Pre-order open Model N°01 / 2026 Made in Perth

Your Nostr key,
finally on hardware.

Favilla KEY is a 55 × 55 mm signing device that keeps your nsec off your laptop and out of your browser. Your key is encrypted on a secure element, only decrypted into the device's own RAM during the milliseconds it takes to sign, then wiped. Pair it once, then post, zap, and message at the speed of a regular client. Sovereignty without the friction.

Signing: <200ms
Footprint: 55 × 55 mm
Element: ATECC608B
Favilla KEY held in hand, powered on, showing the gold key logo on its display
In hand · 55 × 55 mm
The status quo

Your nsec is probably
in a browser extension,
in a screenshot,
in your password manager.

  • Browser extensions can read every site you visit. A single rogue extension or compromised host wipes you out.
  • Web clients ask you to paste your nsec. Once it touches a webpage, you have to assume it leaked.
  • NIP-46 bunkers on someone else's server move the trust problem — they don't solve it. Their server, their rules.
  • Phone keychains are better, but the same OS can read them. And every app update is a fresh attack surface.
  • Favilla KEY generates your key on a dedicated device. It's encrypted at rest, decrypted only into the device's own RAM during the moment of signing, then wiped. Your laptop never sees it.
// 01 Principles

Sovereignty,
without the friction.

01 / 06

Your nsec stays here.

Encrypted at rest on a Microchip ATECC608B secure element, behind a PIN with brute-force lockout. Decrypted only into the device's RAM, only for the milliseconds it takes to sign, then wiped.

02 / 06

Sub-200ms signing.

Schnorr signing on the ESP32-S3 with the key live in RAM only for the duration of the operation. Fast enough that signing feels instant — slow enough that you read what you're approving.

03 / 06

The client lives on the device.

The KEY client isn't hosted on a server — it's served directly by the device. Connect to it on your local network and your browser fetches the whole app from the hardware in your hand. No third-party hosting. No DNS to hijack. No app store gatekeepers.

04 / 06

Airgap when you want.

Camera-driven QR signing. Disconnect WiFi entirely and the device communicates only via light. The only attack surface is your eyes.

05 / 06

Onboarding that respects you.

First boot offers three modes: Offline, Hotspot, Local Network. No twelve-step tutorial. No seed-phrase shame spiral. Pick. Go.

06 / 06

Materials that patina.

Glossy black injection-moulded standard. Brass side buttons. Optional anodised aluminium, stainless, copper, or solid brass enclosures.

// 02 KEY Client · companion PWA

The app is in
the hardware.

The KEY client is a full Nostr client — served directly from your device. Connect to it on your local network and your browser fetches the entire app from the hardware. No hosting. No DNS. No app store. The app and the key live in the same place.
KEY client feed showing followed posts
FEED · FOLLOWING
KEY client encrypted DM with end-to-end encryption notice
MSG · NIP-44 ENCRYPTED
KEY client search with key-on-device privacy guarantees
SEARCH · NO KEY ONLINE
Your browser

fetches the app from your local network

◄   HTTP   ► local network only
Your Favilla KEY

serves the app · holds the key · signs the events

Read & post

Full kind-1 support with link previews, video rendering, mentions, and replies.

Lightning zaps

Wallet of Satoshi by default, or point it at your own LN node. Zap any post, any user.

NIP-44 DMs

Encrypted messages decrypted on-device. Plaintext only ever appears in your local browser, never on a third-party server.

Blossom uploads

Image and video uploads with progress feedback. Bring your own server or use the default.

Relay-aware feed

Manage your relay list on-device. localStorage caching for fast cold starts.

Airgap fallback

WiFi off? Sign anything via QR. The device still works as a pure offline signer.

// 03 Multi-protocol roadmap

One key.
Many protocols.

Favilla KEY device showing protocol menu — Nostr, Bitcoin, FIDO2, Cipher
Live · v21 menu
01 Nostr: NIP-01 signing · NIP-04/44 encryption · NIP-46 bunker (Shipping)
02 Bitcoin: BIP-340 Schnorr · PSBT signing · airgap QR (Coming)
03 FIDO2 / WebAuthn: Hardware passkey for the rest of the web (Coming)
04 CIPHER: Play-to-win hash game · earn real sats from your device (Shipping)
// 04 Architecture

Honest about where the key lives.

Most "hardware wallet" marketing claims keys never leave the secure element. That's true on chips like the SE050 that do native Schnorr — but the ATECC608B we ship today doesn't sign Schnorr. So we'll tell you exactly what happens.

Your nsec is generated on the device and stored encrypted on a Microchip ATECC608B, behind a PIN with brute-force lockout. When you approve a signature, the ATECC unwraps the key into the ESP32's RAM. The ESP32 performs the Schnorr signing operation. Then it zeroes the memory.

The key is never written to flash. It never touches a network. It never enters a browser. It exists in volatile memory for milliseconds at a time, on a device that does nothing else.

Is this as strong as a chip that signs natively? No. Is it dramatically stronger than your nsec sitting in localStorage on every site you've ever pasted it into? Yes — by an enormous margin. The SE050 with native Schnorr is on the v2 roadmap.

We'd rather ship something honest than something that overstates its threat model. The architecture is no different from Krux or SeedSigner — well-understood, open-source, ESP32-based signing.
Engineering Note 04

FIG. 01 / SIGNING FLOW · v1 REV B
Components: CLIENT (PWA / app) · HOST + SIGNER (ESP32-S3, Schnorr in RAM, wiped after use) · ENCRYPTED STORE (ATECC608B)
  1. EVENT HASH: client → ESP32-S3
  2. PIN-AUTH UNWRAP: ESP32-S3 → ATECC608B
  3. NSEC INTO RAM: ATECC608B → ESP32-S3
  4. SIGN (on the ESP32-S3)
  5. WIPE (on the ESP32-S3)
  6. SIGNATURE: ESP32-S3 → client
PHYSICAL ISOLATION: YOUR NSEC never on your computer
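
The unwrap, sign, wipe sequence described above, as an added C example; it is not Favilla's firmware. `unwrap_fn`, `sign_fn`, `key_slot`, the PIN and the `demo_*` stand-ins are hypothetical, and the stand-in signer is deliberately not real cryptography.

```c
#include <stdint.h>
#include <string.h>

#define KEY_LEN 32
#define SIG_LEN 64
/* One fixed RAM slot for the unwrapped key: exactly one place to wipe. */
static uint8_t key_slot[KEY_LEN];
static uint8_t demo_sig[SIG_LEN];            /* output buffer for the demo */
/* Hypothetical hooks for the secure-element unwrap and the Schnorr signer. */
typedef int (*unwrap_fn)(const char *pin, uint8_t *key);
typedef int (*sign_fn)(const uint8_t *key, const uint8_t *hash, uint8_t *sig);

/* Volatile stores: a plain memset() here is a dead store the optimiser may drop. */
static void secure_wipe(void *p, size_t n) {
    volatile uint8_t *v = (volatile uint8_t *)p;
    while (n--) *v++ = 0;
}

/* Returns 1 when no key material is resident in the slot. */
int key_slot_is_clear(void) {
    uint8_t acc = 0;
    for (size_t i = 0; i < KEY_LEN; i++) acc |= key_slot[i];
    return acc == 0;
}

/* Unwrap, sign, wipe. Single exit, so the wipe runs on every path. */
int sign_event_hash(const char *pin, const uint8_t *hash, uint8_t *sig,
                    unwrap_fn unwrap, sign_fn sign) {
    int rc = unwrap(pin, key_slot);
    if (rc == 0) rc = sign(key_slot, hash, sig);
    if (rc != 0) secure_wipe(sig, SIG_LEN);  /* no key-derived bytes on failure */
    secure_wipe(key_slot, KEY_LEN);          /* success or failure, the key goes */
    return rc;
}

/* Constructed stand-ins so the block runs without hardware. NOT real crypto. */
static int demo_unwrap(const char *pin, uint8_t *key) {
    if (strcmp(pin, "2580") != 0) return -1; /* constructed PIN */
    memset(key, 0xA5, KEY_LEN);
    return 0;
}
static int demo_sign(const uint8_t *key, const uint8_t *hash, uint8_t *sig) {
    for (size_t i = 0; i < SIG_LEN; i++) sig[i] = key[i % KEY_LEN] ^ hash[i % 32];
    return hash[0] == 0 ? -2 : 0;            /* constructed mid-sign failure */
}
/* Runs one request with a constant-filled hash; the result lands in demo_sig. */
int demo_run(const char *pin, uint8_t hash_fill) {
    uint8_t hash[32];
    memset(hash, hash_fill, sizeof hash);
    return sign_event_hash(pin, hash, demo_sig, demo_unwrap, demo_sign);
}
```

The failing case matters: with an all-zero hash the stand-in signer leaves raw key bytes in the output buffer before returning an error, which is why the output is wiped as well as the slot. The wipe covers only these two buffers, so a real signing routine must also clear any copies it makes on its own stack.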
// 05 Comparison

How we stack up.
Honestly.

Security architecture
FIG · 02 / where the key lives
Columns: Browser extension | Web client + paste nsec | Mobile signer (Amber, nsec.app) | Bunker on a server | Favilla KEY
Legend: Yes | Partial / depends | No
  • Key on a dedicated device (cell note: your phone)
  • Key encrypted at rest in a secure element (cell notes: OS keychain | server-side | ATECC608B · JIL High)
  • Survives compromised laptop or phone OS
  • Survives malicious browser extension
  • Visible signing approval before signature (cell notes: popup only | on hardware screen)
  • Works fully offline (cell note: airgap mode)
  • No third party holds your key
  • Open source & reproducibly built (cell notes: varies | varies | varies | varies)
Bunker servers are a real defence against host compromise. The trade-off is that they hold your key — so if the bunker operator is compromised or compelled, you lose. Favilla KEY gives you the host-compromise resistance without the third-party trust.
DM privacy
FIG · 03 / who can see your messages
Columns: Browser ext + web client | Mobile app w/ keychain | Bunker on a server | Favilla KEY
Legend: Yes | Partial / depends | No
  • Decryption key isolated from network apps (cell notes: same OS | on server)
  • Plaintext stays in your local network (cell notes: in your browser | decrypted on server)
  • You hold the decryption key — not a server
  • Survives compromised host (laptop, phone)
  • Resists relay snooping (cell notes: if NIP-44 | if NIP-44 | if NIP-44 | NIP-44)
  • Forward-secret message history (cell note: NIP-44 limit)
Forward secrecy isn't something Favilla KEY provides — and nobody on Nostr does, today. NIP-44's design uses long-lived keys, so an attacker who eventually obtains your nsec can decrypt every past DM. We listed the row because pretending otherwise would be dishonest. The Nostr ecosystem will need a new spec to fix this; we'll support it on day one.
// 06 Verifiable claims

No trust. Just verify.

Open source firmware

Every byte of code that runs on the device is published. Reproducible builds. Audit it yourself.

JIL High secure element

The ATECC608B holds JIL High rating — a certified lab couldn't extract a key after three person-months of trying.

Signed firmware updates

Updates are cryptographically signed and only flashable over USB. No silent OTA. No remote attack surface.

Made in Perth

Designed and assembled in Western Australia. Small batches. Direct from us to you.

// 07 CIPHER

Most hardware wallets
sit dead in a drawer.
This one earns sats.

CIPHER is a hash-mining game built into the device. You play it, you might win real sats. No subscription, no microtransactions, no in-app purchases — just you, the device, and a chance.

Each round generates a candidate hash on-device. Land in the target zone and the firmware sends a payout from the CIPHER pool to your Lightning address. Miss and you try again. The game is the mining; the mining is the game.

It runs on the same hardware that signs your Nostr events. It uses the same secure element, the same screen, the same buttons. The only difference is what it's doing in idle moments — which is now, for the first time on a hardware wallet, something.

  • Channel: Lightning
  • Payout: Direct to your LN address
  • Custody: Pool · transparent on-chain
  • Cost to play: Free
CIPHER · ROUND 0142 POOL ⚡ 84,205
— FIG · live game state · v21
Hardware for the keys you keep
// 08 Operation

Three modes.
Your threat model.

MODE 01

Local PWA

// Daily driver

The KEY client connects directly to the device over your local network. Read your feed. Post. Zap. The fastest path from idea to signed event.

Latency: <200ms
Pairing: WiFi / AP
Best for: Daily use
MODE 02

NIP-46 Bunker

// Power user

Pair Favilla KEY as a remote signer for any NIP-46 client. Damus, Amethyst, Coracle — same key, same security model, different surface.

Protocol: NIP-46
Clients: Any
Best for: Mobility
MODE 03

Full Airgap

// Maximum paranoia

Disconnect WiFi entirely. Sign events over QR using the KEY client. The device communicates only via light. The only attack surface is your eyes.

Network: None
Channel: QR / Camera
Best for: Vault keys
// 09 Specifications

Specifications.

MCU: ESP32-S3 N16R8 — dual-core Xtensa LX7 @ 240 MHz · 16 MB flash · 8 MB PSRAM
Secure Element: Microchip ATECC608B — JIL High rated key storage with PIN-gated access and brute-force lockout. SE050 with native Schnorr planned for v2.
Display: 1.5" colour TFT · 240 × 240 · ST7789 driver — amber and lime UI on absolute black
Camera: OV5640 with autofocus and hardware QR decoding for airgap signing flows
Connectivity: USB-C (data + power) · 2.4 GHz WiFi b/g/n with WPA3 · BLE 5.0
Power: 500 mAh LiPo · TP4054 charging · AP2112K LDO · ~12h active signing
Haptics: DRV2605L driver with linear resonant actuator — tactile confirmation feedback
Audio: Piezo buzzer for confirmation beeps and CIPHER game feedback
Controls: Two side buttons in brushed brass — scroll and select
Enclosure: Glossy black injection-moulded standard. Optional anodised aluminium, stainless, copper, or solid brass
Footprint: 55 × 55 × 9 mm — 32 grams
Firmware: Open source · Reproducible builds · Signed updates over USB only
// 10 Frequently asked

Questions.

How is this different from Amber, nsec.app, or a browser extension?
Software signers like Amber, nsec.app, and browser extensions all keep your key on a general-purpose computer — your phone or laptop. That works until something goes wrong: a malicious app, a compromised browser, a phishing page that asks for your nsec, an OS-level keychain leak. Favilla KEY moves the key onto a dedicated device that does only one thing: encrypt your nsec at rest in a secure element, and decrypt it briefly into its own isolated RAM during the milliseconds of a signature. No browser. No third-party apps. No background processes. No network access except via the explicit modes you choose.
Where is the KEY client app actually hosted?
On the device itself. The ESP32 inside Favilla KEY runs a local HTTP server, and when you connect to the device on your local network your browser fetches the entire client app from the hardware. There's no server in a datacenter. No Vercel, no Netlify, no DNS that can be hijacked. If we as a company disappear tomorrow, your device and the app on it keep working. The same architecture also means the app can never be silently updated against your will — it's part of the firmware, which only changes when you flash a signed update yourself.
What happens if I lose the device?
You'll have a recovery option set during onboarding — either an encrypted backup you keep yourself or a derived passphrase you can use to restore on a new device. We don't keep any backups for you. We have no way to recover your key. That's the point.
Can I import my existing nsec, or do I need to start fresh?
You can import an existing nsec during setup. The device encrypts it and stores it on the ATECC608B. From that point on, the key only enters the device's RAM during the milliseconds of an actual signing operation, and is wiped immediately after. It's never written to flash, never sent over the network, never visible to the PWA. Many users prefer to generate a fresh key on the device and migrate identity over time, but importing is fully supported.
Why ATECC608B and not the SE050 you mentioned?
Honest answer: the ATECC608B is what we could ship now. It's a JIL High rated secure element used in millions of devices, with a fully open toolchain and a well-understood threat model. The SE050 is better — it can do native Schnorr on-chip, meaning the key would never enter ESP32 RAM at all — but integrating it well takes more time. It's on the v2 roadmap. We'd rather ship a working v1 with an honest description than an unobtainable v2 with marketing claims we can't deliver.
Does it work with other Nostr clients?
The device implements NIP-46 as a remote signer. Any Nostr client that supports NIP-46 can in principle use Favilla KEY as its signer — you scan a pairing QR on the device, and from then on signing requests bounce to your Favilla KEY for approval. NIP-46 support varies between clients and our compatibility list will grow as we test against each one.
Is the firmware open source?
Yes. Both the firmware and the KEY client are published with reproducible builds. The client ships inside the firmware — there's no separate download — so verifying the firmware is the same as verifying the app. You can build it from source, hash the binary, and check it matches what's on your device.
How much does it cost and when can I get one?
Pricing for the first production run will be announced when reservations open. Drop your email below and you'll be notified the moment we're ready to take orders. No deposit yet — we'd rather lose your interest than take your money before we can deliver.
Why not just use Bitkey / Trezor / Coldcard?
Those are excellent Bitcoin signers, but none of them ship Nostr support out of the box. Some can be made to sign Schnorr events with custom firmware — but the user experience is built around Bitcoin transactions, not social posts. Favilla KEY is built Nostr-first: the screen, the menus, the companion app, the latency targets are all designed for the cadence of social.
First production run · Limited

Reserve a unit.

Limited production from Perth, Australia. Drop your email and we'll let you know the moment reservations open. No deposit yet — just a heads-up.