Keycard Shell vs Ledger: What Makes a Wallet Trusted?
Hardware wallets come in many forms, but all have one primary purpose: to keep your private keys safe and in your custody.
Those who use hardware wallets want their keys to be under their control and secure, and they face an important choice: do you trust the manufacturer's claims of security, or do you verify it yourself?
One of the widely well-known wallets in the ecosystem is Ledger, widely adopted and known for its relative security. However, even wallets like Ledger have their shortcomings when it comes to being open, verifiable, and modular.
Keycard Shell is a hardware wallet designed to be verifiably secure, open source, and offer powerful security features such as air-gapped transaction signing and human-readable transaction data.
While Ledger is regarded as a secure hardware wallet, much of its architecture is relatively closed, especially when compared to the ground-up design of Keycard Shell for openness and verifiability.
For Keycard Shell, openness is the core design principle that shaped the wallet’s architecture from inception.
Many projects “open source” parts of their stack after the fact. Shell was designed to be inspectable from day one.
Where Ledger’s microcontroller (MCU) firmware and secure element are closed, Keycard Shell’s firmware and secure element are fully open source.
The same is true for hardware design. The schematics, PCB layout, BOM, and 3D casing files for Keycard Shell are publicly published and open for anyone to verify. Ledger does not make this depth of hardware design information available to its users, keeping schematics, layout, and other components closed to inspection.
When both hardware and software are open, the system becomes auditable. Developers, researchers, and security professionals can review the firmware, inspect the secure element applet, and analyse the hardware design for vulnerabilities or backdoors.
The deeper benefit of this fully open-source design is verifiability.
Shell supports reproducible builds, allowing users to build the firmware from source and confirm that the resulting binary matches the one running on the device.
Several parts of the system are verifiable:
Firmware: Buildable from source with hash verification.
Secure element applet: Open source and buildable by users.
Blockchain metadata databases: Data such as ERC-20 token lists, ABIs, and chain IDs are produced through an open pipeline from public sources. The build process is reproducible, and each version includes provenance links and version history.
In other words, unlike with Ledger and similarly closed wallets, the entire stack for Keycard Shell can be independently reproduced and checked.
Traditional hardware wallets combine everything into one device: key storage, transaction signing, interface, and logic. The result is a monolithic design where one piece of hardware carries all responsibilities.
Keycard Shell breaks this model apart with a card-based architecture that separates roles into two parts:
- Keycard: the removable secure element containing the private keys
- Shell: a stateless host providing the screen, keyboard, and camera
Except during initial setup, Keycard Shell never even encounters any private keys; they stay entirely on the card and can’t be exported.
A single Shell can be used with unlimited Keycards. Each card contains its own seed and PIN, and users simply swap their Keycard to switch wallets.
This gives users the freedom to rename their cards to reflect whatever they
Cards can be named to reflect their purpose, with users able to ascribe labels to their Keycards, such as “Savings”, “Trading”, or “Family”.
This allows power users, who often need to maintain several seeds for different purposes, to simply use separate cards instead of juggling multiple devices and interfaces.
Cards can also serve as convenient backups for wallets, allowing for the physical distribution of private key backups that are all compatible with the Keycard Shell device.
The device itself stores nothing sensitive, such as public keys or transaction history, and removing the Keycard from the Shell effectively wipes the session. This means that if desired, multiple users with their own Keycards can use the same Shell device while retaining control over their private keys.
Unlike the hardware of Ledger and other wallets, Shell’s specifications are open and available for anyone to inspect. The device uses a standard Nokia BL-4C battery that can be replaced for only a few dollars and without any tools.This means that, unlike with many other devices, including Ledger wallets, if the battery on the device ever fails, it is not rendered unusable.
On the other hand, those hardware wallets that use sealed or soldered batteries eventually turn into electronic waste.
While Keycard Shell is a modular, open, and verifiably secure device for interacting with Keycards, Keycards are not tied exclusively to this hardware.
Keycards support NFC, allowing you to use the same card you insert into your Shell with your smartphone, payment terminals, or even physical access control terminals.
This allows your Keycard to become a portable security module, not just an isolated card that works with a single reader device.
The biggest difference between these two ecosystems–Keycard and Ledger–is not in hardware design or convenience: it is how trust is established in the user.
Keycard Shell’s open design encourages users to verify its security for themselves. Ledger, while regarded by many as one of the most secure hardware wallets available, requires users to trust its proprietary components.
Its secure element firmware, communication protocols, and tightly integrated software ecosystem are all proprietary or include proprietary components, making open inspection and, therefore, verification impossible.
Ledger also strongly promotes Ledger Live as the primary interface for managing assets. In many cases, this becomes the default environment for interacting with the device.
While offering several convenience features, Ledger Live also functions as a monetisation platform. It integrates services such as staking, swaps, and “earn” products directly within the application.
This creates a vertically integrated system where Ledger hardware wallet users are incentivised to connect to Ledger’s own service layer over a diverse range of alternative applications.
Keycard Shell takes a different approach, offering no mandatory companion application. The device works with more than fifteen existing wallets, including:
- MetaMask
- Rabby
- Sparrow
- Specter
- Nunchuk
- BlueWallet
- imToken
- Bitget
- Cove
Air-gapped operation is also possible through QR codes, meaning the device itself never needs to connect to the internet.
Another architectural difference between Keycard Shell and Ledger lies in how the secure element behaves after deployment.
With Keycard, the secure element applet is locked and fused. Once installed, its behaviour cannot be altered. Not by users, not by the development team, and not by external pressure.
Ledger’s secure element firmware, by contrast, is upgradable. Firmware updates can modify how the chip processes or exports key material.
In May 2023, Ledger announced a service called Ledger Recover, which allows private keys to be split into encrypted shards and stored with custodial providers.
The feature demonstrated that Ledger’s architecture technically allows private keys to be exported from the device under certain conditions.
For some users, this raised an uncomfortable realisation: that the system relied on trusting the company’s firmware not to extract keys rather than it being architecturally incapable of doing so.
The Keycard applet contains no export path for private keys, and because the applet cannot be changed once fused, such a path cannot be added later.
Keycard’s open, reproducible system allows users and researchers to confirm how keys are handled. Ledger’s closed system requires trust in the manufacturer’s assurances.
Functionally, Keycard Shell and Ledger are both secure hardware wallets. They sign transactions and keep private keys isolated from internet-connected devices.
Their underlying architecture, however, represents two distinct approaches to security. Ledger’s is based on trust in it as a vendor, while Keycard earns trust through its verifiable and open design.
The question for users who are most concerned about having control over their keys is not simply which device is more secure; it is where they prefer to place their trust.