Today, we explain the tech and rationale behind building Keycard Shell: an air-gapped signing device that works with MetaMask and co., based on our super-secure, open-source smart cards.
Like a Ledger, but with less blind signing, more open source and modular key management.
Learn more and sign up for early-bird perks at keycard.tech/keycard-shell
When we set out to create Keycard Shell, the crypto security landscape was growing rapidly, but we saw a glaring gap in the market. While hardware wallets like Ledger and Trezor offered strong security, they lacked key features that crypto users craved: privacy, modularity, and transparency through an open-source ecosystem. At the same time, the physical design of these wallets was often cumbersome and bulky - far from ideal for users who needed something sleek, portable, and easy to carry.
The vision for Shell was clear: we wanted to create a wallet that was secure, open-source, and easy to use. We wanted to provide a solution that addressed the common pain points crypto users face with traditional wallets - whether it’s worrying about the safety of paper backups, the lack of visibility in transactions, or the trust required when using closed-source products.
The journey of designing Keycard Shell started with building the first prototype.
Keycard Shell should extend the functionality of Keycard while integrating advanced features like QR code signing via camera, clearer signing via display, and a keypad to type in passwords and navigate the interface. The goal was for Keycard Shell to feel like a “complete” hardware wallet.
Unlike other hardware wallets that might require USB connections or Bluetooth, Keycard Shell was designed to be air-gapped - meaning the device would never expose sensitive data unless securely offline. The idea was to create a system that was both physically compact and digitally secure.
We chose the STM32H573, a Cortex-M33 microcontroller, for its performance, power efficiency, and robust security features, including a True Random Number Generator (TRNG) for cryptographic operations. This choice avoided the vulnerabilities of Cortex-A architectures and full-featured operating systems like Linux; we opted instead for FreeRTOS to minimize the attack surface and ensure boot times under 500 ms. The MCU also integrates RAM and Flash storage on-chip, which further minimizes the attack surface.
After the initial designs were laid out, the process entered the iterative prototyping phase. The first few models were tested for fit, functionality, and most importantly, security.
One of the major challenges we encountered early on was ensuring the Keycard Shell was sleek and compact (note: certainly not the case of the early prototypes in the image above), but also packed with additional features, including a TFT display, a CMOS camera for QR code signing, and a microcontroller (MCU) capable of running the firmware. No easy task.
Challenges included optimizing power consumption - critical for the BL-4C battery we selected for its global availability and longevity - and ensuring durability under simulated attacks on the secure element. We tested real-world scenarios, iterating to balance usability with security, such as implementing a low-Iq (low quiescent current) switch to power off the device when inactive, consuming minimal energy in STOP mode.
A standout feature of Keycard Shell is its camera, essential for scanning dynamic QR codes (via EIP-4527 and UR) for wallets like MetaMask, Rabby and BlueWallet.
After testing multiple CMOS sensors, we discarded rolling shutter options due to distortion with fast-moving QR codes. A global shutter sensor proved ideal, offering crisp, reliable decoding without interpolation overhead - crucial for our memory-constrained Cortex-M platform, where we optimized QR detection using quirc, limiting RAM usage to under 500 kB with double buffering for real-time performance.
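As an added illustration (not code from the Keycard Shell firmware): each frame of an animated UR QR code decodes to a string of the form `ur:<type>/<seqNum>-<seqLen>/<payload>`, and since it arrives through the camera it is untrusted input. The C code below strictly validates that header and tracks which plain parts have been seen; `UR_MAX_PARTS` and the struct and function names are assumptions, and bytewords/CBOR decoding and fountain-coded parts (seqNum > seqLen) are out of scope.

```c
#include <ctype.h>
#include <stdint.h>
#include <string.h>

#define UR_MAX_PARTS 256u /* assumed firmware limit, not taken from the UR spec */
struct ur_hdr { char type[32]; uint32_t seq_num, seq_len; const char *payload; };
struct ur_scan { char type[32]; uint32_t seq_len, have; uint8_t seen[UR_MAX_PARTS]; };

/* Bounded decimal: rejects empty, zero, oversized values and a wrong terminator. */
static const char *parse_num(const char *p, char stop, uint32_t *out) {
    uint32_t v = 0;
    if (!isdigit((unsigned char)*p)) return NULL;
    for (; isdigit((unsigned char)*p); p++) {
        v = v * 10u + (uint32_t)(*p - '0');
        if (v > (1u << 24)) return NULL;      /* cap before it can overflow */
    }
    if (*p != stop || v == 0) return NULL;
    *out = v;
    return p + 1;
}

/* Returns 0 on success, -1 on malformed input. A single-part UR is reported as 1-1. */
int ur_parse_header(const char *s, struct ur_hdr *h) {
    size_t n = 0;
    if (tolower((unsigned char)s[0]) != 'u' || tolower((unsigned char)s[1]) != 'r' || s[2] != ':') return -1;
    for (s += 3; *s && *s != '/'; s++) {      /* type: letters, digits, '-' */
        int c = tolower((unsigned char)*s);   /* QR alphanumeric mode is upper case */
        if (!(islower(c) || isdigit(c) || c == '-') || n + 1 >= sizeof h->type) return -1;
        h->type[n++] = (char)c;
    }
    if (n == 0 || *s != '/') return -1;
    h->type[n] = '\0';
    h->seq_num = h->seq_len = 1;
    if (isdigit((unsigned char)*++s)) {       /* multi-part: "<seqNum>-<seqLen>/" */
        if (!(s = parse_num(s, '-', &h->seq_num)) || !(s = parse_num(s, '/', &h->seq_len))
            || h->seq_len > UR_MAX_PARTS) return -1;
    }
    if (*s == '\0') return -1;                /* empty payload */
    for (const char *p = s; *p; p++) if (!isalpha((unsigned char)*p)) return -1;
    h->payload = s;
    return 0;
}

/* Returns the number of plain parts still missing, or -1 if the frame belongs to
   a different message (type or seqLen changed mid-scan). Zero-initialise *sc first. */
int ur_track(struct ur_scan *sc, const struct ur_hdr *h) {
    if (sc->seq_len == 0) { strcpy(sc->type, h->type); sc->seq_len = h->seq_len; }
    else if (sc->seq_len != h->seq_len || strcmp(sc->type, h->type) != 0) return -1;
    if (h->seq_num <= h->seq_len && !sc->seen[h->seq_num - 1]) { sc->seen[h->seq_num - 1] = 1; sc->have++; }
    return (int)(sc->seq_len - sc->have);
}
```

Rejecting a frame whose type or part count differs from the scan in progress keeps a second animated code shown to the camera from being spliced into the request being assembled.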
Post-prototyping, we conducted rigorous security tests, including USB data interception attempts and physical tampering, ensuring Keycard Shell’s air-gapped design held firm. We validated backup functionality across multiple smart cards and tested usability in real-world conditions, confirming the device’s TFT display and camera integration met high standards for clarity and responsiveness.
This design journey marks just the beginning. Keycard will evolve with open-source principles and community input. We’re excited to shape the future of crypto security - one card at a time.
Join the Keycard Shell waitlist at keycard.tech/keycard-shell