This glossary explains the technical terms you’ll see in setup guides, reviews, and troubleshooting pages for hardware wallets. I wrote this from hands-on testing and reading primary specs (BIPs, SLIPs, NIST). You’ll get plain-language definitions, short how-to guidance, and links to deeper guides elsewhere on the site (for example, see seed phrase, secure element, and firmware updates).
A seed phrase (also called a recovery phrase) is a human-readable list of words that encodes the entropy used to derive your private keys. The most widely used standard is BIP-39, which defines how words map to binary entropy and how the phrase is converted into a binary seed that wallet software uses to derive accounts (BIP-32/BIP-44) [1][2].
Why care? Because the seed phrase is effectively the master key to your non-custodial funds. Lose it, and you lose access (unless you have another copy). Store it securely.
Sources: BIP-39 (spec) and BIP-32 (HD wallets) explain the math and the PBKDF2 step that turns mnemonic+optional passphrase into a seed [1][2].

| Seed length | Entropy bits | Typical trade-offs |
|---|---|---|
| 12 words | 128 bits (plus checksum) | Easier to write; less entropy but still practically secure today. See BIP-39 for exact maths [1]. |
| 24 words | 256 bits (plus checksum) | Higher entropy, favored for long-term cold storage; longer to transcribe. |

In my experience, many long-term holders opt for 24 words because it widens the safety margin against brute force over many decades. But 12 words remain widely used and acceptable for everyday security needs.
BIP-39 supports an optional passphrase that is combined with the seed phrase in the derivation step. People sometimes call this a "25th word." It acts as an additional secret — effectively creating a second seed that’s only recoverable with both the phrase and the passphrase [1].
But there’s a trade-off. If you forget or lose the passphrase, funds become unrecoverable (no vendor or court can restore it). So, only use a passphrase if you can reliably back it up (see passphrase (25th word)).
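
The checksum arithmetic behind the 12/24-word table and the passphrase step described above, as an added Python example (not code from this site or from any wallet vendor). The function names are my own; the sample mnemonic is the all-zero-entropy test vector published with BIP-39, including its passphrase "TREZOR".

```python
import hashlib
import unicodedata

# Published BIP-39 test vector (all-zero 128-bit entropy). Never use it for funds.
SAMPLE_MNEMONIC = " ".join(["abandon"] * 11 + ["about"])


def mnemonic_indices(entropy: bytes) -> list:
    """Return the 11-bit wordlist indices BIP-39 derives from raw entropy."""
    ent_bits = len(entropy) * 8
    if ent_bits not in (128, 160, 192, 224, 256):
        raise ValueError("BIP-39 entropy must be 128-256 bits in 32-bit steps")
    cs_bits = ent_bits // 32                 # 4 checksum bits for 12 words, 8 for 24
    checksum = hashlib.sha256(entropy).digest()[0] >> (8 - cs_bits)
    combined = (int.from_bytes(entropy, "big") << cs_bits) | checksum
    n_words = (ent_bits + cs_bits) // 11     # 132 / 11 = 12, 264 / 11 = 24
    return [(combined >> (11 * (n_words - 1 - i))) & 0x7FF for i in range(n_words)]


def mnemonic_to_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """PBKDF2-HMAC-SHA512, 2048 rounds, salt = "mnemonic" + passphrase (BIP-39)."""
    def norm(text: str) -> bytes:
        return unicodedata.normalize("NFKD", text).encode("utf-8")
    return hashlib.pbkdf2_hmac(
        "sha512", norm(mnemonic), b"mnemonic" + norm(passphrase), 2048, 64
    )


def demo() -> dict:
    # In the English wordlist, index 0 is "abandon" and index 3 is "about".
    return {
        "indices_12": mnemonic_indices(bytes(16)),
        "words_24": len(mnemonic_indices(bytes(32))),
        "seed_no_passphrase": mnemonic_to_seed(SAMPLE_MNEMONIC).hex(),
        "seed_with_passphrase": mnemonic_to_seed(SAMPLE_MNEMONIC, "TREZOR").hex(),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The two seeds share no structure: the same words with a different (or mistyped) passphrase open a different, valid-looking wallet, which is why a lost passphrase cannot be detected or recovered from the phrase alone.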
A secure element is a tamper-resistant microcontroller designed to store cryptographic keys and perform sensitive operations inside an isolated environment. It’s not a marketing term — it’s a class of hardware often certified under standards like FIPS 140 or Common Criteria [3][4].
A secure element protects private keys from being read even if the rest of the device is compromised. That said, implementation matters (how keys are used, firmware checks, and supply-chain security all affect real-world safety). For a deeper discussion see secure element.

Sources: FIPS 140 and Common Criteria summaries explain what tamper resistance means in practice [3][4].
Firmware is the device-level program that runs the wallet: UI, transaction construction, and hardware access. Firmware updates add features and fix bugs. But updates are also an attack vector if attackers can push malicious firmware.
A secure update process uses cryptographic signatures: the update package is signed by the vendor (or a key managed by the vendor) and the device verifies that signature before applying the update. You should verify firmware authenticity and follow a documented verification process (see firmware updates and verify firmware).
For design guidance, see NIST and OWASP recommendations on secure firmware update practices [5][6].
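
The verify-before-apply step described above, as an added Python example (not any vendor's actual update code). It assumes Ed25519 signatures, the third-party `cryptography` package, and a hypothetical package layout of image bytes followed by a 64-byte signature; real devices use their own formats and algorithms.

```python
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives.asymmetric.ed25519 import (
    Ed25519PrivateKey,
    Ed25519PublicKey,
)

SIG_LEN = 64  # Ed25519 signatures are always 64 bytes


def build_package(image: bytes, signing_key: Ed25519PrivateKey) -> bytes:
    """Vendor side (hypothetical layout): firmware image followed by its signature."""
    return image + signing_key.sign(image)


def verify_and_extract(package: bytes, pinned_key: Ed25519PublicKey):
    """Device side: return the image only if the pinned vendor key signed it."""
    if len(package) <= SIG_LEN:
        return None  # too short to hold an image plus a signature
    image, signature = package[:-SIG_LEN], package[-SIG_LEN:]
    try:
        pinned_key.verify(signature, image)
    except InvalidSignature:
        return None  # refuse to install anything that fails verification
    return image


def demo() -> dict:
    vendor_key = Ed25519PrivateKey.generate()      # stays with the vendor
    untrusted_key = Ed25519PrivateKey.generate()   # any key the device does not pin
    pinned = vendor_key.public_key()               # baked into the device
    image = b"FW-SAMPLE-1.0\n" + bytes(range(64))  # constructed sample image

    genuine = build_package(image, vendor_key)
    modified = bytearray(genuine)
    modified[20] ^= 0x01                           # one flipped bit in the image
    resigned = build_package(image, untrusted_key)

    return {
        "genuine_accepted": verify_and_extract(genuine, pinned) == image,
        "modified_rejected": verify_and_extract(bytes(modified), pinned) is None,
        "resigned_rejected": verify_and_extract(resigned, pinned) is None,
        "truncated_rejected": verify_and_extract(genuine[:SIG_LEN], pinned) is None,
    }


if __name__ == "__main__":
    print(demo())
```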
Air-gapped means the signing device is physically isolated from the internet. How does it work in practice? You prepare a transaction on an online machine, export it to the offline wallet (QR, microSD, or USB), sign the transaction on the air-gapped device, then import the signed transaction back to the online machine and broadcast it.
This reduces remote attack surface, because private keys never touch an internet-connected computer. But it adds friction and requires careful handling of exported data (PSBT format — BIP-174 — is commonly used for partially signed Bitcoin transactions) [7].
See air-gapped and air-gapped-signing for step-by-step guides.
And yes, air-gapped setups are slower and require more attention to detail.
Multi-signature setups require multiple independent keys to sign a transaction (for example, 2-of-3). Multisig reduces single-point-of-failure risk and helps with shared custody, geographic separation, and inheritance planning.
Important technical points:
If you’re considering multisig, read multisig, multisig setup, and multisig compatibility.
Common backup options:
Keep backups offline, avoid photos or cloud storage, and test recovery on a testnet or spare device before trusting a backup method in production.

| Connection | Convenience | Attack surface | Notes |
|---|---|---|---|
| USB | High | Medium (USB firmware attacks exist) | Common desktop workflow; watch for BadUSB-style risks [10]. |
| Bluetooth | High (mobile) | Higher (wireless interception/relay risks) | Requires pairing; follow vendor and NIST Bluetooth guidance [5]. |
| NFC | Low–Medium | Low–Medium | Short range, useful for quick mobile taps; still a wireless channel. |
| Air‑gapped | Low | Low (best remote risk reduction) | Best for long-term cold storage, higher friction. |

Read connectivity-usb-bluetooth-nfc before choosing a model.
My rule of thumb: assume user error is likelier than device breakage; design backups and access around that assumption.
Q: Can I recover my crypto if the device breaks? A: Yes, with your seed phrase you can restore to another compatible wallet (follow the steps at restore-recovery). Test this in advance.
Q: What happens if the company goes bankrupt? A: Your private keys are non-custodial; as long as you control your seed phrase and follow standard derivation schemes (BIP-32/BIP-44), you can restore funds independent of the company (see company-failure-recovery).
Q: Is Bluetooth safe for a hardware wallet? A: Bluetooth adds convenience but increases attack surface. Follow pairing best practices, firmware verification, and consult connectivity-usb-bluetooth-nfc. NIST Bluetooth guidance is helpful here [5].
Q: Can I use a passphrase and still recover if I forget it? A: No — losing the passphrase is effectively losing access to funds secured by that passphrase. See passphrase-25th-word.
Q: Does multisig remove the need for backups? A: No — multisig reduces single-key risk but you still need reliable backups of each required signing key or shard. See multisig-setup.
Glossaries are most helpful when paired with hands-on guides. If you’re starting: follow a step-by-step setup and test restore on a small amount first (see getting-started and setup-initial).
But don’t rush—security is about repeatable processes. If you want a deeper technical reference, read the specs linked below and the multisig and firmware pages on this site.
References
Ready to apply these terms? Start with the getting started guide or review device-specific setup steps at device-overview.