In this article, I’d like to take an in-depth look at KeepKey, a hardware wallet created by a company based in Seattle, the United States. The project started as a fork of the Trezor wallet in 2014. The developers of KeepKey wanted a more premium-looking solution with a larger screen, which should provide a better user experience when it comes to verifying cryptocurrency transactions.
KeepKey is an open-source hardware wallet. Its most significant selling point besides a premium look and larger LCD screen is a smooth integration with ShapeShift. KeepKey is currently the only wallet out there which enables you to convert supported cryptocurrencies, out of the box, without leaving your wallet interface.
What’s interesting about the company is that it was acquired by ShapeShift AG, a company located in Switzerland. For those of you who do not know, ShapeShift is a web-based platform which quickly enables users to convert one currency to another without even having to register. ShapeShift is an exchange where you can easily switch one cryptocurrency to another according to the set rates. It is one of the most popular and most used platforms, which at the time of writing accounts for 2% of all Bitcoin transactions.
With its $129 price tag, the KeepKey is one of the priciest hardware wallet solutions. In this article, I would like to cover the entire process from unboxing to initializing, configuration to sending the first transaction. I’ve purchased my KeepKey via one of their official retailers with my coins.
At the moment of publishing this article, KeepKey supports the following cryptocurrencies:
|Supported coins in KeepKey|Client|
|---|---|
|Bitcoin (BTC)|KeepKey Client|
|Ethereum (ETH)|KeepKey Client|
|Litecoin (LTC)|KeepKey Client|
|Dash (DASH)|KeepKey Client|
|Bitcoin Cash (BCH)|KeepKey Client|
|Dogecoin (DOGE)|KeepKey Client|
There are plans to add ERC-20 tokens, but the company released no official statement on when the implementation is expected. According to their blog post, the ERC-20 tokens will appear as sub-accounts inside the Ethereum account. The first tokens planned for the roll-out are SALT, Aragon, Augur, BAT, Civic, Golem, Gnosis, OmiseGO, District0x, and FunFair.
KeepKey arrives in a premium-looking, black cardboard box with a magnetic case. The box is shrink-wrapped in plastic foil.
If you wish to open the box, you’ll have to cut through the tamper-proof sticker. It is not easy to open the box without removing the label. I tried quite hard to pull out the device without breaking the seal, but further attempts would damage the package.
A tamper-proof sticker gives consumers psychological security. In reality, it’s not a bulletproof defense. If you’re a high-profile target, an attacker could intercept the package and replace it with a replicated box. Even though it sounds fancy and secure, in practice this sort of seal does not provide reliable protection.
Throughout the entire unboxing process, I had a feeling of holding something very well-crafted and premium. Inside the box, you’ll find the KeepKey wallet placed in foam which protects it in transit. The company released the KeepKey Gold, which in essence, is the same product with a different cover design.
I noticed that some people received their KeepKey with a nifty leather pouch in which you can keep your recovery card. Mine did not arrive with such an accessory. After browsing through Reddit, I discovered that the earlier batches came with a leather pouch, but it has been discontinued in the newer version. According to their support on Reddit, this is because the vendor does not have them anymore.
Here’s what you’ll get:
- KeepKey hardware wallet
- USB cable
- Cardboard recovery sentence card
- Warranty compliance leaflet
I’ll talk about the device quality in a moment, but here’s what I found appealing. The woven nylon USB cable is of appropriate length and very high quality. I do not like the lack of a printed instruction manual. I would prefer it if they included a spare recovery seed card and not only one.
One of the most prominent advantages of KeepKey is that it looks elegant and simple. With a size of 38 x 93.5 x 12.2 mm, it’s the beefiest hardware wallet I have used. The front features a large 256×64 3.12″ OLED screen protected by a polycarbonate casing. Even though my device arrived with a plastic protector over the polycarbonate casing, I noticed that under a particular angle in the daylight, my unit had quite a lot of tiny scratches. The scratches are visible only at a particular angle in sunlight, so I wasn’t bothered by it.
I can’t confirm if this is an isolated issue, but I haven’t found similar complaints online.
The backside of the device is built out of aluminum. It looks and feels sturdy and durable.
On top, the device has a single button. That button is used for confirming/canceling transactions. I am a fan of minimalist solutions like this.
At the bottom, there’s just a USB port used to power on the device. The device can be powered by a power bank or even a charger, but to operate, it requires a connection to a Chrome App.
On the inner side of the package, there’s a link www.keepkey.com/get-started which is where you need to go, to begin hardware wallet set up.
I must repeat I do not approve of manufacturers not inserting at least a welcome note and giving some instructions to the consumers. It’s just a piece of paper, it would not increase the production cost, but would be helpful to newbies.
The getting started page is very well-organized and concise. It lists requirements before you begin the initialization process.
- Download KeepKey Chrome App and install it.
- Insert your KeepKey hardware wallet into your PC – The KeepKey logo will appear on the screen.
- Initialize the Google Chrome app
Upon installing the extension, you should be automatically redirected to chrome://apps/. If not, open that in your browser and pick the KeepKey client.
If you’re a Linux user like myself, there is a high chance your device won’t be recognized right away. The generic advice, in this case, is always to use the cable which came with your device, and the latest Chrome version.
I had both of those, so I assumed it had to be Linux. I found the article on their support page. After following the instructions there, my KeepKey got recognized after I restarted the browser and relaunched the app.
I tested the device on Windows 10, and it was just a plug and play, no additional tweaks were required.
In most cases, you’ll be asked to upgrade your firmware if your KeepKey is not running the latest firmware version. KeepKey will display a warning if your wallet is not running an official firmware version.
You need to unplug your device, and when you plug it again, you’d need to hold down the button.
While holding the button insert your KeepKey into the USB which will activate the firmware upgrade mode. Press the green upgrade firmware button in the app. The KeepKey Client App will ask you to press the button on the device to verify the upgrade. Hold the button for a few seconds.
Next, you’ll have to confirm that you have your recovery seed backed up. This is an inferior user experience, as I’m sure that at this point a newbie would freak out or at least be confused.
Ignore this if you’re setting up the wallet for the first time, we will create the private key next, so just verify that you have the backup (even though you don’t – yet) by holding the button on the device.
A “Preparing for the upgrade” message will appear, and the device will start the firmware upgrade. The OLED display will show a “Firmware upgrade complete. Please disconnect and reconnect” message.
Unplug the device and plug it in again. Now you’re running on the latest firmware version. Now we need to initialize the device and generate our private key.
When you plug in the KeepKey after the initial firmware upgrade, the app will say that now you need to set the device up.
This step is important. You will generate the private key seed which will be displayed only once, and you need to keep it a secret.
Click on the Initialize KeepKey to proceed.
Setting up the label
In the first step, similar to Trezor setup, you’ll be asked to create a label for your device. The label is just a name of your device. It is helpful if you have multiple KeepKeys.
You cannot leave the label blank like you can with Trezor. When you have entered the name, click on “Set Label.”
Choosing the PIN
The PIN protects your device physically from unauthorized third-party access. The general advice is to pick a unique PIN that you can easily remember and that you don’t use anywhere else. The longer the PIN, the better the protection.
If you ever forget the PIN, do not worry, you can wipe the device and import your recovery sentence and enter the new one.
You get the point how powerful your private key is? I know, you’re not an idiot, I don’t have to say it as often, but better safe than sorry.
KeepKey has precisely the same mechanism for entering the PIN as Trezor. A 3×3 grid will appear on your PC screen. Each cell of the grid looks the same. To know which number a cell represents, you have to look at your device’s display. This protects you from keyloggers and malware, which can’t get access to your PIN. The position of the numbers on the wallet screen will always shuffle.
After you confirm the PIN, KeepKey will show 12 randomly generated words on the screen. These 12 words are your “recovery sentence.” Write it down on a recovery sentence card. Please be very careful with this step and take your time. Triple-check each word and do not rush.
Each word should be in the same order you see it on the screen. Do not store it in digital format, do not take photos of it. Make sure that there are no cameras (even your web camera) around you. This is an important step. Keep and store your private key safe, away from the eyes of others.
The manufacturer will never send you a device with a pre-filled private key card. If you receive such a device – it’s a scam. You and only you can generate the private key; the manufacturer will never know it. The KeepKey uses a random generator chip plus random entropy from your PC environment to create the randomness.
The problem with KeepKey is that the device will not give you a second chance to double-check the recovery seed, which is a poor user experience and possibly dangerous. That’s why we will wipe the device and import the keys to test them in a moment.
Once you are 100% certain that the seed on the KeepKey and the card are the same, hold the button on your KeepKey to confirm it.
Please wait while the balances are loading. This usually takes a few seconds. You have now successfully set up your KeepKey wallet.
For security reasons, I strongly advise you to send a very tiny amount to your KeepKey (steps described in the “Receive coins” paragraph), wipe the device and perform a seed recovery. This way you’ll be 100% certain that your recovery seed has been written down correctly. This is something I recommend for every hardware wallet which requires you to write down the seed. It’s not needed, but it’s a recommended step.
Wipe the device
KeepKey does not give you the chance to test the 12-word recovery seed on the initial setup. I strongly recommend that you wipe the device and recover the seed again. You can also send a very tiny amount to your newly generated seed. By doing this before loading any severe funds, you’re making sure that your recovery seed is accurately written. Trust me; you’ll thank me later for telling you this now. You’ll also learn how to import your keys into a device with nothing to lose, which may come in handy.
Click on the gear icon (settings) in the top right corner of your device. Select “Wipe Device” and confirm that you want to wipe the private keys and settings from the device by holding the confirmation button.
The KeepKey Client app will now look like the first time you’ve plugged in the device.
Instead of initializing the device (which will create a new 12-word seed), click on “or Recover KeepKey” in the bottom right corner.
Give your device a name by adding the label. Choose the PIN and confirm it.
This is when things get quite interesting and different compared to other wallet recovery methods. KeepKey uses the “Recovery Cipher.” This method scrambles and shuffles the letters of your words, so even if your computer was infected with a keylogger trying to “record” your private key, it would only see the scrambled words, not your actual seed.
The upper rows highlighted in white are the alphabetical letters in a fixed position. Below each row, there is an additional row of letters which shuffles randomly each time you enter a character into your PC.
To make this a bit clearer, in my recovery seed example, the first word is humor. I have to enter the first four letters into field #1 of my device, which would be humo.
I’ll locate the letter H and type in the letter below it. This way the keyloggers will get the wrong information. My next letter is U. This time the cipher reshuffles the letters. I’ll locate the letter U and enter the letter in a row right below it.
At the same time on the KeepKey screen, you’ll see the letters you entered. The entered words never leave the device; they are stored internally, and your PC has no access to them. When you enter the first four letters, the recovery word will appear on the KeepKey screen. In the KeepKey Client, press SPACE on your PC keyboard to confirm the word and move on to the next. Sometimes the word will be detected after three letters.
Hint: If your recovery seed is longer than 12 words (18 or 24), just keep pressing space after the 18th word.
Once finished, press Enter. The device will load the accounts and show the balance, which should appear if you did everything correctly.
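The recovery cipher described above, as an added Python sketch that is not KeepKey's firmware or client code; the PIN grid from the setup section relies on the same idea, with grid positions in place of letters. It assumes the shuffled row is shown only on the device, and the word list is a small constructed sample.

```python
import secrets
import string

ALPHABET = string.ascii_uppercase
# Constructed sample; the device matches against its full recovery word list.
WORDLIST = ["hub", "huge", "human", "humble", "humor", "hundred", "hungry", "hunt"]


def new_cipher_row(rng):
    """Device: fresh random permutation of A-Z, displayed under the fixed row."""
    row = list(ALPHABET)
    rng.shuffle(row)
    return "".join(row)


def encode(row, plain_letter):
    """User: find the real letter in the fixed row, type the letter below it."""
    return row[ALPHABET.index(plain_letter.upper())]


def decode(row, typed_letter):
    """Device: map the typed letter back through the row it displayed."""
    return ALPHABET[row.index(typed_letter.upper())]


class RecoveryDevice:
    """Keeps the decoded letters internally; the host only ever sends it
    ciphered keystrokes (assumption: the shuffled row is shown on the device)."""

    def __init__(self, rng=None):
        self.rng = rng or secrets.SystemRandom()
        self.prefix = ""
        self.row = new_cipher_row(self.rng)

    def receive(self, typed_letter):
        """Decode one keystroke, reshuffle, and return the word once unique."""
        self.prefix += decode(self.row, typed_letter).lower()
        self.row = new_cipher_row(self.rng)  # new row after every character
        matches = [w for w in WORDLIST if w.startswith(self.prefix)]
        return matches[0] if len(matches) == 1 else None


def enter_word(device, word, max_letters=4):
    """Simulate typing one word. Returns (what a keylogger records, word)."""
    keylog, completed = [], None
    for letter in word[:max_letters]:
        typed = encode(device.row, letter)  # user reads the device screen
        keylog.append(typed)                # all the PC ever sees
        completed = device.receive(typed)
        if completed:
            break
    return "".join(keylog), completed


if __name__ == "__main__":
    for word in ("humor", "hub"):
        seen_by_host, recovered = enter_word(RecoveryDevice(), word)
        print(f"host saw {seen_by_host!r}, device recovered {recovered!r}")
```

Because a new row is generated after every keystroke, the same letter typed twice is not tied to the same keystroke on the host. The host still learns how many letters were entered for each word.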
This is very decent security practice. Now that you recovered the seed on the initial setup, you can be confident that your recovery seed has been written down correctly. It eliminates a lot of doubts and stress later, if something happens, trust me.
If you ever wish to have your seeds in a sort of cold storage, you can generate the seed, transfer the assets, create a backup and then wipe the device.
We have set up our KeepKey, written down and tested the recovery seed. What’s next? Now we can configure the device further and explore its options.
The wallet app runs as a Google Chrome app. With the recent news on Google discontinuing the apps, it will be interesting to see which road the KeepKey developers take. I assume that like Ledger, they will be developing their standalone client. There is an announcement from one of their officials regarding this transition and the time frame on Reddit.
The user interface of the wallet is pretty minimalist and easy to navigate. I do not like the coloring setup of white and green. In my opinion, light green and white do not mix well.
To spend coins from one of your accounts, you’d have to select the account. In this example, I’ll use Bitcoin. When you choose the account, you’ll be presented with three options: Send Bitcoin | Receive Bitcoin | Transactions. Selecting “Send Bitcoin” takes you to a pretty straightforward interface. You’d have to add the public address of the receiver and the amount.
Similar to DigitalBitbox, KeepKey does not show the amount in local currency. So if you want to send $100 to someone, you’d have to calculate it externally and enter the amount in bitcoin. This is again a feature that is not hard to implement, and I would like to see it added.
I was shocked to see that there is no ability to select the fee. I’m not talking about the custom fee setup. KeepKey does not have fee selection. You are forced to use their fee estimates. This is something that urgently needs to be addressed by the developers.
When you’re ready to send the coins, click on “Send.” The device will ask you to re-enter the PIN for each transaction. I think this is unnecessary since I already entered the PIN when I plugged in the device, confirming I’m the owner with physical access. Having a time-out PIN protection when the device is idle is great, but having to enter a PIN for each transaction ruins the user experience and doesn’t benefit the security in my humble opinion.
Once you have clicked on “Send,” it will take a few seconds for a message to appear saying that you have to physically confirm the transaction and verify the address on the device. The UX informs the user that they should double-check the address, and how to sign (approve) the transaction.
Once you double-checked that the address displayed on the KeepKey screen is the correct one, hold the button, and you’ll confirm the transaction.
To get a receiving address inside your KeepKey client, select your currency account and go to |Receive Bitcoin|.
The interface will display that you have to double check the receiving address, but it will not do it aggressively. You can still see an entire address and can copy it without even having to verify it on the device.
KeepKey screen will show you the address and a QR code on the device itself. The address is very easily readable and looks excellent.
The weird thing is – once you confirm the address you’re returned to a wallet. I’d rather see a more aggressive approach for receiving addresses, where a user would only see the address partially until it’s physically confirmed on the device. This would improve the overall security user experience.
Converting coins via ShapeShift
KeepKey has been acquired by ShapeShift. Hence the integration does not surprise me. It is a unique feature which I haven’t yet seen in any other hardware wallets that work out of the box. With convert options, you can convert your coins, for example, from BTC to LTC.
To convert the coin, select the account of the currency you’d like to convert from. In this example, I want to convert Bitcoin to Litecoin. First, make sure you have both Bitcoin and Litecoin accounts in your wallet. Select your Bitcoin account and choose “Send Bitcoin.” Instead of typing the address, you now have to select the account of the currency you’d like to convert to from the drop-down menu. Input the amount of the currency you’re converting from and click “Convert and Send.”
The first time you’re making a conversion, you’ll be asked to agree with ShapeShift policy on the device.
When you confirm that you agree with the TOS of ShapeShift AG, you’ll be asked to enter your PIN once again. You’ll have to verify the conversion on the device.
What I liked is that due to the screen size, they display plenty of information on there, such as the amount you’re sending, the receiving amount, and even the account which will receive the converted coins.
When you verify, there is one last confirmation to perform. KeepKey will ask you to confirm the amount of currency from the account you’re sending from and also display the transaction fee.
Upon confirmation, a message “signing transaction” will briefly appear on the device, and the App will show that the conversion was successful.
The experience of converting crypto assets this way was delightful and smooth. You’ll see the converted coins under the account now, in my case the Litecoin Account.
Inside the settings, there are several things you can configure.
- Change label – change the device name
- Change PIN – change the access PIN (up to 9 digits of length)
- Wipe Device – resets the device to its factory state; make sure to have a backup of your recovery seed if you have any assets added
- Contact Support
- About KeepKey
Of all the hardware wallets I have reviewed so far, KeepKey has the fewest options and does not give much configuration freedom. I was quite surprised that there is no option to add a passphrase to a device out of the box. The passphrase protection, known as plausible deniability, is an important security feature.
KeepKey provides support by email. To get in touch, you have to go to their support help-desk page located at the upper right corner, above the main menu of their website and fill out the contact form. When you send out the email, you will not receive a confirmation.
The support is very slow and unresponsive. This is the weakest and slowest customer service I experienced from a hardware wallet company so far. I’m still waiting for them to reply to my ticket and will update this section when I receive an answer.
The community of KeepKey users can be found in the r/KeepKey sub on Reddit. It’s not a large community but has a decent amount of members and information. The company representatives are also present in the sub and provide support there as well as on Twitter.
KeepKey is a very elegant-looking device. It has a premium look and price. The integration with ShapeShift, which enables you to smoothly convert one crypto asset to another, is a clever solution. The device has a large LCD screen which displays the receiving addresses. The PIN protection and transaction confirmation work as advertised. I like how easy to use their wallet was.
On the other hand, the development of the device is very slow. My experience with the customer service hasn’t been good either, though I’m still testing this part.
When it comes to features, KeepKey is far behind the competitors. Contrary to the rumors on Reddit, I do not think that the device is not being actively developed. I believe that the acquisition process might have slowed that one down. The team behind KeepKey needs to understand this is not the mobile phone market. We as a community do not need a beautiful-looking, well-built device which we can show off and brag about. We need devices which have a stable development team, good support, an ethical company and top-notch security and privacy. I was shocked that the SegWit support is not their priority and that passphrase setup is not easy to configure either. For those who are wondering about the number of coins you can store, the device lacks support in this segment as well, though the ERC-20 token support is on their roadmap.
KeepKey is not an insecure device. It works as advertised and provides a good user experience, but lacks lots of features, and I can’t justify the price tag of $129 just because the device looks premium. It needs to have premium features, development, and support. On the bright side, all of these things can be fixed and hopefully, the acquisition by ShapeShift will provide the company with enough manpower and resources to continue to improve and catch up with the leaders in the industry.
My opinion is that they tackled the wrong holes in the market. The hardware wallet industry has not reached that phase where the products need to differentiate themselves with a design and fancy look. The market needs to evolve and the first company which improves privacy, security, adds more features, provide better customer service, make devices more minimalist and affordable. There are still ways to catch up with the competitors, and I’m looking forward to seeing how KeepKey and other manufacturers will target those issues in future.
Pros
- Large LCD screen
- ShapeShift integration
- Build quality
- Quality of the package
- UI and UX in the wallet
Cons
- No Segwit support
- Not easy to set up the passphrase protection (plausible deniability)
- Form factor and the size – quite larger compared to other wallets
- No Lock feature (if you leave the device unlocked and plugged in, someone can access it without even having to type in the PIN)
- Development is a lot slower compared to other competitors
- Customer service response times are longer compared to competitors
- Lacks features like U2F