If you’re serious about holding bitcoin long-term, leaving it on an exchange or a software wallet is a meaningful risk you can eliminate. The Coldcard Mk4 is widely regarded as one of the most security-focused bitcoin hardware wallets available, but its interface is deliberately minimal and its setup process is less hand-holding than competitors like Ledger or Trezor. This Coldcard Mk4 setup guide walks you through every stage — from unboxing and verifying the supply chain to generating your seed and making your first receive transaction — so you can complete setup confidently without missing a critical step.
What Makes the Coldcard Mk4 Different
The Coldcard Mk4, produced by Coinkite, is a bitcoin-only device. It does not support Ethereum, Solana, or any altcoin. That single-purpose design means the firmware attack surface is smaller and therefore harder to exploit. Key hardware features documented in the Coldcard Mk4 technical overview on docs.coinkite.com include:
- Two separate secure elements (ATECC608B chips) for key storage, requiring both to cooperate during signing
- A physical PIN entry pad that never transmits PIN data over USB
- A tamper-evident bag with a bag number recorded in device memory at the factory
- USB-C connectivity plus a MicroSD card slot for fully air-gapped operation
- NFC tap support (can be disabled in settings)
For beginners, the most important implication is this: your private key is generated and stored entirely on the device. It never touches your computer’s operating system during normal use.
Verifying Your Coldcard Before You Begin
Supply-chain attacks — where a device is tampered with before it reaches you — are a documented threat. Coinkite builds in multiple verification layers, and you should use all of them before trusting any funds to the device.
Check the bag number
Your Coldcard ships inside a numbered tamper-evident bag. When you first power on the device, it displays the bag number it recorded during factory setup. Compare that number against the printed number on the physical bag. A mismatch is a red flag; contact Coinkite support immediately and do not proceed.
Verify firmware authenticity
The Coldcard Mk4 displays a bootrom version and verifies its own firmware signature on every boot. The Coldcard documentation (docs.coinkite.com/coldcard/upgrade) explains how to independently verify firmware SHA256 hashes by downloading the release file from the official GitHub repository at github.com/Coldcard/firmware and checking the signed release announcement. Never install firmware from a third-party source.
Setting Your PIN Correctly
Your PIN is your first line of defense if the device is ever stolen. The Coldcard uses a split-PIN system unique to the device.
- Prefix PIN: The first 2–6 digits you enter cause the device to display two anti-phishing words. These words are permanently tied to your specific device.
- Suffix PIN: The remaining digits you enter complete authentication.
The anti-phishing words matter. Every time you unlock your Coldcard, confirm those same two words appear before entering your suffix PIN. If the words ever change, stop — the device may have been replaced with a look-alike. Choose a PIN that is at least 6 digits total. The Coldcard documentation recommends avoiding obvious patterns and never reusing a PIN from another account. Write it down separately from your seed phrase and store it in a different physical location.
Generating Your Seed Phrase
This is the most consequential step in your entire setup. The seed phrase — 12 or 24 words drawn from the BIP-39 wordlist — is the master backup for every bitcoin address your wallet will ever generate.
Use the device’s own entropy
Navigate to New Wallet in the main menu. The Coldcard generates entropy using its secure element hardware random number generator. You can optionally add dice-roll entropy for additional peace of mind: the device accepts manual dice rolls and mixes that input with its own randomness, as described in the Coldcard docs under “Dice Roll Entropy.”
Write it down — do not photograph it
The device displays your 24 words one at a time. Write each word on paper in order. Do not type them into any phone, computer, or cloud service. Do not take a photo. A photograph stored on a phone that syncs to cloud storage is a complete exposure of your funds. Consider engraving your seed onto a metal backup plate (stainless steel or titanium products are widely available) to protect against fire and water damage.
Verify the backup immediately
After recording the words, the Coldcard will quiz you on several of them. Pass this test before moving on — it confirms you wrote the words correctly.
Connecting to Wallet Software
The Coldcard Mk4 does not have its own desktop app. You connect it to a watch-only wallet on your computer, which builds and displays transactions that the Coldcard then signs. Two well-supported options are:
- Sparrow Wallet — open-source desktop software (sparrowwallet.com) with a detailed Coldcard integration guide in its own documentation
- Electrum — long-established bitcoin wallet with hardware wallet support documented at electrum.org
Air-gapped vs. USB connection
For maximum security, use the MicroSD card workflow: export your wallet’s extended public key (xpub) file from the Coldcard to an SD card, import it into Sparrow to create a watch-only wallet, then transfer unsigned transaction files to the SD card for signing. The Coldcard signs the transaction entirely offline and writes a signed PSBT (Partially Signed Bitcoin Transaction, defined in BIP-174) back to the card for broadcast. This means your private key is never exposed to a networked device. For beginners willing to accept a small convenience trade-off, USB connection also works and is covered in the Sparrow Wallet documentation.
Receiving Your First Bitcoin
Once your watch-only wallet is configured in Sparrow, click Receive to generate a bitcoin address. Before sending any significant amount, verify that address directly on the Coldcard’s screen under Address Explorer. Address verification on the hardware device is critical: malware on a computer can swap the address you are shown for an attacker’s address, and nothing in the software wallet will reveal the change. Confirm the address matches character-for-character on both screens, then send a small test amount first.
What This Means for You
The Coldcard Mk4 has a steeper learning curve than most hardware wallets, but each layer of complexity maps to a specific security property. After completing this Coldcard Mk4 setup guide, you should have:
- A device with a verified supply chain and confirmed firmware
- A split PIN whose prefix displays your two anti-phishing words
- A 24-word seed phrase stored offline in at least two physical locations
- A watch-only wallet in Sparrow or Electrum connected via SD card or USB
- A verified receive address confirmed on the device screen
The single most common beginner mistake after setup is storing the seed phrase insecurely — in a notes app, a photo roll, or a single paper copy in one location. Treat those 24 words as more valuable than cash, because to the bitcoin network, they are. Regularly test that you can still read your backup and that you remember your PIN. Everything else about using the Coldcard becomes straightforward once this foundation is solid.
