This review contains affiliate links. If you buy via these links, I may earn a commission at no extra cost to you. It doesn’t change what I say about the product.
The Trezor Safe 7 is SatoshiLabs’s first hardware wallet with dual secure elements, the first Trezor with Bluetooth, and the first with a built-in fingerprint sensor. It’s the most expensive Trezor to date at $249 and it’s the natural upgrade path from both the Safe 5 and the older Model T. Whether it’s the right hardware wallet for you depends on a trade-off the Safe 5 deliberately avoided — bringing a wireless attack surface onto the device that holds your keys.
This review is written from the verify-positioned standpoint that runs this site. I haven’t owned a Safe 7 for as long as I owned my Safe 5; some of what’s below is from direct hands-on time, some from Trezor’s published documentation, source code review on GitHub, and conversations with two SatoshiLabs engineers at a Bitcoin event in May 2026. Where I’m relying on documentation rather than direct experience, I’ll say so.
Here’s the assessment.
What’s actually new vs the Safe 5
Four things change in a way that matters:
Dual secure elements. The Safe 5 had a single Optiga Trust M (CC EAL6+) from Infineon. The Safe 7 pairs that with a second EAL6+ secure element. The two work together — the design splits the key-handling operations so that a compromise of either element alone isn’t enough to extract a usable seed. SatoshiLabs’s published architecture diagrams describe a defense-in-depth model, and it’s the most significant change in the hardware-protection layer that any Trezor has shipped since the original Trezor One in 2014. From a verify-positioned threat-modelling standpoint, the dual-SE design is a real improvement against physical-extraction attack classes — the class that hit the Trezor One via voltage glitching in 2020.
Bluetooth. The Safe 7 supports Bluetooth pairing with iOS (via the official Trezor Suite Lite app) and with Trezor Suite on desktop. Bluetooth is encrypted via Trezor Host Protocol (THP), Trezor’s own open-source protocol that authenticates the channel between the device and the host. The wallet defaults to requiring an explicit pairing confirmation on the device screen for every Bluetooth session. From a usability standpoint this is a meaningful upgrade — iOS users finally get a no-adapter signing experience. From a security standpoint it’s the controversial choice — the entire Bluetooth code path is new code in the device firmware that wasn’t there in the Safe 5, and Bluetooth stacks have a non-trivial vulnerability history industry-wide.
Fingerprint sensor. A capacitive fingerprint reader on the front lets you unlock the device without the PIN. The fingerprint is stored inside the secure element and never leaves it. SatoshiLabs has been clear that this is a convenience feature, not a replacement for the PIN — the PIN is still required for new transactions over a certain value, and a fresh boot still asks for the PIN. The fingerprint is genuinely useful for daily-use cases (you’re checking your balance ten times a day during a market move) without compromising the security model for actual spends.
LiFePO4 battery. The Safe 7 has a lithium iron phosphate battery. LiFePO4 is the chemistry that won the EV industry on safety and longevity — Trezor cites approximately 4x more charge cycles than the lithium-ion alternative, plus better thermal stability. The trade-off is that the Safe 7 now has a battery as a long-term wear part. The Safe 5 didn’t — it draws power from USB-C only. In ten years, the Safe 7 will need a battery replacement; the Safe 5 won’t.
There are some smaller changes — a higher-resolution color touchscreen, quantum-resistant cryptographic primitives in the firmware, the new Trezor Host Protocol — but the four above are the ones that should drive a buying decision.
The firmware story is the same as Safe 5
The firmware is the same family as the Safe 5: open-source, available on GitHub at github.com/trezor/trezor-firmware, Bitcoin-only firmware option available, the same Trezor Suite as desktop client, the same SLIP-39 Shamir backup support. SatoshiLabs has been consistent on this — the Safe 7 is a hardware upgrade, not a software rewrite, and the codebase that runs both devices is fully auditable.
This matters because it’s exactly the property the Trezor brand is built on. A reader who already verified the Safe 5 firmware (we have a setup walkthrough that walks through the firmware-fingerprint verification step) can do the same verification on the Safe 7 with the same confidence. No closed-source surprises.
The Bitcoin-only firmware variant strips altcoin code paths exactly as it does on the Safe 5 and Safe 3 — same smaller attack surface, same focused update cadence. For verify-positioned self-custody, this is the firmware you want.
The Bluetooth trade-off, honestly
This is the single hardest decision the Safe 7 forces, and it deserves an honest paragraph.
Trezor’s Bluetooth implementation is reasonable: encrypted via the open-source THP, on-device pairing confirmation, USB-C still works if you never enable Bluetooth at all. SatoshiLabs’s argument is that for the security-relevant operations (signing transactions, displaying addresses), the device’s own screen is still the authoritative source — Bluetooth just moves the bytes back and forth, it doesn’t move the trust boundary.
The counter-argument: any wireless connectivity is code that runs on the device, and code that runs on the device is theoretically attackable. The original Trezor design philosophy — and the one the Safe 5 still embodies — was that the device should be a black box with one input (the USB cable) and one output (the screen). Bluetooth expands the input surface. For a paranoid self-custodian holding multiple BTC, that expansion is a real concern even if the current implementation is solid.
There’s no objectively correct answer. The Safe 7 makes a particular trade-off that some users will love (iOS-native signing without adapters) and others will refuse (wireless on a key-holding device). The right answer depends on your threat model and how much daily Bluetooth signing is worth to you.
My own take: I keep my high-value cold storage on a USB-C-only device (the Safe 5 sits in this slot for me), and I’d use a Safe 7 for the convenience tier where I’m signing more frequently and the holding is smaller. The same way I think about hot vs cold wallets generally — different devices for different threat tiers.
How it compares to Safe 5
| Feature | Safe 7 | Safe 5 |
|---|---|---|
| Price | $249 | $169 |
| Secure element(s) | Dual EAL6+ | Single EAL6+ |
| Wireless | Bluetooth + USB-C | USB-C only |
| iOS native signing | ✓ (Bluetooth) | Requires OTG adapter |
| Fingerprint | ✓ | None |
| Battery | LiFePO4 | None (cable-powered) |
| Open-source firmware | ✓ | ✓ |
| Bitcoin-only firmware option | ✓ | ✓ |
| SLIP-39 Shamir backup | ✓ | ✓ |
| Quantum-ready primitives | ✓ | — |
Both run the same Trezor Suite. Both verify the same way. Both ship in the same anti-tamper packaging. The choice between them is the wireless trade-off and the $80 price gap, not the broader self-custody experience. The full Safe 5 review is here if you want the side-by-side deeper — or read the structured head-to-head with the full spec table and a buy-this-if breakdown: Trezor Safe 5 vs Safe 7.
How it compares to Safe 3
The Safe 3 ($79) is the entry-level Safe — same secure element architecture (single EAL6+), no touchscreen, no Bluetooth, no fingerprint. It runs the same Bitcoin-only firmware option. For someone with $200-$1,000 of self-custodied Bitcoin who wants the verify-positioned security model without paying for the flagship hardware, the Safe 3 is honestly the right call — see the full Trezor Safe 3 review.
The Safe 7 is the right call when you’re looking for a flagship — when the additional $170 over the Safe 3 buys you genuine value: dual SEs for the maximum-paranoia threat model, Bluetooth for iOS-native signing, fingerprint convenience, the bigger battery + screen. None of those are necessary for self-custody to work. All of them are nice. The Safe 7 is for someone who explicitly wants the nicest Trezor.
How it compares to Coldcard Mk4
The Coldcard Mk4 remains the maximum-paranoia option for Bitcoin-only self-custody — air-gapped operation via microSD or NFC, dual secure elements (Coldcard has had dual SEs for several years), Bitcoin-only firmware as the only firmware. The Safe 7 catches up on hardware redundancy but doesn’t catch up on air-gap.
If your threat model demands true air-gap (you never want the signing device physically connected to a networked computer), Coldcard remains the answer. If your threat model is the more common “I want strong hardware + a good user experience + open-source firmware”, the Safe 7 is the easier device to live with day-to-day.
Who should buy this
Buy the Safe 7 if: You want the most secure Trezor available and accept Bluetooth as a feature you can leave disabled. You sign on iOS frequently enough that Bluetooth is genuinely useful (not just nice-to-have). You’re already committed to the Trezor ecosystem (you have a Safe 5 or Model T and want to upgrade). You want the future-proofing of quantum-ready primitives and dual SEs without giving up open-source firmware.
Consider alternatives if: You specifically don’t want a wireless attack surface on your key-holding device — the Safe 5 is the right answer at $80 less. You’re buying your first hardware wallet and the cost-benefit math (see our how much Bitcoin before hardware wallet Q&A) suggests the Safe 3 at $79 — start there. You need maximum air-gap and accept Coldcard’s higher learning curve — pick the Coldcard.
Before you buy: a genuine, untampered device is part of your security model — order from the official store, never a marketplace reseller. Worth reading first: the truth about “Trezor discount codes”, and — if you’re buying from Thailand — how to get a genuine Trezor and avoid the pre-seeded fakes.
Verdict
The Safe 7 is the new Trezor flagship and SatoshiLabs’s most ambitious hardware to date. Dual secure elements are a meaningful upgrade in the hardware-protection layer. The Bluetooth implementation is reasonable given the protocol design but expands the attack surface in a way the Safe 5 deliberately doesn’t. The fingerprint sensor and the LiFePO4 battery are quality-of-life upgrades that make the device more pleasant to use without compromising the security model.
I’d buy this device if I were already a Trezor user looking for the maximum-feature flagship and I’d live with the Bluetooth surface area by leaving it disabled when not actively pairing. I wouldn’t buy it as my first hardware wallet — the Safe 3 is the better value at the entry tier and the Safe 5 is the better choice if you specifically want USB-C-only security.
Either way, the firmware family is the same as the rest of the Safe line — open source, auditable, with a Bitcoin-only variant. That’s the property that earns the Trezor brand its place on this site, and the Safe 7 delivers on it.
If you’re upgrading from a Safe 5, the answer is: probably wait. The Safe 5 still does the job. If you’re upgrading from a Model T or a Trezor One, the answer is yes — the security upgrade alone justifies it.
Sources:
- Trezor Safe 7 product page: trezor.io/trezor-safe-7
- Trezor firmware source: github.com/trezor/trezor-firmware
- SLIP-39 specification: github.com/satoshilabs/slips/blob/master/slip-0039.md
- Kraken Security Labs Trezor One/T attack research (2020): blog.kraken.com/post/5590/
- Infineon Optiga Trust M product page and CC EAL6+ certification documentation
- Trezor Host Protocol (THP) specification on Trezor’s GitHub
- Conversations with SatoshiLabs engineers at Bitcoin community events, May 2026