The NGRAVE ZERO holds the world's only EAL7 security certification for a consumer hardware wallet. It's fully air-gapped with zero data connections, has a 4-inch touchscreen, biometric key generation, and is IP55 rated. It also has closed-source firmware, costs $398 (before a $99 backup kit), and requires a proprietary companion app.
EAL7 is the top of the Common Criteria security evaluation framework. It requires formal mathematical verification of security properties, extensive independent testing, and documented evidence that the design is sound at a theoretical level, not just empirically tested. No other consumer hardware wallet has achieved it.
In practical terms: EAL7 means a government-accredited lab has formally verified the NGRAVE ZERO's security design. EAL6+ (used by most competing wallets) means the design was rigorously tested and penetration-tested, but not formally verified.
The gap between EAL6+ and EAL7 is real. Whether it matters for personal Bitcoin storage is a different question. Most serious security researchers would argue that an open-source, independently auditable firmware (like Trezor's or Foundation's) gives users more practical security than a closed EAL7-certified design, because you can verify it yourself rather than trusting a certification body.
Hardware wallet security depends on the device doing exactly what it claims: signing transactions with your keys and never exporting those keys. With open-source firmware, independent researchers verify this continuously. Vulnerabilities get found and fixed in public. You can build the firmware yourself from source if you want to be completely certain.
With closed firmware, you trust NGRAVE. The EAL7 certification means an accredited lab trusted them too — but that was at one point in time, for one specific firmware version. Future updates aren't automatically recertified. The certification tells you the design was sound when it was evaluated. It doesn't tell you what the firmware does today.
For personal Bitcoin self-custody, the ability to verify what runs on your device matters more than any certification. This is why the Bitcoin security community consistently rates open-source wallets above closed-source ones regardless of their certification level.
This is the practical consequence of proprietary ecosystem design. The NGRAVE ZERO requires the NGRAVE LIQUID app to function. Your GRAPHENE backup plates use NGRAVE's proprietary encoding. If NGRAVE stops operating, updates the app in a breaking way, or discontinues support, you need a recovery path.
NGRAVE's seed phrase uses standard BIP-39 words, which means if you have your full seed phrase written down in standard format, you can always recover to a different wallet. The GRAPHENE plates encode to the same underlying seed. So the underlying Bitcoin is recoverable with standard tools regardless of NGRAVE's fate.
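The recovery path above rests on the BIP-39 encoding itself. This added example (not NGRAVE's code and not part of the original review) shows how a 256-bit value written as 64 hex characters maps to the 24 word indices of a BIP-39 phrase, and how a recovering wallet rejects a phrase whose checksum does not match. The function names are hypothetical, the all-zero key is constructed sample input, and the 2048-word list is left out, so indices stand in for words.

```python
import hashlib


def entropy_to_indices(hex_key: str) -> list[int]:
    """Encode 256 bits of entropy as 24 BIP-39 word indices (0..2047)."""
    entropy = bytes.fromhex(hex_key)
    if len(entropy) != 32:
        raise ValueError("expected 64 hex characters (256 bits)")
    # BIP-39 checksum: first ENT/32 bits of SHA-256(entropy); 256/32 = 8 bits.
    checksum = hashlib.sha256(entropy).digest()[0]
    # 256 entropy bits + 8 checksum bits = 264 bits = 24 groups of 11 bits.
    bits = (int.from_bytes(entropy, "big") << 8) | checksum
    return [(bits >> (11 * (23 - i))) & 0x7FF for i in range(24)]


def indices_to_entropy(indices: list[int]) -> str:
    """Decode 24 word indices back to hex entropy, verifying the checksum."""
    if len(indices) != 24 or any(not 0 <= i < 2048 for i in indices):
        raise ValueError("expected 24 word indices in range 0..2047")
    bits = 0
    for i in indices:
        bits = (bits << 11) | i
    entropy = (bits >> 8).to_bytes(32, "big")
    # A recovering wallet recomputes the checksum; a mistyped or
    # non-BIP-39 phrase fails here instead of opening a wrong wallet.
    if bits & 0xFF != hashlib.sha256(entropy).digest()[0]:
        raise ValueError("checksum mismatch: phrase mistyped or not BIP-39")
    return entropy.hex()


if __name__ == "__main__":
    sample_key = "00" * 32  # constructed sample input, not a real key
    indices = entropy_to_indices(sample_key)
    print(indices)
    print(indices_to_entropy(indices) == sample_key)
```

Only the last index depends on the checksum, which is why a single wrong final word is caught on import.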
The LIQUID app dependency is the real risk. Wallets that work with Sparrow Wallet (Foundation Passport, Coldcard, Keystone, Trezor) give you independence from any single company's software. That's a meaningful long-term advantage.
| Feature | NGRAVE ZERO | Passport ($199) | Keystone 3 Pro ($149) |
|---|---|---|---|
| Price | $398+ | $199 | $149 |
| Security cert | EAL7 | EAL6+ | EAL6+ |
| Open firmware | ❌ Closed | ✅ Yes | ✅ Yes |
| Air-gap | ✅ QR only | ✅ QR only | ✅ QR only |
| Companion app | NGRAVE LIQUID only | Envoy (+ Sparrow) | Keystone app (+ Sparrow) |
| Bitcoin-only | ❌ No | ✅ Yes | ✅ Optional firmware |
| Sparrow support | ❌ No | ✅ Yes | ✅ Yes |
| Screen | 4" LCD | 1.8" LCD | 4" IPS |
If you have specific institutional or compliance reasons to need EAL7 certification, the NGRAVE ZERO is the only device that delivers it. For that use case, the price and ecosystem constraints are acceptable.
For personal Bitcoin self-custody, you're paying $398 for a certification that matters less than open firmware, and accepting ecosystem lock-in that the competition doesn't require. The Foundation Passport at $199 or Keystone 3 Pro at $149 give you better Bitcoin-specific security properties for significantly less money.
If premium design and the "most certified" claim matter to you and cost is not a concern, the NGRAVE ZERO is genuinely impressive hardware. Just go in understanding the tradeoffs. The cold storage guide helps clarify which security model fits your situation.
EAL stands for Evaluation Assurance Level, a security certification from the Common Criteria framework. EAL7 is the highest level possible — it involves formally verified design, mathematical proofs of security properties, and the most rigorous independent testing process. EAL6+ (used by Trezor Safe 5, Foundation Passport, and others) is already very high; it covers penetration testing and semi-formally verified design. EAL7 goes further with full formal verification. In practice, the difference matters most to institutional security buyers and government deployments. For most Bitcoin holders, EAL6+ is more than sufficient. The NGRAVE ZERO is the only consumer hardware wallet with EAL7, which is a genuine achievement.
Yes, and it takes air-gap more seriously than most. The NGRAVE ZERO has zero connectivity: no USB data, no Bluetooth, no WiFi, no NFC, no microSD card. All communication happens via QR codes between the device and the NGRAVE LIQUID app on your phone. The USB-C port is for charging only. There is physically nothing on the device that can transmit data other than the display showing QR codes.
No, and this is the main criticism of the device. The operating system and firmware are proprietary and closed source. NGRAVE argues that their EAL7 certification and formal security verification compensate for this. The Bitcoin security community generally disagrees — independent firmware auditability is valued above certifications, because certifications can't be verified by the individual user. Coldcard, Trezor, Foundation Passport, Keystone, and BitBox02 all publish open firmware. NGRAVE doesn't.
The NGRAVE ZERO generates what it calls a 'Perfect Key' — a 64-character hexadecimal seed that's equivalent to a 256-bit master private key (more entropy than a standard 24-word seed phrase). The generation process involves user-provided randomness via the device's camera (a photo contributes to entropy), biometric fingerprint input, and the device's internal random number generator. The result is a seed with certified maximum entropy. You back it up on NGRAVE's GRAPHENE stainless steel plates (sold separately, ~$99).
GRAPHENE is NGRAVE's proprietary stainless steel seed backup system. It uses two plates: one with a QR-coded pattern unique to your device, and one with your key data. You need both plates together to reconstruct the wallet. This is a split-backup scheme similar in concept to SLIP-39, but proprietary to NGRAVE's system. A basic GRAPHENE backup costs ~$99, on top of the $398 device cost. For comparison, a DIY stainless steel seed backup (CryptoSteel, Cryptoddle, etc.) costs $30-80 and works with any standard BIP-39 wallet.
No. The NGRAVE ZERO is designed around the NGRAVE LIQUID companion app (iOS and Android). Transaction signing, account management, and all wallet interactions require the app. Unlike the Foundation Passport (which works with Sparrow, BlueWallet, and others) or the Keystone (which works with 30+ wallets), the NGRAVE ecosystem is tightly coupled to NGRAVE's own software. You're relying on NGRAVE to maintain the app and servers.
For most Bitcoin holders, no. At $398 (or up to $498 with GRAPHENE), you're paying a significant premium for EAL7 certification and premium hardware design over devices with stronger Bitcoin-specific security properties. The Foundation Passport at $199 has open hardware and firmware (which end users can audit, unlike an EAL7 evaluation), QR air-gap, and works with Sparrow Wallet without a proprietary app. The NGRAVE ZERO makes sense for institutional or high-net-worth situations where EAL7 certification creates a documented compliance requirement. For personal Bitcoin storage, it's overkill in the wrong direction.
Bitcoin multisig via NGRAVE is limited compared to Sparrow-compatible devices. The NGRAVE ecosystem is primarily designed around single-signature wallets managed through NGRAVE LIQUID. Advanced multisig coordination (like setting up a 2-of-3 with Sparrow across multiple devices) is not NGRAVE's strong suit. For serious multisig Bitcoin setups, Coldcard, Foundation Passport, and Keystone 3 Pro have better Sparrow integration.
NGRAVE is a Belgian company founded in 2018. The device was designed with input from Jean-Jacques Quisquater, one of the cryptographers cited in Satoshi's original Bitcoin whitepaper. The Belgian origin and EAL7 certification at imec, a world-leading nanoelectronics research center in Leuven, are part of NGRAVE's premium positioning.
Foundation Passport wins on most Bitcoin-specific criteria: open firmware you can verify, works with Sparrow without a proprietary app, cleaner self-custody story, and costs $200 less. NGRAVE ZERO wins on hardware build quality, EAL7 certification, IP55 water and dust resistance, and the biometric key generation process. If you're choosing purely for Bitcoin self-custody security, Passport is the better choice. If premium hardware design and the highest available security certification matter for institutional reasons, choose the NGRAVE ZERO.