How Do Hardware Wallets in MetaMask Actually Work? - Part 1: Wallets, Seeds, Accounts & Addresses

By EpsilonCrypto | Epsilon Crypto Blog | 12 May 2021

There are two types of wallet when it comes to storing crypto: Hot Wallets and Cold Wallets.

Hot Wallets are wallets where your private key (i.e. seed phrase) is generated on an internet-connected device, such as your laptop or mobile phone. This allows you to conveniently manage your coins and tokens via an app or browser extension, and engage with DeFi services such as Decentralised Exchanges and Yield Farming. These wallets have exploded in usage recently, in large part due to the Binance Smart Chain offering drastically lower fees than Ethereum when engaging in the DeFi world. However, hot wallets come with the potential risk of your private key being compromised through malware, keyloggers, and other nasty stuff.

Cold Wallets are wallets which produce and store the private key offline in an 'air-gapped' environment (in no way connected to the internet). This means that your seed phrase is never shown on a screen or typed into your computer, and is therefore much harder for hackers to get their hands on. An example of a cold wallet is the Ledger Nano hardware wallet, which is a USB-like drive that is physically separate from your computer and has a small screen to show your seed phrase when you set it up.

The question is: can we somehow combine the security of the cold wallet with the convenience and utility of the hot wallet? Luckily for us, the answer is yes!

MetaMask is a browser extension wallet that allows you to create accounts to interact with Decentralised Applications (Dapps) on Ethereum, Binance Smart Chain, and other blockchain networks. When you first install MetaMask, you will be given a seed phrase from which all the accounts in MetaMask are created. This is the default way to use MetaMask, but as described above, this 'hot' wallet and its associated accounts come with potential security weaknesses.

However, there is a second way to use MetaMask, and that is as a bridge between your cold storage hardware wallet and the DeFi sites or Dapps (Decentralised Apps) you wish to interact with. It is important to understand how these wallets work, so here are the key ideas:

  • Your Ledger device and your MetaMask extension are two separate WALLETS.
  • Each WALLET has its own SEED PHRASE (this is the wallet's private key).
  • In the same way that you have one physical WALLET with many different ACCOUNT cards inside, your Ledger WALLET and your MetaMask WALLET can each hold many different ACCOUNTS too.
  • These ACCOUNTS are distinguished by having different ADDRESSES, in the same way that each of your bank accounts has a different account number.
  • Therefore, each SEED PHRASE is essentially a WALLET, and each WALLET can hold multiple ACCOUNTS, where each ACCOUNT has its own ADDRESS.
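The chain from seed phrase to wallet to accounts in the list above can be shown in code. This is an added example, not MetaMask's or Ledger's own code: it uses the BIP-39 and BIP-32 standards that such wallets build on, with two public test phrases standing in for the two wallets. It assumes a simplified all-hardened path m/44'/60'/i'; real wallets continue with further derivation steps and hash the public key to get the address, which needs secp256k1 and Keccak-256 and is left out here.

```python
import hashlib
import hmac
import unicodedata

# Order of the secp256k1 group; BIP-32 private keys are integers modulo N.
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
HARDENED = 0x80000000

# Constructed sample input: public test phrases, never to be used for funds.
METAMASK_PHRASE = ("abandon abandon abandon abandon abandon abandon "
                   "abandon abandon abandon abandon abandon about")
LEDGER_PHRASE = ("legal winner thank year wave sausage worth useful "
                 "legal winner thank yellow")

def bip39_seed(mnemonic, passphrase=""):
    """Stretch a seed phrase into the 64-byte binary seed (BIP-39)."""
    norm = lambda s: unicodedata.normalize("NFKD", s).encode("utf-8")
    return hashlib.pbkdf2_hmac("sha512", norm(mnemonic),
                               b"mnemonic" + norm(passphrase), 2048, 64)

def master_key(seed):
    """Wallet root: master private key and chain code (BIP-32)."""
    digest = hmac.new(b"Bitcoin seed", seed, hashlib.sha512).digest()
    return int.from_bytes(digest[:32], "big"), digest[32:]

def hardened_child(key, chain, index):
    """Hardened child key; needs only the parent private key and chain code."""
    data = b"\x00" + key.to_bytes(32, "big") + (index | HARDENED).to_bytes(4, "big")
    digest = hmac.new(chain, data, hashlib.sha512).digest()
    return (int.from_bytes(digest[:32], "big") + key) % N, digest[32:]

def account_keys(mnemonic, count=3):
    """Private keys of accounts 0..count-1 on the simplified path m/44'/60'/i'."""
    key, chain = master_key(bip39_seed(mnemonic))
    for index in (44, 60):
        key, chain = hardened_child(key, chain, index)
    return [hardened_child(key, chain, i)[0] for i in range(count)]

if __name__ == "__main__":
    for name, phrase in (("MetaMask", METAMASK_PHRASE), ("Ledger", LEDGER_PHRASE)):
        for i, key in enumerate(account_keys(phrase)):
            # Show only a prefix of each key; enough to see they all differ.
            print(f"{name} wallet, account {i}: {key:064x}"[:48] + "...")
```

Each phrase always regenerates the same accounts, and the two phrases produce disjoint key sets, so an account belonging to one wallet cannot be recovered from the other wallet's seed phrase.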

Here's the important part: When you link your Ledger (or other hardware wallet) to MetaMask, you are not creating a new MetaMask account. What you are doing is allowing MetaMask to view one of your Ledger accounts.


When you link your Ledger to MetaMask, it shows up alongside your other MetaMask accounts, but the Ledger-linked account does not belong to the MetaMask seed phrase - it is an account derived from the Ledger seed phrase.

The diagram above shows that whilst the account with address 0x6....9ab0 is displayed in the MetaMask extension, alongside MetaMask accounts, it is not a MetaMask account itself but rather a window into a Ledger account. In reality, your MetaMask will look something like this:

You can see that the Ledger account is clearly marked as a Hardware Wallet account, whereas the others belong to the MetaMask wallet itself.

Now, if someone wishes to steal your funds from the Ledger account displayed in MetaMask, they must obtain the Ledger device itself. This is because to confirm a transaction from that account, you must sign it with the account's private key, which we now know is only stored offline and only on the Ledger itself. 

It is worth noting that once you link a Ledger account to MetaMask, your other MetaMask accounts will continue to function as usual: a quick and easy way to confirm (sign) transactions directly within the browser. But if you want the added security that comes with requiring the Ledger device to confirm transactions, you should try to use the Ledger-linked account as your main account for interacting with DeFi sites and Dapps.

In Part 2, we will look at how to actually link a hardware wallet to MetaMask, and explore some of the nuances that should be noted when using this setup to interact with the Binance Smart Chain.

In the meantime, you may wish to get your MetaMask wallet ready to interact with the BSC. For a detailed guide on how to do this, see Step 1 of my recent post: A Complete Beginners Guide To Yield Farming on the BSC

Thank you for reading, and if you found this post useful, please consider a tip! :) 
