All articles

MicroSD card encryption on Trezor Safe 5 and Trezor Model T

MicroSD Card Encryption is an advanced security feature available on the Trezor Model T and Trezor Safe 5. It binds your device to a secret stored on a MicroSD card.

This ensures your Trezor cannot be unlocked without the paired card, and the device’s data cannot be decrypted.

This makes stolen or tampered devices worthless to attackers and adds a powerful layer of protection against physical attacks.

Table of Contents

How it works
When to use it
Requirements
Setup process
- Insert the MicroSD card
- Enable MicroSD Hardware Encryption
Managing the feature
What happens if you lose the MicroSD card?
Security notes
Final thoughts

How it works

MicroSD Card Encryption adds an extra secret outside of your device, making both your PIN and the MicroSD card essential for access.

When you enable the feature, your Trezor generates a random, high-entropy secret.
This secret is a 256-bit (32-byte) random value saved on the MicroSD card. It carries no information about your wallet backup (seed) or your funds.
To unlock, the PIN and the MicroSD card secret must be combined; without both, the data on the device cannot be decrypted.
Without the card, the device remains locked and inaccessible.
Even if an attacker extracted all encrypted data from the device, they could not brute force it to reach your private keys.

When to use it

This feature is optional. You may want to enable it if:

You are concerned about someone stealing your device.
You want stronger physical protection beyond the standard PIN.

Tip: Store your Trezor and the MicroSD card in separate places. Each is worthless to an attacker without the other.

Requirements

To enable MicroSD Hardware Encryption, you need:

A Trezor Model T or Trezor Safe 5
trezorctl version 0.11.6 or later Trezorctl on Windows Trezorctl on MacOS
A FAT32-formatted MicroSD card

If the MicroSD card is not formatted correctly, Trezor will offer to erase and format it for you.

Setup process

Insert the MicroSD card

The card slot is located differently on each device:

Trezor Safe 5: Insert the MicroSD card partially, pins facing away from you.

Trezor Model T: Insert the MicroSD card fully until it clicks, pins facing you on the left-hand side.

Enable MicroSD Hardware Encryption

Connect your Trezor to your computer.
Run the command:

trezorctl device sd-protect on

Follow the on-screen instructions.

Once enabled, your Trezor is locked to the MicroSD card. You will need to insert the card each time you unlock the device.

Managing the feature

You can manage the feature using these commands:

trezorctl device sd-protect on # Enable

trezorctl device sd-protect off # Disable

trezorctl device sd-protect refresh # Replace the current secret with a new one

What happens if you lose the MicroSD card?

If the card is lost or damaged, your wallet is still recoverable using your wallet backup (12, 20, or 24 words).

Always keep your wallet backup safe, private, and offline. Without it, your wallet cannot be recovered.

Security notes

MicroSD Card Encryption protects against physical theft and device tampering.

It does not protect against theft of your wallet backup. If someone obtains your backup, they can restore your wallet on another device.

For additional protection for your wallet backup, consider using a Multi-Share Backup (SLIP-39).

Final thoughts

MicroSD Card Encryption ensures that even if your Trezor device is stolen, it cannot be unlocked or brute-forced without the paired MicroSD card. It is a simple but powerful feature that provides strong defense against physical attacks.

Remember: your wallet backup remains the ultimate failsafe. As long as you keep it safe, private, and offline, you can always restore access to your funds.

;