Pre-order open Model N°01 / 2026 Made in Perth

Own your identity.
Secure it in hardware.

A palm-sized device for your Nostr identity, your Bitcoin, and the digital accounts that belong to you. Not to a company.

Favilla KEY holds the cryptographic keys to your online life on a secure element you can hold in your hand. Convenient when you want it: signs over WiFi for daily Nostr. Secure when you need it: airgapped QR for Bitcoin and cold-storage events. The client app is served by the device itself. No download, no extension, no SaaS to depend on. Designed and assembled in Perth.

Get early access What's on it?
Your keys
Secured
In hardware
Your identity
Sovereign
Can't be taken
Built for
Open
Nostr + BTC
Favilla KEY held in hand, powered on, showing the gold key logo on its display
In hand · ready
Start here

Small enough to hold.
Smart enough to disappear.
Yours, in the way that matters.

A precision instrument for the keys that define you online.

01 / What is it?

Favilla KEY is hardware for your online identity.

Think of it as a hardware wallet, but for your social media identity instead of Bitcoin.

An object you can hold. Machined from a solid block of aluminium, anodised, weighted in the hand. It guards the cryptographic keys that prove you are you online, and keeps them somewhere your laptop, your browser, and the cloud can't reach.

Once it's paired to your phone and home WiFi, it works wherever you are. At home it joins your network. Out and about it creates its own. The device follows you; you don't have to manage it.

02 / What's Nostr?

Nostr is a way to use social media that you actually own.

Post, follow, message, zap. No company holds the off-switch.

Instead of logging in with an email and password, your account is a cryptographic key. You take that key with you across apps. The same identity works on Damus, Primal, Amethyst, and dozens of others.

It's growing fast. Bitcoin people, journalists, anyone who's been deplatformed before. They're all there. The catch: if your key gets stolen, your account is gone forever. There's no "forgot password" button.

03 / Why hardware?

Because right now, most people store their Nostr key somewhere terrible.

In a browser extension. In a screenshot. Pasted into a website. One mistake away from disaster.

A dedicated piece of hardware is the same fix that solved this for Bitcoin a decade ago: take the key off the general-purpose computer, put it on a device built to do only one thing.

The DIY Nostr signer community proved this was needed. Favilla KEY takes that work and shapes it into something anyone can buy and use: finished firmware, finished enclosure, finished client. It arrives in a box. It works on day one.

Want the technical version? Keep scrolling →

What it is

A hardware device
for your Nostr identity,
built like a finished product.

  • Your Nostr key. Generated on the device, encrypted under a key held on an EAL 6+ secure element, signed with sub-200ms latency. Never typed into a browser. Never pasted into a client.
  • A full Nostr client. Served from the device itself. Posts, replies, zaps via NWC, NIP-44 DMs decrypted on hardware. Add it to your home screen, it behaves like a native app.
  • NIP-46 bunker mode. Pair with any compatible Nostr client. Use the same key from anywhere, with signing requests bouncing back to your device for approval.
  • And more on the same device. Bitcoin wallet (V1), CIPHER (the skill-based hash mining game), and a roadmap including Cashu and sign-in with Nostr.
  • Palm-sized hardware. CNC-machined from 6060 aluminium, anodised, with brushed brass buttons. Designed and assembled in Perth. The same idea the DIY signer community pioneered, shaped into a product anyone can buy.
// 01 Principles

A Nostr signer,
built like a real product.

01 / 07

Your nsec stays here.

Generated and stored on an NXP SE051 secure element (Common Criteria EAL 6+), behind a PIN with a hardware brute-force lockout. The key is decrypted only on the device, only during the moment of signing, and only with your PIN. Never on your laptop, never in a browser, never in someone else's cloud.

02 / 07

A real Nostr client, on the device.

Full client served from the hardware itself. Posts, replies, zaps, NIP-44 DMs decrypted on-device. No app store, no SaaS, no DNS. If we disappear, your device keeps working.

03 / 07

NIP-46 bunker, when you need it.

Pair your Favilla KEY as a remote signer for any NIP-46 compatible Nostr client. Same key, same security model, different surface for when you're away from your device.

04 / 07

Airgap when you want.

Camera-driven QR signing. Disconnect WiFi entirely and the device communicates only via light. The only attack surface is your eyes.

05 / 07

And more, on the same device.

Bitcoin wallet with BIP32/BIP39 and PSBT signing, shipping V1. CIPHER skill-based hash mining shipping V1. Cashu and sign-in with Nostr on the roadmap.

06 / 07

Set it down. It locks itself.

Leave the device unlocked on a desk and it notices the stillness, arms itself, and the moment anyone picks it up it wipes the working key from memory and demands your PIN again. A motion sensor turns "I walked away" into an automatic lock. No timeout to forget, no button to remember.

07 / 07

Goes where you go.

At home the device joins your WiFi automatically. Out and about it spins up its own access point so your phone can still talk to it. One pairing during setup, and from then on the network handling disappears. The device follows you.

// 02 KEY Client · self-hosted Nostr PWA

A real Nostr client.
Served from the device.

Most hardware wallets, Bitcoin or Nostr or otherwise, make you download separate software to use them. Favilla KEY doesn't. The client is already inside the device. Power it on, connect to it on your local network, and your browser fetches the entire app from the hardware in your hand. No install, no extension, no SaaS account. The app and the keys live in the same place.
KEY client mentions feed showing recent posts and zap activity
FEED · MENTIONS
KEY client encrypted DM with end-to-end encryption notice
MSG · NIP-44 ENCRYPTED
KEY client Bitcoin wallet showing balance, AUD conversion, and recent on-chain activity
BTC · WATCH & SIGN
Your browser

fetches the app from your local network

◄   HTTP   ► local network only
Your Favilla KEY

serves the app · holds the key · signs the events

Nostr · read & post

Full Nostr client with link previews, video, mentions, replies, and on-device signing.

Zaps

Zap any post via Nostr Wallet Connect (NWC). Point it at your own node or a custodial service like Wallet of Satoshi. Signing happens on the device.

🗝

NIP-44 DMs

Encrypted messages decrypted on-device. Plaintext only ever appears in your local browser, never on a third-party server.

Bitcoin wallet

BIP32/BIP39 wallet with hardened derivation, multi-account, and PSBT signing over airgap QR. Validated against Sparrow with full round-trip on mainnet.

CIPHER

Skill-based hash mining built into the device. Score high, broadcast your daily best to Nostr, enter the weekly draw for real sats.

Airgap fallback

WiFi off? Sign anything via QR. Every protocol works in airgap mode for cold-storage use.

// 03 What's on it

Nostr-first.
Not Nostr-only.

Favilla KEY device displaying its protocol menu — Nostr, Bitcoin, and CIPHER selectable on-screen
Live · v22 menu
01
Nostr
NIP-01 signing · NIP-44 DMs · NIP-46 bunker · zaps
V1
02
Bitcoin
BIP32/BIP39 wallet · PSBT signing · airgap QR
V1
03
CIPHER
Skill-based hash mining · weekly draw for real sats
V1
04
NIP-17 DMs
Gift-wrapped DMs · sender identity hidden from relays
Coming
05
Cashu
Ecash wallet with proofs stored on-device, mint via PWA
Coming
06
Sign-in with Nostr
Use your pubkey to log into websites and apps · no passwords, no SSO
Coming
// 04 Architecture

Where the keys live.

Favilla KEY treats your two identities differently, because they carry different risk.

Your Nostr identity key lives wrapped inside the SE051 itself. When you sign an event, the key is unwrapped inside an authenticated PIN session, the Schnorr signature is computed on the ESP32, then the key is wiped from memory. The window is milliseconds.

Your Bitcoin seed is stored as an AES-encrypted blob in the ESP32's flash, encrypted under a key that lives inside the SE051 and is only usable once your PIN has unlocked a session on the chip. A flash dump returns ciphertext. Miss the PIN, or remove the device, and nothing can be reconstructed.

The NXP SE051 is a Common Criteria EAL 6+ certified secure element, the same class of chip used in payment cards and passports. Your PIN is verified inside the silicon against a hardware auth object with a brute-force retry counter, never against a value in the firmware. ECDH for NIP-44 DM key agreement runs on-chip. The ESP32 adds flash encryption burned into one-time fuses at manufacture, so the storage chip itself returns only ciphertext.

We're deliberately precise about one thing competitors often blur: the SE051 has no native BIP-340 Schnorr, so signing happens on the ESP32, not inside the secure element. The key material is briefly present in RAM during a signature, then wiped. The secure element guards every key at rest and gates every release behind a PIN session; the device minimises how long anything sensitive is exposed. On-chip Schnorr signing, where keys never enter main memory at all, is a roadmap goal bounded by what the silicon supports.

Keys sealed in the secure element at rest. Brought into memory only for the instant of a signature, then wiped. Your PIN gates every release.
FIG. 01 / SIGNING FLOW v1
CLIENT KEY app in your browser HOST + SIGNER ESP32-S3 Schnorr in RAM wiped after use SECURE ELEMENT NXP SE051 holds AES wrap key PIN-gated — PHYSICAL ISOLATION · INSIDE FAVILLA KEY 01 Client sends event hash to device 02 You approve and enter your PIN on the device 03 SE051 supplies the AES key, gated by your PIN 04 Seed blob decrypted into ESP32 RAM 05 Signature computed in RAM 06 RAM wiped · signature returned to client YOUR KEY decrypted on-device, with your PIN, wiped after use
FIG. 02 / KEY ISOLATION · TWO INDEPENDENT GATES V1
ESP32-S3 HOST I²C SE051 SECURE ELEMENT SAME PIN VALUE · SEPARATE SESSIONS DOOR 1 — NOSTR PIN session open OPEN scalar usable DOOR 2 — BITCOIN no session · seed sealed CLOSED seed sealed Unlocking Nostr does not unlock Bitcoin. Spending requires Door 2 opened separately.

Both keys sit behind the same PIN value, but in separate secure-element sessions. Approving a Nostr signature opens Door 1 only. Your Bitcoin seed stays sealed until you separately approve a transaction, which opens Door 2 on its own. Unlocking one identity never unlocks the other.

// 05 Signing control

You decide
what gets a tap.

Hardware wallets usually have one signing mode: every signature blocks you for approval. Favilla KEY gives you a choice. Nostr signing scales to the stakes; Bitcoin signing never does.

Nostr

Three modes. You pick.

  • Auto. Events sign in the background. Good for read-heavy use where you trust the client.
  • Manual. Every event surfaces a Sign request on the device. Tap accept or decline, the way classic hardware signing works.
  • Selective. You define which event kinds auto-sign and which need a manual tap. Notes can flow; DMs require a tap; profile edits require a tap; zap requests get whatever rule you set.
Bitcoin

Always manual. Always a separate PIN.

Bitcoin signing is never automatic. Every transaction surfaces on the device for explicit approval, and unlocking it requires a separate spend PIN, distinct from the PIN that unlocked Nostr earlier in the session. Unlocking your daily Nostr key never gives the device permission to spend.

Favilla KEY prototype held in hand showing a Sign request screen with a real Nostr note (kind 1) ready to accept or decline
Live sign request on prototype hardware. Real post, real device, real approval.
// 06 DM privacy

Who can read
your DMs.

Every modern Nostr setup encrypts message content. None of them let relays read the text. What differs is where the decryption key lives, and that's what decides who could read your messages if something went wrong. Here's how the common approaches compare.

DM privacy
FIG · 02 / who can see your messages
Browser ext
+ web client		 Mobile app
w/ keychain		 Bunker
on a server		 Favilla
KEY
Decryption key isolated from network apps same OS on server
Plaintext never sent to a third-party server decrypted on server
You hold the decryption key, not a server
Decryption key survives a compromised host key sealed in SE, released only with PIN
Swipe to compare → → →
Yes Partial / depends No

Favilla KEY decrypts messages on your own device, gated by your PIN and your secure element, not on a server and not on a general-purpose computer exposed to the network. The decryption happens in the device's own memory and is wiped immediately after.

DM privacy on Nostr is evolving fast. Favilla KEY ships V1 with NIP-44 encryption today. NIP-17 gift-wrapping (which hides sender identity from relays) is the next firmware milestone. When MLS-on-Nostr matures, our hardware is built for it.
// 07 Verifiable claims

No trust. Just verify.

Open firmware, by design

The firmware and the KEY client are built to be published with reproducible builds, so you can verify the binary on your device matches the source. Repo link coming with the first public release.

EAL 6+ secure element

The NXP SE051 carries Common Criteria EAL 6+ certification, among the highest assurance levels for commercial secure elements, evaluated against lab-grade physical attacks including fault injection and side-channel analysis. Dutch chipmaker, German fab — the same lineage NXP supplies to EU payment cards and biometric passports.

Signed firmware updates

Updates are cryptographically signed and only flashable over USB. No silent OTA. No remote attack surface.

Made in Perth

Designed and assembled in Western Australia. Small batches. Direct from us to you.

// 08 CIPHER

Most hardware wallets
sit dead in a drawer.
This one plays for sats.

CIPHER is a skill-based hash-mining game built into the device. Free to play. Score high. Weekly prize pool in real sats.

Each session, you're hunting hashes on the device's hardware. Your score climbs as you go, and the difficulty climbs with it. The same dynamic Bitcoin mining has at the protocol level: more hashpower, more difficulty. Survive longer, score higher. Beat your personal best for the day and CIPHER offers to broadcast that score to Nostr, signed by your Favilla KEY so anyone can verify it's a real device-generated result.

Every week, Favilla collects every player's best daily score and runs a weighted draw: the higher your scores, the more weight you carry, the same proof-of-work principle Bitcoin mining itself uses. The randomness comes from a future Bitcoin block hash, so the outcome is provably fair and nobody (including us) can rig it. The winner's Lightning address (the one on their Nostr profile) receives the prize automatically.

It runs on the same hardware that signs your transactions and your Nostr events. Same secure element, same screen, same buttons. The only difference is what it's doing in idle moments — which is now, for the first time on a hardware wallet, something.

Hardware for the keys you keep
// 09 Operation

Three modes.
Your threat model.

MODE 01

Local PWA

// Daily driver

The KEY client connects directly to the device over WiFi. At home it joins your network; away from home it creates its own access point automatically. Either way, you get one app for your Nostr identity, your Bitcoin, your sats, and your CIPHER plays.

Latency
<200ms
Pairing
WiFi / AP
Best for
Daily use
MODE 02

NIP-46 Bunker

// Power user

For Nostr specifically: pair Favilla KEY as a remote signer for any NIP-46 compatible client. Same key, same security model, different surface for when you're away from your device.

Protocol
NIP-46
Clients
Any NIP-46
Best for
Mobility
Open the bunker client
MODE 03

Full Airgap

// Maximum paranoia

Disconnect WiFi entirely. Sign anything (Bitcoin transactions, Nostr events, anything) over QR using the KEY client. The device communicates only via light.

Network
None
Channel
QR / Camera
Best for
Vault keys
// 10 Specifications

Specifications.

Protocols (V1) Nostr · Bitcoin · CIPHER · Cashu and sign-in with Nostr on the roadmap
MCU ESP32-S3 (WROOM-1U with external antenna). Dual-core Xtensa LX7 @ 240 MHz.
Secure Element NXP SE051. Common Criteria EAL 6+ certified. Tamper-resistant key storage, on-chip secp256k1 with hardware ECDH (NIP-04/NIP-44 key agreement in silicon), PIN-gated access with a hardware brute-force lockout, hardware RNG.
Display 1.5" colour TFT · 240 × 240 · ST7789 driver. Amber and lime UI on absolute black
Camera OV2640 (DVP) with a fixed-focus M12 lens tuned for QR capture. On-device QR decode for airgap signing flows.
Connectivity USB-C (data + power) · 2.4 GHz WiFi b/g/n with WPA3. BLE 5.0 hardware-capable, not used in V1.
Power 500 mAh LiPo · TI BQ24075 power-path manager · custom power management with auto-sleep. Days of mixed use on a single charge; weeks in deep sleep.
Haptics DRV2605L driver with linear resonant actuator. Tactile confirmation feedback
Audio Piezo buzzer for confirmation beeps and CIPHER game feedback
Controls Four tactile brushed brass buttons. Top: navigate up / down. Bottom: accept / decline.
Enclosure CNC-machined 6060 aluminium, anodised. 2 mm Gorilla Glass back panel with the camera aperture and antenna positioned behind it. Planned finishes for later runs: stainless steel, copper, solid brass.
Footprint ~55 × 55 × 15 mm, ~100 grams
Firmware Open source · Reproducible builds · Signed updates over USB only
// 11 Frequently asked

Questions.

What ships in V1?
The Nostr signer is the headline: a full Nostr client served from the device, NIP-44 DMs decrypted on-hardware, NIP-46 bunker support, and zaps via NWC. A Bitcoin wallet with BIP32/BIP39 and PSBT signing ships V1, with airgap QR signing validated against Sparrow. CIPHER (the skill-based sats game) ships with it. NIP-17 gift-wrapping for DMs is the next firmware milestone. Cashu and sign-in with Nostr are on the roadmap.
Where is the KEY client app actually hosted?
On the device itself. The ESP32 inside Favilla KEY runs a local HTTP server, and when you connect to the device on your local network your browser fetches the entire client app from the hardware. There's no server in a datacenter. No Vercel, no Netlify, no DNS that can be hijacked. If we as a company disappear tomorrow, your device and the app on it keep working. The app can never be silently updated against your will. It's part of the firmware, which only changes when you flash a signed update yourself.
Can I import existing keys, or do I need to start fresh?
You can import an existing nsec or BIP39 seed during setup. The device encrypts it under a key held in the SE051 and stores the encrypted blob in the device's flash. From that point on, keys only enter the device's RAM during the milliseconds of an actual signing operation, and are wiped immediately after. Many users prefer to generate fresh keys on the device, but importing is fully supported.
What happens if I lose the device?
You'll have a recovery option set during onboarding: either an encrypted backup you keep yourself or a derived seed you can use to restore on a new device. We don't keep any backups for you. We have no way to recover your keys. That's the point.
How does this compare to existing Nostr signers like the LNbits NSD?
Credit where it's due. The LNbits Nostr Signing Device and the broader DIY community kicked off this whole category. The LNbits NSD runs open-source firmware on a LilyGo ESP32 board, and a generation of Nostr power users learned about hardware signing by building and flashing one. We took a different bet: turning that proven concept into a product anyone can buy. CNC-machined aluminium enclosure, brushed brass buttons, full Nostr client served from the device (not just a remote signer), NIP-44 DM decryption on-hardware, and a Bitcoin wallet on the same device. If you love building your own gear, the DIY signers are excellent and we'd encourage you to try them. If you want something that arrives in a box and just works, Favilla KEY is for you.
Do I have to be at home to use it?
No. Pair Favilla KEY with your phone and your home WiFi once during setup, and after that the device follows you. When you're at home it joins your home network. When you're somewhere new (a café, an office, a hotel) it automatically creates its own access point so your phone can talk to it directly. Same client app, same device, anywhere. You don't have to think about which network you're on; the device handles the switching.
Does it work with my existing Nostr client?
The device implements NIP-46 as a remote signer. Any Nostr client that supports NIP-46 can in principle use Favilla KEY as its signer. You scan a pairing QR on the device, and from then on signing requests bounce to your Favilla KEY for approval. NIP-46 support varies between clients and our compatibility list will grow as we test against each one.
What's the secure element in Favilla KEY?
An NXP SE051. NXP is a Dutch semiconductor company headquartered in Eindhoven, Netherlands, and the SE051 family ships from NXP's German wafer fab. It's the same lineage of secure elements that goes into EU payment cards, biometric passports, and government identification programs in over 120 countries. The SE051 is Common Criteria EAL 6+ certified. It does tamper-resistant key storage, hardware random number generation, native elliptic-curve operations, and PIN-gated access with a hardware lockout counter. We chose it as a single, high-assurance secure element for the whole device rather than splitting trust across cheaper chips.
Does the private key ever leave the secure element?
We're precise about this because it matters. The encryption key that protects your seed is generated and stored inside the SE051 and is never readable, not by an attacker and not by our own firmware. During an actual signing operation the device decrypts the seed into the ESP32's memory for a few milliseconds, computes the signature, and wipes it. Access to that decryption is gated by your PIN. On-chip signing, where the key never enters main memory at all, is a roadmap goal, bounded by what the current secure-element silicon exposes. We'd rather tell you exactly how it works than imply a stronger claim than the hardware supports.
Is the firmware open source?
That's the plan, and the architecture is built for it. The firmware and the KEY client are designed to be published with reproducible builds, and because the client ships inside the firmware (there's no separate download) verifying the firmware verifies the app too. You'll be able to build it from source, hash the binary, and check it matches what's on your device. The public repo lands with the first release.
How much does it cost and when can I get one?
Pricing for the first production run will be announced when reservations open. Drop your email below and you'll be notified the moment we're ready to take orders. No deposit yet. We'd rather lose your interest than take your money before we can deliver.
First production run · Limited

Get early access.

Favilla KEY is in active development, built in Perth, Australia. Drop your email and you'll be first to know when the first units are ready. No deposit, no commitment. Just a heads-up.