in a password manager, or saving it in a cloud document defeats the purpose of offline key storage. If your phone or cloud account is compromised, so is your seed phrase.
  • Not testing recovery. If you do not verify that your written seed phrase correctly restores your accounts, you may discover the error only when you urgently need to recover — which is the worst possible time.
  • Confusing the device with your crypto. The hardware wallet is not a vault that contains your crypto. Your tokens live on the blockchain. The hardware wallet is just a key — a tool for signing transactions. If you lose the device but have your seed phrase, you can buy a new device and restore everything. If you lose your seed phrase, no device can help you.
  • Ignoring firmware updates. Manufacturers release firmware updates to patch vulnerabilities and add features. Keeping your device up to date is part of maintaining its security.

Using a hardware wallet with DeFi

A common misconception is that you must choose between the security of a hardware wallet and the convenience of interacting with DeFi protocols. In reality, you can have both.

Most hardware wallets integrate with popular browser wallets like MetaMask, Rabby, and others. The setup works as follows: you connect your hardware wallet to MetaMask as a "hardware account." When you interact with a DeFi protocol — swapping tokens, providing liquidity, staking — MetaMask prepares the transaction, but instead of signing it with a software key, it sends the unsigned transaction to your hardware wallet. You review and confirm on the device, and only then is the transaction signed and broadcast.

This gives you the browser-based convenience of a hot wallet with the signing security of cold storage. The only additional step is the physical confirmation on the hardware device for each transaction. For more on the wallets themselves, see our crypto wallet guide.
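The signing flow described above (the numbered steps at the top of this page and the MetaMask "hardware account" setup), as an added sketch that is not taken from any wallet vendor's code. It shows that the device renders its screen from the bytes it is about to sign, so a recipient swapped by malware on the computer is visible on the device, and that approving without reading the screen still signs the tampered transaction. Assumptions: all class and function names and both addresses are constructed for illustration, and HMAC-SHA256 stands in for the asymmetric signature a real device produces so the example runs on the standard library alone.

```python
import hashlib
import hmac
import json
import secrets


class HardwareWallet:
    """Toy model of the device: the key is created inside and never returned."""

    def __init__(self):
        self.__key = secrets.token_bytes(32)  # step 1: generated on the device

    def sign(self, unsigned_tx: bytes, approve):
        """Render the screen from the bytes to be signed; sign only on approval."""
        tx = json.loads(unsigned_tx)
        screen = f"Send {tx['amount']} to {tx['to']} on {tx['network']}"
        if not approve(screen):               # step 3: confirmation on the device
            return None                       # rejected: nothing is signed
        # Assumption: HMAC-SHA256 is a stand-in for the real asymmetric signature.
        return hmac.new(self.__key, unsigned_tx, hashlib.sha256).hexdigest()


def host_prepare(to, amount, network, swap_recipient=None):
    """Step 2 on the computer. swap_recipient models a clipboard hijacker."""
    tx = {"to": swap_recipient or to, "amount": amount, "network": network}
    return json.dumps(tx, sort_keys=True).encode()


def user_who_checks(intended_to):
    """Approval callback: compare the device screen with the intended address."""
    return lambda screen: intended_to in screen


def run_demo():
    device = HardwareWallet()
    intended = "0x" + "a1" * 20   # constructed address
    attacker = "0x" + "bd" * 20   # constructed address
    clean = host_prepare(intended, "0.5", "ethereum")
    tampered = host_prepare(intended, "0.5", "ethereum", swap_recipient=attacker)
    return {
        # Host is honest, user checks the screen: signed.
        "clean_signed": device.sign(clean, user_who_checks(intended)) is not None,
        # Host swapped the recipient, user checks the screen: rejected.
        "tampered_signed": device.sign(tampered, user_who_checks(intended)) is not None,
        # Host swapped the recipient, user confirms without reading: signed.
        "blind_approval_signed": device.sign(tampered, lambda s: True) is not None,
    }


if __name__ == "__main__":
    print(run_demo())
```

In all three cases the key stays inside the `HardwareWallet` object; what changes the outcome is whether the screen is compared with the address the user meant to pay.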

Viewing your hardware wallet portfolio

Because your hardware wallet generates standard blockchain addresses, anyone (including you) can view the contents of those addresses using a block explorer or portfolio tracker — no wallet connection required.

CleanSky is built around this principle. Paste any address from your hardware wallet and see your complete portfolio: all tokens, all DeFi positions, all supported networks, presented in a clear and organized view. Your hardware wallet stays disconnected. Your keys stay offline. You get full portfolio visibility without any security compromise. For more on keeping your assets safe, see our guides on staying safe and crypto privacy and security.
