ColdCard Q vs ColdCard Mk4 — Which Should You Buy?

KiwiKiwi · Thursday, June 4, 2026 · 15 min read

An honest comparison of Coinkite's two flagship hardware wallets. Same security architecture. Same firmware. Wildly different ergonomics. Here's how to choose.


The short answer

Buy the ColdCard Q if:

  • You hold over $50k and you're in this for the long haul

  • You use a passphrase (and you should)

  • You operate or plan to operate a multisig

  • Reading small screens annoys you

Buy the ColdCard Mk4 if:

  • You want ColdCard security at a $100+ discount

  • You're adding a second or third signer to a multisig

  • You don't need to enter passphrases often

  • Portability matters more than ergonomics

Buy both if:

  • You're going multisig and want two Coinkite-trust-anchored signers paired with a non-Coinkite third device (see the device diversity principle)

That's the headline. The rest of this guide is the defense of those calls.

For where ColdCards fit in the broader hardware wallet landscape, read our 2026 Hardware Wallet Buyer's Guide. For the full self-custody framework, read the Sovereignty Protocol.


What's identical (which is more than most people realize)

The Q and the Mk4 are not different products. They're the same product, in two different physical shells.

Same security architecture. Both devices use Coinkite's dual secure element design — a Microchip ATECC608 paired with a Maxim DS28C36, sourced from different manufacturers, configured so neither can act alone. Your seed is sharded across both. A compromise of either chip is insufficient; an attacker would need to break both, from two unrelated semiconductor companies, simultaneously. No other hardware wallet on the market replicates this architecture.

Same firmware codebase. Coinkite maintains a single firmware repository with branched manifests for each device. ColdCard Mk4 firmware v5.5.0 and ColdCard Q firmware v1.4.0Q were released the same day (March 5, 2026) with the same features. When Coinkite ships BIP-322 Proof of Reserves, PushTX, the Transaction Output Explorer, or any other firmware capability, both devices get it. There is no "lite" firmware tier. You're getting the same software.

Same supply chain integrity. Both ship with Coinkite's tamper-evident bags, signed and bagged in Canada, with documented opening checks. Both support reproducible firmware builds you can verify byte-for-byte against the published source on GitHub.

Same dice-roll entropy. Both let you generate your seed from your own dice rolls, combined with device entropy, so you never have to trust factory randomness alone.

Same air-gap options. Both support microSD card transfers and NFC tap-to-transfer. Both can be used fully air-gapped (no USB cable connected to a computer).

Same multisig support. Both can be coordinator or co-signer in arbitrary 1-of-N through 15-of-15 multisigs, with the same descriptor handling and same signing flow.

Same passphrase model. Both support BIP-39 passphrases of arbitrary length, the same passphrase vault + decoy wallet pattern, the same wallet derivation logic.

If you bought a Q and an Mk4 and signed identical transactions with each, the resulting signatures would be indistinguishable. The security guarantees you get are exactly the same.

So why are there two devices? Because using the same security model feels radically different depending on which shell you're holding.


What's different

Five things, all in the input/output layer.

1. The keyboard

This is the biggest practical difference, and it's the reason most serious users now reach for the Q.

Mk4: numeric keypad only. 0–9, with the PIN entered as anti-phishing pairs. Passphrase entry happens via the on-screen "T9-style" letter wheel — press 2-2-2 to get "C," cycle through letters with each press. It works. It's tedious. A 6-word passphrase takes 90+ seconds to type.

Q: full QWERTY physical keyboard. Type passphrases the way you type passwords. A 6-word passphrase takes under 15 seconds.

This matters more than it sounds. Most ColdCard Mk4 owners I've worked with end up using short passphrases (or none at all) because the entry process is painful. That's the operational security model degrading under friction. The Q removes the friction, which means users actually use the protection they paid for.

If you use a passphrase — and you should, because the passphrase vault + decoy pattern is one of the most underrated security tools in Bitcoin — the Q is dramatically more pleasant to live with.

2. The screen

Mk4: 128×64 monochrome OLED. Adequate for displaying addresses and PSBT details, but you'll squint at long character strings. Multisig coordination — where you verify multiple signers and a descriptor — pushes the limits of what this screen can comfortably show.

Q: 320×240 color LCD. Five times the pixel count. Multisig descriptors fit on one screen instead of paginated across three. Address verification is glanceable. The QR codes the device generates are easier to scan from the receiving wallet's camera.

For single-sig users this is a quality-of-life upgrade. For multisig coordinators it's a meaningful security improvement — when verifying complex transactions, more screen real estate means fewer "I'll just trust what it says" moments.

3. The camera

Mk4: no camera. Transactions move in via microSD card or NFC tap.

Q: built-in QR scanner. PSBTs can be scanned directly from your watch-only wallet's screen. This is the same QR-based air-gap that Foundation Passport and SeedSigner use, and it eliminates the SD card shuffle from your signing workflow.

In practice: with the Mk4, signing a transaction means saving a PSBT to SD, ejecting it from your laptop, inserting into the Mk4, signing, ejecting, reinserting into the laptop, broadcasting. With the Q, you point the camera at your laptop screen, the Q signs, and you point the Q at the laptop camera to broadcast back.

The Mk4 workflow is fine. The Q workflow is faster. Neither is more secure than the other in absolute terms — both are genuinely air-gapped.

4. The form factor

Mk4: Small. Roughly the size of a thick USB key. Pocketable. Fits in a small steel case for travel.

Q: Substantially larger. Closer to a small calculator or an old BlackBerry. Not pocketable in normal clothes. Lives on a desk or in a bag.

For a device that signs maybe one transaction a month, this isn't a daily problem. But if you travel with your hardware wallet — and you shouldn't, for OPSEC reasons, but people do — the Mk4 is more discreet.

5. The price

Mk4: ~$149–$179 depending on configuration and where you buy.

Q: ~$239–$299.

About $100 difference. Both prices are reasonable for what you're getting. Neither is cheap. Both are insurance you pay once for years of use.


When the Q is the right call

Reach for the Q in any of these situations.

You're going to use a passphrase. The Q makes passphrase entry pleasant; the Mk4 makes it painful. Pain causes shortcuts. Shortcuts kill self-custody outcomes. If you're going to use a passphrase — and you should — the Q earns its premium back in friction reduction alone.

You're running or planning to run a multisig. Multisig involves verifying descriptors, comparing signer fingerprints, reviewing partial signatures. All of this is harder on a small monochrome screen. The Q's larger display makes you more likely to actually verify what you're signing, which is the entire point of the device.

You sign transactions more than a few times a year. The camera-based PSBT workflow on the Q is faster than the SD-card shuffle. If you're a frequent signer (a small business owner accepting Bitcoin payments, a treasury operator, an active node runner) the workflow difference compounds.

You expect to grow into more advanced features. ColdCard ships new features regularly: Miniscript, advanced multisig coordination, Liquid support down the road, Lightning interactions. Almost all of these will be more pleasant to use on the Q's larger screen.

You're buying one device and one device only. If you're not going multisig and you want a single signer to last a decade, get the better one. The price difference is amortized over years of use.


When the Mk4 is the right call

Reach for the Mk4 in any of these situations.

You're adding a backup signer to a multisig. In a 2-of-3 multisig, your second or third signer doesn't need a great UX — it's a device you'll touch maybe twice a year. An Mk4 in this role is perfect: same security, lower cost, smaller footprint for the backup location.

You're budget-constrained but want ColdCard security. $149 is a defensible entry point for a hardware wallet of this security caliber. If the choice is "Mk4 today or no hardware wallet for six more months while I save," buy the Mk4 today. The opportunity cost of delaying self-custody is real.

You're buying for a non-technical user who won't use passphrases. If you're setting someone up who'll never use a passphrase — say, an elderly relative whose entire self-custody operation will be "press button, sign, done" — the Mk4's UX limitations matter less. The smaller form factor may even be easier for them to manage.

Travel concerns matter. An Mk4 hidden in a checked bag is less conspicuous than a Q. Note: we don't recommend traveling with your hardware wallet at all in most threat models. But if you must, the Mk4 is more discreet.

You want a small "spending" cold storage. Some users keep a small "convenience" stack on a hardware wallet for monthly DCA outflows or merchant payments, with the bulk of their stack on a separate, deeper-cold device. An Mk4 works fine for the convenience role.


Both, paired in multisig — the real power move

If you're going multisig — and once your stack crosses ~$250k you probably should — the right move isn't "buy two Qs" or "buy two Mk4s." It's device diversity.

Our standard 2-of-3 recommendation:

| Signer | Device | Role |
|---|---|---|
| 1 | ColdCard Q | Daily coordinator, the device you actually pick up |
| 2 | Blockstream Jade Plus | Different manufacturer, QR-based air-gap, different attack surface |
| 3 | SeedSigner (or ColdCard Mk4) | Different software stack, lives at secondary location |

The reason: a 2-of-3 multisig is only meaningfully "2-of-3" if your signers don't share failure modes. Two ColdCards in the same multisig means a single firmware vulnerability, however unlikely, could affect both. Three different manufacturers means three different supply chains, three different firmware codebases, three different secure element designs. Real diversity.
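Whichever devices fill the three slots, the descriptor in your watch-only wallet has to name exactly those signers. The check below is an added example, not code from Coinkite or any wallet; it assumes a `wsh(multi(...))` or `wsh(sortedmulti(...))` descriptor with key origins, and every fingerprint, path and xpub string in it is a constructed placeholder.

```python
import re

# Origin info is "[fingerprint/derivation]" in front of each xpub in the descriptor.
KEY_RE = re.compile(r"\[([0-9a-fA-F]{8})((?:/\d+['h]?)+)\]([A-Za-z0-9_]+)")
MULTI_RE = re.compile(r"^wsh\((?:sorted)?multi\((\d+),(.+)\)\)$")


def parse_multisig(descriptor):
    """Return (threshold, [(fingerprint, origin_path), ...]) for a wsh multisig."""
    body = descriptor.split("#", 1)[0].strip()  # drop the checksum (not validated here)
    match = MULTI_RE.match(body)
    if not match:
        raise ValueError("not a wsh(multi(...)) or wsh(sortedmulti(...)) descriptor")
    key_list = match.group(2)
    keys = [(fp.lower(), path.replace("'", "h")) for fp, path, _ in KEY_RE.findall(key_list)]
    if len(keys) != key_list.count(",") + 1:
        raise ValueError("at least one key has no [fingerprint/path] origin")
    return int(match.group(1)), keys


def audit(descriptor, threshold, signers):
    """List every way the descriptor disagrees with what the signers display."""
    required, keys = parse_multisig(descriptor)
    problems = []
    if (required, len(keys)) != (threshold, len(signers)):
        problems.append(f"policy is {required}-of-{len(keys)}, "
                        f"expected {threshold}-of-{len(signers)}")
    seen = set()
    for fp, path in keys:
        if fp in seen:
            problems.append(f"{fp} appears more than once")
        seen.add(fp)
        if fp not in signers:
            problems.append(f"{fp} is not one of your signers")
        elif signers[fp] != path:
            problems.append(f"{fp} uses {path}, device shows {signers[fp]}")
    problems += [f"{fp} is missing from the descriptor" for fp in signers if fp not in seen]
    return problems


# Constructed sample data: fingerprint -> derivation path as read off each device.
SIGNERS = {"0f056943": "/48h/0h/0h/2h", "a1b2c3d4": "/48h/0h/0h/2h",
           "5c9e228d": "/48h/0h/0h/2h"}
GOOD = ("wsh(sortedmulti(2,[0f056943/48h/0h/0h/2h]xpubSIGNER1/<0;1>/*,"
        "[a1b2c3d4/48'/0'/0'/2']xpubSIGNER2/<0;1>/*,"
        "[5C9E228D/48h/0h/0h/2h]xpubSIGNER3/<0;1>/*))")
MISMATCH = GOOD.replace("5C9E228D", "c0ffee00")  # third key is not one of ours

if __name__ == "__main__":
    print("good descriptor:", audit(GOOD, 2, SIGNERS))
    for line in audit(MISMATCH, 2, SIGNERS):
        print("PROBLEM:", line)
```

Matching fingerprints and paths is only part of the check; the xpub strings themselves still need to be compared on each device's screen.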

For more on this, book a multisig butler to walk you through the setup.


Setup differences — the honest comparison

Both devices walk through roughly the same setup sequence:

  • PIN selection (with anti-phishing word verification)

  • Seed generation (with dice rolls)

  • Steel backup of seed

  • Passphrase configuration

  • Watch-only wallet pairing (Sparrow, Nunchuk, or similar)

  • Test transaction

  • Recovery drill

Q setup time: ~90 minutes including dice rolls, steel backup, and a full recovery drill. The QWERTY keyboard makes passphrase entry a non-event.

Mk4 setup time: ~75 minutes. Faster overall because there's less UI to navigate, but slower at the passphrase step because of the T9-style entry.

In both cases, the time investment is dominated by the recovery drill — wiping the device after initial setup and restoring from your steel backup + passphrase to confirm everything works. This is the step most users skip and shouldn't. Untested backups aren't backups.

If you want a butler to walk you through either device's setup end to end, book one. Plan 2 hours; you'll leave with a tested, working vault and the confidence to never call us again.


Firmware features — what both ship today

As of firmware versions Mk4 v5.5.0 and Q v1.4.0Q (March 2026), both devices include:

  • BIP-322 Proof of Reserves. Sign a message proving you control specific UTXOs without spending them. Useful for institutional audits, lender disclosures, or just proving control to yourself.

  • PushTX. Tap your Q or Mk4 to your phone after signing; your phone opens a webpage that broadcasts the freshly signed transaction. Bridges the gap between air-gapped signing and the public internet without ever connecting the wallet to a network.

  • Transaction Output Explorer. Inspect every output of a transaction before approving — change addresses, payment addresses, OP_RETURN data. Catches subtle attacks on PSBT construction.

  • Transaction Input Explorer. Same for inputs — see exactly which UTXOs you're spending, where they came from, their values.

  • WIF Store. Import individual Wallet Import Format keys for one-off signing operations.

  • BIP-380 key expression export. Modern descriptor-based wallet pairing with Sparrow and Nunchuk.

  • Miniscript support (in edge builds). Advanced spending policies coming to stable releases.

All shared. The Q doesn't get firmware features the Mk4 doesn't, except for a small number of features that physically can't run on the Mk4 (anything that requires the camera or the full keyboard).


Power and connectivity

Mk4 power: USB-C, no battery. Plug in to use.

Q power: AAA batteries (included) with USB-C as an alternate power source. You can use the Q untethered for genuine air-gap, including in environments where you don't want to plug it into anything.

The Q's battery model is divisive. Some users love the untethered operation. Others hate dealing with batteries. AAAs are everywhere and last months under normal use, but you will forget to replace them at the wrong moment. Keep spares with your steel backup.

Both devices support data transfer via:

  • microSD card (Q has dual slot; Mk4 has single)

  • NFC tap-to-transfer

  • USB-C (for charging the Q; the Mk4 uses USB as a data option too)

The Q adds the camera as a fourth data channel. That's the meaningful connectivity difference.


The Coinkite trust question — applies equally to both

A few things to know about Coinkite as your hardware wallet vendor, which apply to both devices equally:

They've been doing this since 2018. Coinkite is one of the oldest active Bitcoin hardware companies. Their track record is long and well-documented.

They're Bitcoin-only. No shitcoin support, no DeFi browsers, no "smart" features. Every dollar of R&D goes into making one device better at one job.

Their firmware is reproducibly buildable. You can clone the GitHub repo, build with Docker, and confirm byte-for-byte that the binary on your device matches the published source. This is the gold standard. Few hardware wallet vendors offer this.

Their secure element architecture is dual-vendor. As covered above — Microchip + Maxim, no single point of failure.

They sell direct and through a small set of authorized resellers. Bitcoin Butlers is one. Coinkite themselves is another. Don't buy from Amazon, eBay, or random Telegram offers. Supply chain integrity matters.

Their support is responsive. Email-based, ticket-tracked, English-language. Don't expect a phone line — that's not their model — but reasonable response times and competent answers.

If you're going to anchor a chunk of your self-custody to a single vendor, Coinkite is a defensible pick. We'd argue it's the most defensible pick among "vendor-anchored" devices, second only to fully community-built devices like SeedSigner.


Where to buy

Buy from Bitcoin Butlers or direct from Coinkite. Either is fine.

If you buy from us:

  • We ship in our own tamper-evident packaging on top of Coinkite's

  • We accept Bitcoin (on-chain or Lightning) and fiat

  • We can pair the device with custom steel backups engraved to ColdCard format

  • We can pair it with butler-led setup if you want a guided onboarding

If you buy from Coinkite directly:

  • Lowest possible price

  • Direct from the source

  • Privacy-respecting checkout (they don't ask for more KYC than necessary)

Don't buy from: Amazon, eBay, AliExpress, Walmart, any drop-shipped third-party seller. Supply chain compromise on hardware wallets is a real and documented attack vector. The savings are not worth the risk.


The TL;DR

| | ColdCard Q | ColdCard Mk4 |
|---|---|---|
| Price | $239–$299 | $149–$179 |
| Security architecture | Dual secure element | Dual secure element |
| Firmware | Identical | Identical |
| Keyboard | Full QWERTY | Numeric only |
| Screen | 320×240 color | 128×64 mono |
| Camera | Yes | No |
| Form factor | Calculator-sized | USB key-sized |
| Power | AAA + USB-C | USB-C only |
| Setup time | ~90 min | ~75 min |
| Best for | Primary signer, passphrase users, multisig coordinators | Backup signers, budget primary, non-passphrase users |
| Our default | ✓ for serious users | ✓ for budget or backup roles |

If you're choosing one device and you can afford the Q: get the Q. If you're building a multisig: probably one Q (as coordinator) and either an Mk4 or a non-Coinkite device as your other signers. If you're truly budget-constrained: the Mk4 is genuinely fine — same security, just less pleasant ergonomics.

Shop ColdCard Q, shop ColdCard Mk4, or book a butler to walk through your specific setup.

For the full framework these devices fit into, read the Sovereignty Protocol. For comparisons against non-Coinkite devices, read the 2026 Hardware Wallet Buyer's Guide.


Last updated: [DATE]. We refresh this comparison when Coinkite ships major firmware changes or pricing updates. Tell us on Nostr if anything needs correcting.

Published under CC BY-SA 4.0.
