Hardware Wallet Review

Foundation Passport Review 2026
Air-Gapped Bitcoin Security Done Right (8.5/10)

The Foundation Passport is what happens when engineers who actually use Bitcoin build a hardware wallet. Fully open-source, QR air-gap signing, AA batteries, made in the USA. For someone who wants air-gap security without the punishing interface of a Coldcard, the Passport is the answer.

Bitcoin.diy Editorial · March 31, 2026 · Updated: Apr 3, 2026

The $199 price is not cheap. But you are not paying for a logo or a nice box. You are paying for a device where every component, every line of code, and every design decision can be independently verified. Foundation publishes everything. Their philosophy is trust through transparency, not trust through authority.

The one honest caveat: the Passport works best with the Envoy app, and Envoy does not have a Linux desktop client. If you run Linux exclusively, you will need to use Sparrow or another compatible wallet software instead. Not a dealbreaker, but worth knowing before you buy.

This review covers the Passport 2 (the current model as of 2026). Foundation has improved the device steadily since the original 2021 launch, with better QR scanning performance, updated firmware, and a growing library of Envoy features. If you are looking at a used original Passport, it still works, but the Passport 2 is worth the current retail price.

8.5/10

Quick Verdict

Best open-source air-gap wallet for non-power-users

Price: $199
Best for: Security-focused Bitcoiners
Air-gap: Yes (QR codes)
Made by: Foundation, USA

Key Features at a Glance

  • Fully open-source hardware schematics, firmware, and companion app (Envoy)
  • QR-code only air-gap: no USB data, no Bluetooth, no wireless of any kind
  • Color LCD display makes address verification and menu navigation clear
  • Bitcoin-only firmware: no altcoin bloat, smaller attack surface
  • Runs on four standard AA batteries, no power cable needed during signing
  • Built and assembled in the United States
  • MicroSD backup slot for seed storage and firmware updates
  • Envoy companion app (iOS and Android) is the best hardware wallet companion app available

Rating Breakdown

Scores across five categories. Each is weighted independently based on what matters most for secure Bitcoin storage.

Category | Score | Notes
Security | 9/10 | Full air-gap via QR, open-source hardware and firmware
Ease of Use | 8/10 | Envoy app makes setup easy; no Linux desktop support
Open Source | 10/10 | Hardware schematics, firmware, and Envoy app all public
Features | 8/10 | MicroSD backup, dice entropy, multisig support
Price / Value | 8/10 | $199 for US-made open hardware with excellent companion app
Overall | 8.5/10 | Best open-source air-gap wallet for non-power-users

Hardware Specs

Full technical specifications for the Passport 2 (current model, 2026).

Main Chip: STM32H753
Secure Element: ATECC608A
Display: Color LCD
Connectivity: QR codes (primary) + microSD + USB-C (power only)
Bluetooth: None
Bitcoin-only: Yes
Open Source: Full stack (hardware + firmware + Envoy app)
Companion App: Envoy (iOS + Android)
Power: 4x AA batteries
Made in: USA
Price: $199 USD

What Is the Foundation Passport?

Foundation Devices was founded by Zach Herbert, a former executive at the Bitcoin company Casa. The company is based in the United States and launched the first Passport in 2021. The mission from day one was to bring genuine air-gap security to a broader audience, not just the subset of Bitcoiners willing to navigate the Coldcard's austere interface.

What sets the Passport apart from every competitor is the scope of its open-source commitment. Ledger publishes nothing. Trezor publishes firmware. Coldcard publishes firmware and hardware schematics. Foundation publishes all three: hardware schematics, firmware, and the Envoy companion app. Every component of the system can be independently verified by anyone with the technical skill to do so.

The most direct comparison is the Coldcard Mk4. Both are Bitcoin-only. Both achieve true air-gap. Both have open-source hardware and firmware. The Coldcard wins on advanced features: duress wallets, BIP-85 derived child wallets, dual Secure Elements, brick-me PIN, countdown login. The Passport wins on usability: color display, Envoy companion app, simpler workflow. If you want the most powerful signing device available regardless of friction, buy a Coldcard. If you want air-gap security with a workflow you will actually use every day, the Passport is the better choice.

The Passport 2 (current model) refined the original with a better camera for QR scanning, improved battery life, and a faster processor. Foundation has been iterating steadily since launch and maintains active development on both the firmware and the Envoy app.

Foundation sells the Passport directly through its website and ships internationally. There are no authorized resellers, which means every Passport you buy comes directly from the manufacturer with an unbroken chain of custody. This matters for supply chain security. Buying from a reseller introduces additional risk, even if that reseller is reputable. Foundation's direct sales model removes that variable entirely.

How Does QR Air-Gap Signing Work on the Passport?

The QR workflow replaces the cable or microSD card that other wallets use to transfer transaction data. Everything moves through the camera and screen as visual codes. Here is the full process from start to broadcast:

1. Build the transaction in Envoy or Sparrow

Your wallet software constructs the transaction with destination address, amount, and fee. It encodes the unsigned PSBT as an animated QR code displayed on your phone or computer screen.

2. Passport scans the animated QR

Hold the Passport camera up to your screen. The device reads the animated QR frames and reconstructs the full unsigned transaction internally. Nothing digital passes between the two devices.

3. Verify on the Passport screen

The color LCD shows you the destination address and amount in full. Confirm the address matches your intended recipient before signing. This is the critical verification step.

4. Sign and display the signed transaction

After you approve, the Passport signs the transaction with your private key and encodes the signed PSBT as an animated QR code on its own screen.

5. Envoy or Sparrow captures and broadcasts

Hold your phone camera up to the Passport screen. Envoy or Sparrow scans the signed QR, reconstructs the transaction, and broadcasts it to the Bitcoin network.

The security argument for this approach is straightforward. No cable means no data channel for malware to exploit. A USB connection is a bidirectional communication channel. QR codes are a one-way visual signal. You can literally see data moving between devices. There is nothing invisible happening in a driver stack or firmware interface.

Compared to the Coldcard's microSD approach, QR is more intuitive but adds steps when transactions are large. The Coldcard can handle arbitrarily large PSBT files on a microSD card. QR codes have data limits, which is why the Passport uses animated sequences of multiple frames. For standard transactions, the difference is negligible. For complex multisig setups with many inputs, microSD has a practical advantage. Both are genuinely air-gapped. Both are valid approaches to the same problem.
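The multi-frame transfer described above, as an added example that is not part of the original review and not the encoding Passport, Envoy, or Sparrow actually use: a deliberately simplified frame format (index/total/tag/base32 body) showing how a receiver rebuilds a payload from a looping animation where frames arrive out of order, repeated, or unreadable. The frame layout, the names `split_frames` and `FrameCollector`, and the sample payload are all assumptions made for the illustration.

```python
import base64
import hashlib
from typing import Dict, List, Optional

# Constructed stand-in for an unsigned PSBT: the 5-byte PSBT magic followed
# by filler bytes. It is not a valid transaction.
SAMPLE_PSBT = b"psbt\xff" + bytes(range(200))


def split_frames(payload: bytes, frame_bytes: int) -> List[str]:
    """Split a payload into self-describing text frames, one per QR image."""
    if not payload or frame_bytes < 1:
        raise ValueError("need a non-empty payload and a positive frame size")
    # The tag ties frames to one sequence and lets the receiver detect scan
    # errors. It is NOT authentication: a malicious host can compute a valid
    # tag for any payload, which is why the on-device address check matters.
    tag = hashlib.sha256(payload).hexdigest()[:16]
    chunks = [payload[i:i + frame_bytes] for i in range(0, len(payload), frame_bytes)]
    return [
        f"{n}/{len(chunks)}/{tag}/{base64.b32encode(chunk).decode('ascii')}"
        for n, chunk in enumerate(chunks, 1)
    ]


class FrameCollector:
    """Receiver side: accepts frames in any order until the set is complete."""

    def __init__(self) -> None:
        self.total: Optional[int] = None
        self.tag: Optional[str] = None
        self.parts: Dict[int, bytes] = {}

    def complete(self) -> bool:
        return self.total is not None and len(self.parts) == self.total

    def missing(self) -> List[int]:
        if self.total is None:
            return []
        return [n for n in range(1, self.total + 1) if n not in self.parts]

    def feed(self, frame: str) -> bool:
        """Record one scanned frame; return True once every frame is present."""
        try:
            n_s, total_s, tag, body = frame.split("/", 3)
            n, total = int(n_s), int(total_s)
            chunk = base64.b32decode(body)
        except ValueError:
            return self.complete()  # unreadable scan: ignore, keep scanning
        if total < 1 or not 1 <= n <= total:
            return self.complete()  # malformed header: ignore
        if self.tag is None:
            self.tag, self.total = tag, total  # lock onto the first sequence seen
        if (tag, total) != (self.tag, self.total):
            return self.complete()  # frame from a different animation: ignore
        self.parts[n] = chunk
        return self.complete()

    def payload(self) -> bytes:
        """Reassemble and verify; raises if frames are missing or damaged."""
        if not self.complete():
            raise ValueError(f"still missing frames {self.missing()}")
        data = b"".join(self.parts[n] for n in range(1, self.total + 1))
        if hashlib.sha256(data).hexdigest()[:16] != self.tag:
            raise ValueError("reassembled payload does not match sequence tag")
        return data


if __name__ == "__main__":
    frames = split_frames(SAMPLE_PSBT, 64)
    collector = FrameCollector()
    # A camera joining mid-loop sees frames out of order and more than once.
    for frame in [frames[2], frames[0], frames[2], frames[3], frames[1]]:
        done = collector.feed(frame)
        print(f"scanned {frame.split('/')[0]}/{len(frames)} missing={collector.missing()}")
    print("payload intact:", done and collector.payload() == SAMPLE_PSBT)
```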

One thing worth noting: the QR workflow requires good lighting for the camera to scan reliably. Dim environments or very bright screens can cause the Passport camera to struggle. In practice, this is a minor inconvenience rather than a real problem. Increasing your screen brightness to maximum before scanning resolves most issues. The camera in the Passport 2 is significantly better at this than the original model was.

Why Does Open Source Matter for a Hardware Wallet?

With a closed-source hardware wallet, you are trusting the manufacturer's word that the firmware does exactly what they claim and nothing more. You cannot verify there is no backdoor. You cannot confirm the key generation is truly random. You cannot check whether keys could be extracted under certain conditions. You trust the company, and that is all.

Open-source firmware changes the dynamic entirely. The code speaks for itself. Security researchers, Bitcoin developers, and curious users can read every line, audit every function, and report any suspicious behavior. Vulnerabilities get found and fixed publicly. The manufacturer cannot hide mistakes or design in secret extraction mechanisms.

Foundation takes this further than any competitor by publishing the hardware schematics. You can verify the physical board design, not just the software running on it. The Envoy companion app is also open source on GitHub, completing the full stack. If any component of the system were doing something it should not be doing, the community would see it immediately.

Compare this to Ledger, which runs completely closed firmware. In 2023, Ledger launched a “Recover” service that could fragment and export a user's seed phrase to third-party servers. This was only possible because the firmware had the ability to extract keys in software. Ledger users had no way to know this was technically possible until it shipped. Open-source firmware makes that kind of surprise impossible. The community would have caught it in code review long before it launched.

For serious cold storage, the ability to verify what your hardware wallet is actually doing is not a luxury. It is a requirement. The Passport is the only wallet that satisfies that requirement across the complete stack.

There is also a practical benefit to open source that goes beyond auditing: a larger community of contributors catches bugs faster. Foundation's public repositories have received security-relevant contributions and bug reports from outside the company. That collective scrutiny is an ongoing asset that closed-source wallets cannot access. When you buy a Passport, you benefit from every security researcher who has looked at the code.

The Envoy App: Why It Sets the Standard

Envoy is available on iOS and Android and serves as the primary interface for setting up and using the Passport. Foundation has invested seriously in the app, and the quality shows. The guided setup wizard walks you through initial device verification, seed phrase generation, backup confirmation, and watch-only wallet creation in a single coherent flow. From unboxing to first transaction takes under 15 minutes for most users.

Firmware updates are handled entirely within the app. Envoy downloads the signed firmware, verifies the cryptographic signature, and transfers it to the Passport via QR or microSD. You never have to manually download files, verify hashes in a terminal, or worry about whether you got the right build. The app handles verification automatically and refuses to proceed if something does not match.

Day-to-day use through Envoy is clean and fast. Balance view, transaction history, and the QR signing flow are all polished. Envoy supports connection to your own Bitcoin node for users who want full sovereignty over their transaction data. You can also use it with the default Foundation servers if you are not running your own infrastructure. No judgment either way.

The one honest gap is the missing Linux desktop client. Envoy runs on iOS and Android only. Linux users need to use Sparrow Wallet, which works well with the Passport but lacks the guided setup experience. For a device targeting privacy-conscious Bitcoiners, a significant portion of whom run Linux, this is a real omission. Foundation has said a desktop client is on the roadmap. Until it ships, Linux users have a slightly rougher experience.

Despite that gap, Envoy represents a meaningful bar that the rest of the hardware wallet industry should aim to match. The combination of hardware verification, guided onboarding, automatic firmware management, and clean daily-use interface is not available anywhere else. Ledger Live is bloated. Trezor Suite is functional but uninspiring. Envoy is genuinely good software.

How Does the Foundation Passport Compare to the Coldcard Mk4?

Feature | Passport ($199) | Coldcard Mk4 ($157)
Air-gap method | QR codes | microSD
Open source | Hardware + firmware + app | Firmware + hardware
Display | Color LCD | Monochrome small
Bitcoin-only | Yes | Yes
Companion app | Envoy (excellent) | None (use Sparrow)
Beginner-friendly | Moderate | No
Advanced features | Moderate | Extensive (duress, BIP-85, etc.)
Made in | USA | Canada

These are the two best air-gapped Bitcoin wallets you can buy, and they serve different users. The Passport wins on user experience by a significant margin. The color display, the Envoy app, and the QR workflow are all more approachable than the Coldcard's number-pad interface and microSD workflow. If you have never used an air-gapped wallet before, the Passport is the gentler introduction.

The Coldcard Mk4 wins on feature depth. Duress wallets, BIP-85 derived child wallets, brick-me PIN, countdown login delay, dual Secure Elements, and years of accumulated power-user features that the Passport does not attempt to match. For someone whose threat model includes physical coercion or who wants to compartmentalize funds across multiple derived wallets, the Coldcard's feature set is genuinely irreplaceable.

Many serious Bitcoiners own both and run them in a 2-of-3 multisig configuration. A Passport plus a Coldcard plus a third device gives you two independently auditable signing devices with different manufacturers, different firmware, and different attack surfaces. That is proper defense in depth for significant cold storage.

MicroSD, Batteries, and Physical Design

The USB-C port on the Passport is wired for power only. It cannot be used as a data connection during signing sessions. This is a deliberate design decision: even if malware on your computer tried to communicate over USB, there is no data channel to exploit. Power comes in, nothing else passes through. Foundation made this architectural choice explicit in their documentation, and it is the right call.

The four AA batteries are one of the Passport's most underappreciated features. No proprietary charging cable to lose. No waiting for a battery to charge before you can sign a transaction. Four AAs are available at any convenience store in the world, swap out in 30 seconds, and last for months of typical use. The Passport can be used anywhere, including locations where you would not want to be seen plugging hardware into a computer.

The microSD slot serves two functions: firmware updates without any network or USB connection, and encrypted seed backup. For firmware, you download the signed release on a separate device, copy it to microSD, and insert it into the Passport. For backup, the Passport can write an encrypted copy of your seed to microSD as a redundant backup option alongside your paper backup.

The color LCD display is genuinely better for address verification than the monochrome screens on most competitors. Seeing a full Bitcoin address displayed clearly in high contrast, with enough room to verify the full string, reduces the friction of the verification step that users are tempted to skip. The machined aluminum case gives the device a premium feel that matches the $199 price point. This does not feel like a budget device.

The physical button layout is intuitive with two side buttons for navigation and a center confirmation button. There is no touchscreen, which some users will miss and others will appreciate for its reliability. Touchscreens introduce their own attack surface and are harder to operate reliably without looking at your hands. The button-based navigation is slower but more deliberate, which suits a device whose primary job is to make high-stakes signing decisions carefully.

Understanding the Passport Security Model

The Passport uses the STM32H753 microcontroller as its main chip and the ATECC608A as its Secure Element. The Secure Element handles key storage and cryptographic operations in an isolated environment. It is a single Secure Element, compared to the Coldcard Mk4's dual-chip setup. For most users this is not a meaningful difference. The threat model where one Secure Element chip is compromised while another remains intact is highly theoretical.

The device includes tamper-evident hardware features. The case is designed to show visible evidence of physical tampering, which matters for supply chain security. Foundation publishes information about its assembly process and supply chain in a way that most hardware wallet manufacturers do not. This transparency extends to the verification process: when you first receive a Passport, you verify the device through the Envoy app, which checks cryptographic signatures to confirm the firmware has not been modified.

Seed generation uses the onboard RNG with optional dice roll entropy input. The dice roll feature works similarly to the Coldcard implementation: you enter each roll manually and the device mixes that physical entropy into the seed generation process. If you do not trust any chip's random number generator completely, adding dice roll entropy means your seed incorporates randomness that no manufacturer can predict or reproduce.
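The dice-roll mixing described above, as an added example that is not Foundation's firmware code and not part of the original review: it shows how many fair rolls a given seed size needs, and that the resulting seed changes with the rolls even when the chip RNG output is fully predictable. The length-prefixed SHA-256 mix and all function names are assumptions chosen for illustration; the checksum and 11-bit word-index step follows the BIP39 standard.

```python
import hashlib
import math
import secrets
from typing import List


def rolls_needed(target_bits: int, sides: int = 6) -> int:
    """Fair-dice rolls required to supply at least target_bits of entropy."""
    return math.ceil(target_bits / math.log2(sides))


def mix_entropy(device_rng: bytes, dice_rolls: str, out_len: int = 32) -> bytes:
    """Combine chip RNG output with manually entered D6 rolls.

    Illustrative mixing only (assumption, not the Passport's algorithm).
    Each input is length-prefixed so two different (rng, rolls) pairs can
    never serialize to the same bytes before hashing.
    """
    if out_len not in (16, 32):
        raise ValueError("use 16 bytes (12 words) or 32 bytes (24 words)")
    if not dice_rolls or any(c not in "123456" for c in dice_rolls):
        raise ValueError("dice rolls must be a non-empty string of digits 1-6")
    h = hashlib.sha256()
    for part in (device_rng, dice_rolls.encode("ascii")):
        h.update(len(part).to_bytes(4, "big"))
        h.update(part)
    return h.digest()[:out_len]


def bip39_word_indices(entropy: bytes) -> List[int]:
    """Map entropy to BIP39 wordlist indices (entropy + checksum, 11 bits each)."""
    if len(entropy) not in (16, 20, 24, 28, 32):
        raise ValueError("BIP39 entropy must be 128 to 256 bits in 32-bit steps")
    ent_bits = len(entropy) * 8
    cs_bits = ent_bits // 32  # 4 checksum bits for 12 words, 8 for 24
    checksum = hashlib.sha256(entropy).digest()[0] >> (8 - cs_bits)
    value = (int.from_bytes(entropy, "big") << cs_bits) | checksum
    n_words = (ent_bits + cs_bits) // 11
    return [(value >> (11 * (n_words - 1 - i))) & 0x7FF for i in range(n_words)]


if __name__ == "__main__":
    n = rolls_needed(256)
    print(f"{n} rolls of a fair D6 carry {n * math.log2(6):.1f} bits")

    # Constructed rolls for the demo; real rolls come from physical dice.
    rolls = "".join(secrets.choice("123456") for _ in range(n))

    # Worst case for the chip: its RNG output is known to an attacker.
    predictable_rng = bytes(32)
    entropy = mix_entropy(predictable_rng, rolls)
    print("word indices:", bip39_word_indices(entropy))
```

Rolls only help if they are fair and never reused or recorded; entering fewer than `rolls_needed()` rolls leaves part of the seed's strength resting on the chip RNG.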

One area where the Passport's security model differs from the Coldcard is the absence of a duress wallet feature. If you face a physical coercion scenario, there is no secondary PIN that opens a decoy wallet. This is a real gap for users whose threat model includes that kind of attack. For most people, it is not relevant. But if it matters to you, the Coldcard is the right tool.

Passphrase support is available on the Passport via the optional BIP39 passphrase extension. Adding a passphrase to your seed creates a completely separate wallet derivation, and the passphrase is never stored on the device. Even if someone extracted your seed phrase from the device, they would not have access to your passphrase-protected wallet. This is one of the more powerful security features available and works well with the Passport's interface.
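How the BIP39 passphrase produces a separate wallet, as an added example that is not from the original review or from Foundation's code: the seed derivation is the standard BIP39 PBKDF2 step, and it shows that every passphrase, including a mistyped one, yields a valid but different seed. The `seed_fingerprint` and `unlock` helpers are hypothetical stand-ins for the master-key fingerprint check that wallet software displays, and the mnemonic is the published BIP39 test vector, which must never hold funds.

```python
import hashlib
import hmac
import unicodedata

# Published BIP39 test-vector mnemonic (all-zero entropy). Publicly known.
TEST_MNEMONIC = ("abandon abandon abandon abandon abandon abandon "
                 "abandon abandon abandon abandon abandon about")


def _nfkd(text: str) -> bytes:
    """BIP39 requires NFKD normalization before UTF-8 encoding."""
    return unicodedata.normalize("NFKD", text).encode("utf-8")


def bip39_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """BIP39 seed: PBKDF2-HMAC-SHA512, salt 'mnemonic'+passphrase, 2048 rounds."""
    return hashlib.pbkdf2_hmac(
        "sha512", _nfkd(mnemonic), b"mnemonic" + _nfkd(passphrase), 2048, dklen=64
    )


def seed_fingerprint(seed: bytes) -> str:
    """Short identifier for a seed.

    Hypothetical stand-in: real wallets show the BIP32 master key
    fingerprint, which needs secp256k1 and is out of scope here.
    """
    return hashlib.sha256(seed).hexdigest()[:8]


def unlock(mnemonic: str, passphrase: str, expected_fingerprint: str) -> bytes:
    """Derive the seed and refuse to continue if it is not the wallet expected.

    BIP39 itself has no notion of a wrong passphrase, so the only way to
    catch a typo is to compare against a fingerprint recorded at setup.
    """
    seed = bip39_seed(mnemonic, passphrase)
    if not hmac.compare_digest(seed_fingerprint(seed), expected_fingerprint):
        raise ValueError("passphrase opens a different wallet than the one recorded")
    return seed


if __name__ == "__main__":
    # Constructed passphrases for the demo.
    recorded = seed_fingerprint(bip39_seed(TEST_MNEMONIC, "correct horse"))
    for attempt in ("", "correct horse", "Correct horse", "correct horse "):
        fp = seed_fingerprint(bip39_seed(TEST_MNEMONIC, attempt))
        status = "match" if fp == recorded else "different wallet"
        print(f"{attempt!r:18} -> {fp}  {status}")
```

Because a mistyped passphrase silently opens an empty wallet instead of failing, record the fingerprint shown at setup and check it before receiving funds.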

Pros and Cons

After extended testing, these are the standout strengths and the honest weaknesses. No hardware wallet is perfect at $199, and the Passport is no exception.

What the Passport Gets Right

  • Fully open-source: hardware schematics, firmware, and Envoy app all on GitHub
  • QR air-gap means no cable ever connects to a signing session
  • Beautiful color LCD display makes address verification clear
  • Bitcoin-only: focused codebase, smaller attack surface
  • Envoy app is the best companion app in the hardware wallet space
  • Runs on AA batteries: no proprietary charger, works anywhere
  • US-made with transparent supply chain
  • No Bluetooth, NFC, or wireless attack surface of any kind
  • MicroSD slot for offline firmware updates and seed backup
  • Works with Sparrow Wallet for users who want full coin control

Where It Falls Short

  • $199 is a premium price in a competitive market
  • Envoy app is not available on Linux desktop
  • Smaller community and ecosystem than Ledger or Trezor
  • Missing advanced features of Coldcard: no duress wallet, no BIP-85, single SE chip
  • QR workflow adds steps compared to USB-connected wallets
  • Not ideal as a first hardware wallet for complete beginners

Who Should Buy the Foundation Passport?

The Passport fits a specific profile well. It is designed for Bitcoiners who have moved past the beginner stage, understand why air-gap security matters, and want a device they can actually live with day to day. It is not the right first hardware wallet. But for someone upgrading from a Trezor or Ledger, it is a compelling next step.

Buy if you want

  • Open-source hardware AND firmware AND companion app (all three)
  • QR air-gap security without the Coldcard interface
  • A US-made device with transparent supply chain
  • An intermediate-level wallet with real security depth
  • The best companion app experience in the category
  • A wallet you can verify from hardware to software

Look elsewhere if

  • You are a complete beginner (start with Trezor Safe 3 or BitBox02)
  • You run Linux exclusively and refuse third-party wallet software
  • You need advanced features like duress wallets or BIP-85
  • Budget is tight (Coldcard Mk4 costs $42 less)
  • You need altcoin support
  • You want the most feature-complete signing device available

The ideal Passport buyer is someone who has been holding Bitcoin for a year or more, has used a simpler hardware wallet, and is ready to step up their security posture. You understand seed phrases. You have used watch-only wallets. You know why verifying a receive address on the hardware device matters. The Passport rewards that knowledge with a genuinely excellent signing experience.

If you are still on the fence between the Passport and the Coldcard, consider your priorities. If usability, companion app quality, and open-source completeness are what matter most, choose the Passport. If maximum feature depth, dual Secure Elements, and a 10-year track record of security-focused development matter most, choose the Coldcard. Both are excellent answers to the question of how to store serious amounts of Bitcoin safely.

Final Verdict

8.5/10

The Foundation Passport earns 8.5/10. It is the most complete open-source hardware wallet available. Hardware, firmware, and companion app are all published and auditable. The QR air-gap is genuine and elegantly implemented. Envoy is the best companion app in the category. Made in the USA with transparent supply chain.

It falls short of 9 or 10 because it lacks the deep security features of the Coldcard (duress wallets, BIP-85, dual Secure Elements) and costs $199 in a market where excellent options exist for less. The missing Linux desktop client is a real gap for a significant portion of the Bitcoin-focused user base.

Foundation has been consistent in its development pace. Firmware updates ship regularly. Envoy continues to improve. The company communicates openly about its roadmap and engages with the Bitcoin developer community. This is not a company that ships a product and disappears. For a security device you may hold for years, that track record matters.

For security-conscious Bitcoiners who want air-gap security without fighting the Coldcard interface, the Passport is the right answer. Start with an easier wallet to learn the fundamentals. Then buy the Passport when you are ready to take security seriously.

Ready to Buy the Foundation Passport?

$199 from Foundation. Open-source hardware, QR air-gap, Envoy app. Assembled in the USA.

Orders ship directly from Foundation Devices in the United States. International shipping is available.


We may earn a commission if you purchase through our link. This does not affect our review or rating.

Frequently Asked Questions

Is the Foundation Passport truly air-gapped?

Yes. The Passport communicates only through QR codes displayed on its screen and scanned by its built-in camera. There's no USB data connection, no Bluetooth, no WiFi, and no NFC. The USB-C port handles power only for battery charging. Your private keys never touch an internet-connected device, even indirectly through a cable. This puts the Passport in the same air-gap security tier as the Coldcard Mk4.

Can I use the Passport without the Envoy app?

You can. Passport works with Sparrow Wallet, Specter Desktop, BlueWallet, Nunchuk, and any PSBT-compatible software that supports QR-based signing. But Envoy makes the experience dramatically smoother, especially during initial setup, firmware updates, and guided transaction signing. Most users should start with Envoy and explore Sparrow later if they want more control over coin selection and transaction construction.

Why does the Passport use AA batteries instead of USB power?

Running on four AA batteries means no power cable connects the Passport to your computer during signing. This removes a potential attack vector entirely. You can also use the device anywhere, check balances while traveling, and never get stuck because you forgot a cable. AA batteries are available at any convenience store and swap out in 30 seconds.

Does the Foundation Passport support altcoins?

No. The Passport is Bitcoin-only by design, and Foundation has no plans to change that. A Bitcoin-only firmware has a smaller attack surface, fewer code paths to audit, and no risk of accidentally sending funds on the wrong chain. If you need altcoin support, look at the Ledger Nano X or Trezor Safe 3 instead.

How do I verify the Passport firmware is legitimate?

Foundation publishes signed firmware releases with detailed GPG verification instructions. You check the signature, verify the hash, and confirm it matches the open-source code on GitHub. This is the same level of firmware verification that Coldcard and BitBox02 offer. For a device protecting serious amounts of Bitcoin, being able to verify what's running on it isn't just nice to have. It's essential.

Where is the Foundation Passport manufactured?

In the United States. Foundation is a US-based company that assembles the Passport domestically and publishes information about its supply chain. This matters for tamper-evident security. Knowing where your hardware wallet was built and by whom reduces the risk of supply chain attacks. Most competing wallets are manufactured overseas with less transparency about the assembly process.

Does the Passport support multisig setups?

Yes. Passport works well in multisig configurations, particularly when paired with Sparrow Wallet or Nunchuk. The QR-based PSBT workflow handles multisig signing smoothly, and you can use multiple Passports in a 2-of-3 or 3-of-5 setup. For serious cold storage, combining a Passport with a Coldcard in a multisig quorum gives you two independently auditable signing devices.

Can the Passport generate its own seed phrase?

Yes. The Passport generates a 12 or 24 word BIP39 seed phrase using its onboard random number generator. For extra security, you can add entropy from physical dice rolls. You can also import an existing seed phrase if you're migrating from another wallet. The Envoy app verifies your backup during setup to make sure you've written it down correctly.

How long do the batteries last in the Passport?

Several months of typical use on a single set of four AA batteries. If you're signing a few transactions per week and checking the device occasionally, you won't be changing batteries often. The Passport shows battery level on screen and alerts you when levels drop low. Keep a spare set nearby and you'll never be caught off guard.

Is the Foundation Passport worth $199 for a beginner?

Probably not as your very first hardware wallet. The QR workflow, seed phrase management, and watch-only wallet concepts have a real learning curve. Beginners are better served starting with a Trezor Safe 3 ($79) or BitBox02 ($149). Those have gentler onramps. Come back to the Passport once you understand how hardware wallets work and why air-gapping matters. At that point, $199 is well justified.


Disclosure: Bitcoin.diy earns a commission when you purchase through our links, at no extra cost to you. We only recommend products we have personally tested and trust. See our full affiliate policy.