PIN & Passphrase
A KeepKey has two separate, optional locks. They’re easy to confuse, but they protect against completely different things. You can use one, both, or (not recommended) neither.
PIN — guards the physical device
The PIN is a code you set during setup. It’s required to unlock the device before it will do anything, so a thief who steals your KeepKey can’t just plug it in and drain it.
Two details make it strong:
- The number grid shuffles every time. Your computer only ever sees positions on a scrambled keypad, not the digits — so screen-recording malware and over-the-shoulder watchers learn nothing reusable.
- Too many wrong guesses wipes the device. This stops an attacker from brute-forcing it. A wipe is not a loss: you restore from your recovery phrase.
A PIN protects the device. It does not protect the recovery phrase — anyone who has your written-down words doesn’t need your PIN at all.
Passphrase — creates a hidden wallet
The passphrase (sometimes called a “25th word”) is an optional secret you can add on top of your recovery phrase. Combined with your phrase, it derives an entirely separate, hidden wallet.
What makes it powerful:
- It’s never stored on the device. It exists only in your head (and your secure backup). Even someone who physically extracts the device’s stored seed gets nothing without the passphrase — which is why it’s the strongest defense against a physical attacker. See the Security page.
- Each passphrase = a different wallet. Enter a different passphrase and you get a different set of accounts.
The trade-off: because it’s never stored, if you forget it, that hidden wallet is unrecoverable. Write it down as carefully as your recovery phrase and test recovery before funding it.
Which should I use?
- PIN: yes, always. It’s basic device security with no downside.
- Passphrase: for higher-value storage, once you’re comfortable with the backup discipline. It’s optional and advanced.
On your KeepKey
- Set up and learn the shuffled-grid PIN in PIN.
- Create and manage hidden wallets in Passphrase (Hidden Wallets).
- See how both fit the overall threat model on the Security page.