Air Gapped Wallets Compared: Keystone vs NGrave vs Ellipal

The Keystone 3 Pro uses three separate microcontrollers rather than a dedicated secure element chip: one handles the user interface and display, one handles cryptographic operations and key storage, and one verifies the integrity of the other two. This is a different architectural approach from the SE-based devices. The firmware is fully open source under an MIT license (github.com/KeystoneHQ).

The device does not have a CC EAL certification. The Keystone team argues that open source firmware auditable by the security community provides equivalent or greater assurance than a closed-chip certification - a position that is defensible but different from the industry standard.

Compatibility is a notable strength. Keystone 3 Pro integrates natively with MetaMask as an air-gapped hardware wallet option - the workflow is built into MetaMask's “Add hardware wallet” flow. It also supports BlueWallet for Bitcoin, Sparrow Wallet, and several others. This integration quality reduces friction significantly compared to devices that require custom companion apps.

The large 4-inch touchscreen makes transaction verification comfortable. Contract interaction data is decoded and displayed in human-readable format rather than raw hex.

NGRAVE ZERO holds the EAL7 Common Criteria certification - the highest level in the CC framework. EAL7 requires formal mathematical verification of security properties, not just empirical testing. The secure element chip was developed in partnership with IMEC, the Belgian microelectronics research institute that also works on advanced semiconductor research for defense and intelligence applications.

The key generation process is distinctive. NGRAVE ZERO uses a combination of the device's internal true random number generator plus ambient light captured through its camera to generate entropy. This reduces reliance on a single source of randomness - a meaningful improvement over devices that rely entirely on a hardware RNG that could theoretically be manipulated at manufacture.

The trade-off is firmware transparency. NGRAVE's firmware is closed source. You cannot audit what the software does with the chip's certified hardware. The hardware certification is meaningful, but the complete security assurance requires trusting NGRAVE's internal security practices.

The NGRAVE LIQUID app handles the QR scanning and transaction construction on the phone side. The ecosystem is more self-contained than Keystone - you're primarily working within NGRAVE's own software. Supported coins are broad but integration with third-party wallet software is more limited than Keystone.

ELLIPAL Titan 2.0 uses an Allwinner A40i processor - this is a general-purpose application processor, not a dedicated secure element chip. The device does not hold a CC EAL certification. The security architecture here is different from both Keystone and NGRAVE: rather than relying on a certified SE chip, ELLIPAL's security model centers on physical protection and anti-tamper mechanisms.

The metal casing includes a tamper-detection circuit. If the device is physically opened - screws removed, casing separated - the device detects this and wipes its stored data. This addresses a specific physical attack scenario: an attacker who steals the device and attempts to extract memory chips. The wipe makes this attack economically unattractive.

The firmware is closed source. The large 4-inch color touchscreen makes the device comfortable to use. The ELLIPAL companion app handles transaction construction and QR display. Coin support is extensive - over 10,000 coins and tokens. The primary concern from a security architecture standpoint is the lack of a dedicated secure element, which means private key operations run on a general-purpose processor with its associated attack surface.