How to Safely Store Your Hardware Wallet Seed Phrase

Some good practices to safely store your Cold Wallet Seed Phrase.

The Bitcoin Hole
9 min read · Apr 12, 2024

In our previous post, “Where to store your bitcoin keys?”, we learned that a hardware wallet is the most secure and recommended place to store your bitcoin keys.

If you don’t have a hardware wallet yet, you can visit our website comparing the best wallets available:

Now, let’s explore some good practices to safely store your hardware/cold wallet seed phrase.

What is a Mnemonic phrase?

A mnemonic phrase (aka seed phrase or seed) is a collection of between 12 and 24 English words that is used to back up your wallet.

You can find a detailed explanation in this video:

Seed Phrase Generation

A hardware wallet generates your seed phrase for you and displays it on its screen. It’s very important to remember some security rules:

  • NEVER save your seed phrase on any online service (GDrive, Dropbox, Google Docs, etc)
  • NEVER type your seed phrase on your phone, computer, or any other digital device. DON’T store your seed phrase even in a Password Manager
  • NEVER take a screenshot of your seed phrase

Just copy it directly from the hardware wallet screen onto paper.

Highest Risks

Now that you have control of your seed phrase, it’s time to talk about the risks and how to protect yourself. Loss, damage, and theft are the highest risk factors for storing a recovery seed. So, let’s explore some techniques to protect your seed and improve your security.

Shamir Backup

Shamir’s secret sharing (SSS) is a cryptographic technique formulated in 1979 by the Israeli cryptographer Adi Shamir. The essence of Shamir’s scheme lies in the ability to back up, share and recover a secret by breaking up the secret into multiple shares that are individually useless and leak no information about the secret or the scheme setup.

You can choose how many recovery shares you want to generate, and decide how many of them you want to use for recovery. Individual shares do not leak any information about the shared secret, as long as the number of compromised shares does not reach the required threshold. For example, if you use a 3-of-5 scheme and 2 of your shares get compromised, the attacker has no chance to reconstruct your wallet and cause trouble.

Applying Shamir’s secret sharing to your seed phrase is a good idea because it increases your security and also gives you the ability to better support inheritance planning.

Here you will find all the hardware wallets supporting Shamir Backup:

Passphrase

The passphrase is an optional feature of hardware wallets that allows users to create hidden wallets. A passphrase acts as a second factor protecting the recovery seed and is the ultimate protection against attacks involving physical access to the device or the recovery seed.

Passphrase on Trezor

There is no such thing as an “incorrect passphrase” and you can create an unlimited number of wallets. This can be quickly turned to your benefit when you decide to redistribute your balances to give you a “cover”.

Consider leaving some pocket change, funds you would use for smaller everyday purchases, on your unprotected account (just the PIN, no passphrase). Then, move a moderate chunk of your savings under a passphrase of your choosing. Lastly, you can move the greater part of your balance to a completely different passphrase.

In a situation where you are physically threatened by burglars, border security agents, or pretty much anyone else, you can now safely give up your PIN (which can be changed anyway). If the assailants keep you under duress and demand a passphrase, you can give out the one with the lesser amount.
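Why there is no “incorrect passphrase”, as an added example that is not part of the original post: for a BIP39 mnemonic the passphrase is mixed into the salt of the seed derivation, so every string yields a valid but different seed. The practical consequence is that a typo, a changed capital or a stray space silently opens a different, empty wallet, so the backup must record the passphrase exactly. The mnemonic is the public BIP39 test vector and the passphrases are constructed samples.

```python
import hashlib
import unicodedata

# Public BIP39 test-vector mnemonic, used here as sample input. Never fund it.
TEST_MNEMONIC = "abandon " * 11 + "about"

def bip39_seed(mnemonic, passphrase=""):
    """BIP39 seed: PBKDF2-HMAC-SHA512, 2048 rounds, salt = "mnemonic" + passphrase."""
    nfkd = lambda s: unicodedata.normalize("NFKD", s)
    return hashlib.pbkdf2_hmac(
        "sha512",
        nfkd(mnemonic).encode("utf-8"),
        ("mnemonic" + nfkd(passphrase)).encode("utf-8"),
        2048,
        dklen=64,
    )

def seed_fingerprints(mnemonic, passphrases):
    """Map each passphrase to the first 8 hex digits of the seed it produces."""
    return {p: bip39_seed(mnemonic, p).hex()[:8] for p in passphrases}

# Constructed passphrases: the last three differ from the second only by
# case, a trailing space, and a one-letter typo.
CANDIDATES = [
    "",
    "river lamp orbit salt",
    "River lamp orbit salt",
    "river lamp orbit salt ",
    "river lamp orbit sale",
]

if __name__ == "__main__":
    # No candidate is rejected; each one simply derives its own seed.
    for phrase, fp in seed_fingerprints(TEST_MNEMONIC, CANDIDATES).items():
        print(f"{phrase!r:28} -> seed {fp}...")
```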

As a plus, using passphrases can also add an extra security layer when an exploit is found on a hardware wallet. For example, Kraken Security Labs identified a Trezor security issue in 2020. Here you can read the details.

But the good news is that if you use a Passphrase, the issue can’t be exploited. Here is the Trezor response to the security issue with the details:

Passphrase Generation

A simple passphrase of 4 to 6 English words is enough to protect your seed.

Using words from the BIP39 word list, in lowercase and separated by a blank space, is a good idea because some hardware wallets are adapted to input those words in a simple way.

Use dice to pick the words 100% offline and with good entropy.

Source: https://xkcd.com/936/
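One way to turn dice rolls into BIP39 words without bias, as an added example that is not part of the original post: five rolls give 7776 outcomes, which is not a multiple of 2048, so the top 1632 outcomes are re-rolled and every word stays equally likely at 11 bits each. The same arithmetic can be done on paper with a printed word list; the code only spells out the mapping and audits it. The function names and the 1-based line numbering are assumptions.

```python
from collections import Counter
from itertools import product

WORDS = 2048                          # entries in the BIP39 word list
ROLLS = 5                             # 6**5 = 7776 equally likely outcomes
LIMIT = (6**ROLLS // WORDS) * WORDS   # 6144, largest multiple of 2048 below 7776

def rolls_to_line(rolls):
    """Map 5 rolls of a 6-sided die to a 1-based line in the word list.

    Returns None when the rolls must be discarded and re-rolled; keeping
    them would make low-numbered words more likely than the rest.
    """
    if len(rolls) != ROLLS or any(r not in (1, 2, 3, 4, 5, 6) for r in rolls):
        raise ValueError("need exactly 5 rolls, each 1-6")
    value = 0
    for r in rolls:                   # read the rolls as a base-6 number
        value = value * 6 + (r - 1)
    return None if value >= LIMIT else value % WORDS + 1

def audit():
    """Enumerate every possible roll; return (hits per line, rejected count)."""
    hits, rejected = Counter(), 0
    for rolls in product(range(1, 7), repeat=ROLLS):
        line = rolls_to_line(rolls)
        if line is None:
            rejected += 1
        else:
            hits[line] += 1
    return hits, rejected

def passphrase_bits(word_count):
    """Entropy of a passphrase of uniformly chosen words: log2(2048) = 11 bits each."""
    return 11 * word_count

if __name__ == "__main__":
    hits, rejected = audit()
    print(len(hits), set(hits.values()), rejected)
    print(passphrase_bits(4), passphrase_bits(6))
```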

Shamir + Multiple Passphrases

The combination of Shamir Backup + Multiple Passphrases gives you strong security. The expert Andreas M. Antonopoulos talks a bit about this in this video from minute 11:41:


How to protect your seed phrase?

Depending on the technical complexity you can handle, there are different options to protect your seed phrase.

Andreas M. Antonopoulos talks about how to protect your seed phrase

DON’T use a Password Manager to back up your hardware wallet seed phrase:

DON’T use one seed for all your wallets:

Take into account that the seed phrase and the passphrase should be backed up in two different locations.

Backup on Metal

Engraving your seed phrase on a stainless steel backup plate could be a good idea because it is able to last much longer than paper in the event of a fire or flood. Here you have some good options:

Cryptosteel Capsule Solo

The capsule features adjustable separators, offers more capacity — 123 instead of 96 characters most other solutions provide — and comes with a full ASCII-character-set supporting random passwords with numbers and symbols. All of the characters are deeply stamped into the tiles to provide maximum longevity. This means that the capsule can securely store a random password without separators, an unabbreviated 12-word mnemonic seed, or the first four letters of a mnemonic seed made up of 25-word phrases.

Cryptosteel Cassette

The Cryptosteel Cassette is the product that started it all and established the market for offline metal wallets. The Cassette is a pocket-sized stainless steel unit designed to securely store the alphanumeric data of your choosing with no need for specialized tools or third-party involvement. Each device comes with its own kit of stainless steel tiles engraved on each side.

Cryptotag Zeus

Protect your recovery seed with this virtually indestructible 6mm thick titanium backup system. With the new number punch system you can easily record up to 24 BIP39 recovery words that back up your bitcoin hardware wallet in five minutes, and hodl in peace forever.

The Billfodl

Using a randomized set of character tiles, you recreate your recovery phrase in the steel unit, creating an almost indestructible backup.

  • Fire Proof: Forged to withstand more than double the average house fire
  • Water Proof: Marine grade 316 stainless steel means it will never rust
  • Shock Proof: Shockproof up to 1,000,000 volts means serious protection
  • Hacker Proof: Seeds and keys remain completely offline so no hacker can touch you
  • You Proof: Unlike a piece of paper, You will never accidentally throw away your Billfodl

You can also visit our Seed Backup section at The Bitcoin Hole site, where you will find more options:

Backup on Paper

If you want something cheaper and simpler, you can just back up your seed phrase on paper. You could laminate the paper to protect it against humidity, water, or fungus, and save multiple copies in different locations to protect it against fire.

Tamper Evident Seal

It’s important to use some kind of tamper-evident seal, so you will have a quick way to know if someone has read your seed.

Risk Mitigation

These are the main risks and how you can mitigate them:

Destruction

If you store several copies of your backup at different locations, you reduce the chance that any single event destroys all your backups. If you use proof bags or plastic lamination you have protection against water/humidity. If you use a metal backup you have extra protection against water and fire.

Stealing

If you use Shamir Backup, thieves can steal some of your Shamir shares and even your passphrases, but they can’t do anything if they don’t have all the needed shares. If they steal all your seed shares, you are still protected by your passphrases.

If you are physically threatened by burglars, the multiple passphrases can help you to protect your bitcoin.

If someone steals your hardware wallet, you are still protected by your PIN. If they can find an exploit and access your private keys bypassing your PIN, you still have your passphrase protection.

What could fail?

Case 1

  • If someone steals your hardware wallet and your passphrases, they could potentially bypass your PIN with an exploit on the wallet.

ADVICE -> Put your hardware wallet and your passphrases in different locations.

Case 2

  • If someone steals enough Shamir shares to recover your wallet and your passphrases, they could recover your wallet on a new hardware wallet.

ADVICE -> Put each Shamir share and your passphrases in different locations.

Loss

Saving multiple copies of each Shamir share and passphrases gives you multiple opportunities to recover any missing share.

Forgot passphrases

If you don’t remember your passphrases, you can use your passphrase backups.

Hardware Wallet broken/lost

In this case, you just need to order a new one and use the Shamir shares + passphrases to restore all your bitcoin.

Death

If you die, your family can use your Shamir shares + passphrases backup to recover your money. Let them know where those backups are or distribute some Shamir shares.

Security checklist

Let’s summarize all the actions to improve your seed’s security:

  • Create multiple copies of your backup and put them in multiple locations
  • Store your backup with some kind of tamper-evident seal
  • Create multiple passphrases and back them up in multiple locations
  • Tell your family where those backups are or distribute some Shamir shares.

You can also read more security recommendations in this article:


Visit our Website

With so many hardware wallets on the market, it can be challenging to choose the right one for your needs. That’s where our Hardware Wallet Comparison TheBitcoinHole.com website comes in. You will find the most comprehensive and honest resource for comparing the features of the top hardware wallets.
