A patient, vendor-neutral guide to self-custody and cold storage — seed phrase backup, hardware wallets, multisig, Shamir and inheritance. Written for people who want to do this once, do it right, and then mostly stop thinking about it.
Most of the practical advice on this site follows from this.
Your seed phrase is the wallet. The device is just an interface.
Hardware wallets fail, lose firmware support, and become bricks. None of that matters as long as you have the phrase.
Twenty-four words written on a sufficient medium can outlast every device you currently own — by decades.
No password recovery. No customer support. No central authority. This is the entire point, and the entire problem.
These are the methods that have actually held up. None is exotic. None requires trusting a third party. The differences are cost, complexity, and how badly things have to go before you lose access.
The conservative default. Cold-stamped 316 stainless, two plates, two locations.
Survives fire, flood, and decades. Vulnerable only to a thief who finds it.
Three keys, three places, two required to spend. Eliminates the single point of failure.
Higher initial complexity. The right tool past roughly five figures.
Split the seed into m-of-n shares. Reconstruct with the threshold, never with fewer.
Requires trust you actually have. Excellent for inheritance setups.
Printed phrase in a tamper-evident sleeve in a fire-rated safe. As redundancy only.
Never the primary. Fire and water remain the hard problems.
| Method | Cost | Setup time | Survivability | Best for |
|---|---|---|---|---|
| Stamped steel M1 | $70–$200 | an afternoon | 9 / 10 | any meaningful holding |
| Multisig (2-of-3) M2 | $300–$700 | a weekend | 10 / 10 | serious holdings or single owners |
| Shamir shares M3 | $80–$200 | an afternoon | 8 / 10 | distributing to trusted family |
| Sealed paper M4 | $20–$60 | an hour | 5 / 10 | a tertiary backup |
The conservative default setup, end to end. Stamped steel, distributed across two locations, with a sealed inheritance letter. Roughly four hours of effort spread over two days. About $90 in hardware. Survives most of what's likely to happen.
Set up a wallet on a device that has never connected to the internet. A hardware wallet straight from a sealed package is the typical answer.
Cold-stamp the first four letters of each word into a 316 stainless plate. No screens. No photos. No clipboard.
Stamp a second plate, identical to the first. This is your offsite backup, not a spare for the same room.
One plate stays home in a fire-rated safe. One plate goes elsewhere — a bank deposit box, a trusted family member, a second property.
A sealed envelope with location, procedure, and enough context that a non-technical heir could actually follow it. Held by an attorney or trusted relative.
Restore onto a fresh, offline device. Confirm the first address matches. Wipe the device. Schedule the next test for one year from now.
Almost every permanent loss this site has documented falls into one of these patterns. None of them is exotic. All of them are preventable, cheaply, this weekend.
Your phone is online. It has been backed up to a cloud. It has been scanned by an OCR pipeline you don't control.
Hand-write it. Stamp it. Never let it touch a screen.
Single location, single medium, single fire away from gone. The most common cause of permanent loss is simply: misplaced.
Two locations. At least one of them on metal.
Human memory is the least reliable storage medium ever invented. You will forget some part of it. Probably more than you'd like.
Memory is a supplement, not a backup. Write it down.
An encrypted cloud backup is only as strong as the password protecting it — and now you have two secrets to keep instead of one.
Cloud is acceptable as a tertiary copy. Never as the primary.
Now there are two people who can be coerced, and one of them might not be careful.
Give them the location of a sealed letter. Not the phrase itself.
An untested backup is not a backup. It's a hope. Hope has a poor track record against fire, flood, and human error.
Restore on a fresh device once a year. Confirm. Wipe.
The most common reason recoveries fail is not that the medium degraded — it's that the procedure was never actually rehearsed. Once a year is enough. Schedule it the way you schedule a smoke alarm test.
The hardest custody question, and the one most people avoid. There are two patterns that work. Both require an afternoon's planning while you're alive, and neither requires telling anyone the phrase.
A printed document — held by your attorney, or in a sealed envelope with a trusted relative — describing where each backup is and how a non-technical person would use them.
A 2-of-3 multisig where one key is held by a professional trustee, who never holds enough to spend alone but can co-sign with the heir once your estate has been settled.
No marketing. No vendor preference. If a question has an unsatisfying answer, the answer is unsatisfying.
A hardware wallet is a convenient, secure interface to your seed. The seed itself — the twenty-four words — is what you're really protecting. If the device dies (and they do), you restore from the phrase. So how you store that phrase is the actual question.
As a tertiary, encrypted, self-hosted copy — fine. As the primary — no. Cloud sync turns your seed into something with a network surface, which defeats the entire premise of cold storage.
Annually. Restore onto a fresh, air-gapped device, confirm the first address matches, then wipe the device. Schedule it like a smoke-alarm check.
A worthwhile additional layer — provided you have an equally serious plan for storing the passphrase. Otherwise you've just doubled the number of things you can lose.
It's a reasonable second location for a redundant metal plate. It is not safe as a single location: banks have flooded, been seized, and lost contents. Always have two.
Not on the landing page. The brand market shifts faster than guides should. Vendor recommendations live in the methods deep-dives with notes on when each was last reviewed.
No. No affiliate links, no products, no newsletter monetisation, no tracking. The hardware costs what hardware costs at whoever you choose to buy it from.
BIP-39 phrases are fine. The keys they derive use ECDSA, which is theoretically vulnerable to a sufficiently large quantum computer. None exist. The community will migrate before that changes; the work to do today does not change.
Set up properly once. Test it annually. Forget about it the rest of the time. That's the whole site.