At-a-glance: What this guide covers
- Self-custody fundamentals: seed phrases, passphrases, backups, and air-gapped signing (PSBT).
- Cold storage hardware and backup schemes, including SLIP-39 Shamir shares.
- Multisig vs. MPC, and when to consider each.
- Custodial options, “qualified custodians,” and what insurance really covers.
- Phishing and supply-chain risks to avoid (pre-seeded devices, fake apps).
- DeFi hygiene: managing token approvals and safer signing with EIP-712.
- Inheritance planning and disaster recovery checklists.
Why crypto security is different
Cryptocurrency ownership is controlled by private keys. If keys are exposed or lost, assets can be stolen or become irretrievable. Industry data shows theft via hacks, drainers, and credential compromises continues to be a leading cause of losses, underscoring the need for robust operational security.
Self-custody: the foundation
Understand seeds, passphrases, and HD wallets
- Modern wallets use BIP-39 mnemonic seed phrases to derive keys; protecting the seed protects all accounts. An optional passphrase (“25th word”) adds defense if the seed is found.
- Hierarchical Deterministic wallets (BIP-32) derive unlimited addresses from one seed, enabling watch-only setups and simpler backups.
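The two derivation steps above, as an added example that is not part of this guide: BIP-39 turns the words plus passphrase into a 64-byte seed, and BIP-32 turns that seed into the master key from which every address descends. `DEMO_MNEMONIC` and `DEMO_PASSPHRASE` are the public BIP-39 reference-vector values, used here only for illustration.

```python
import hashlib
import hmac
import unicodedata

# Constructed demo values (the public BIP-39 test vector), not a real wallet.
DEMO_MNEMONIC = "abandon " * 11 + "about"
DEMO_PASSPHRASE = "TREZOR"


def bip39_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """BIP-39: PBKDF2-HMAC-SHA512(NFKD(mnemonic), 'mnemonic' + NFKD(passphrase), 2048 rounds, 64 bytes).
    The passphrase is only a salt: every string yields a valid but different wallet, so a mistyped or
    forgotten passphrase is not reported as an error, it silently opens an empty wallet."""
    mnemonic_bytes = unicodedata.normalize("NFKD", mnemonic).encode("utf-8")
    salt = ("mnemonic" + unicodedata.normalize("NFKD", passphrase)).encode("utf-8")
    return hashlib.pbkdf2_hmac("sha512", mnemonic_bytes, salt, 2048, dklen=64)


def bip32_master(seed: bytes) -> tuple:
    """BIP-32: HMAC-SHA512 keyed with b'Bitcoin seed'. Left 32 bytes are the master private key,
    right 32 bytes the chain code; all child keys and addresses derive deterministically from them."""
    digest = hmac.new(b"Bitcoin seed", seed, hashlib.sha512).digest()
    return digest[:32], digest[32:]


def passphrase_changes_wallet(mnemonic: str, passphrases: list) -> dict:
    """Map each passphrase to the hex master key it produces: same words, different passphrase,
    entirely different wallet. This is why the backup must cover both secrets."""
    return {p: bip32_master(bip39_seed(mnemonic, p))[0].hex() for p in passphrases}
```

Note that passphrases are case-sensitive and NFKD-normalized, so "TREZOR" and "trezor" are two unrelated wallets.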
Backups that actually survive disasters
- Record the BIP-39 seed and (if used) the passphrase in separate, offline, redundant locations; consider fire-/water-resistant metal backups.
- For higher resilience against theft or loss of a single backup, consider SLIP-39 (Shamir Secret Sharing) to split a secret into threshold-based shares stored in different places or with trusted parties.
- Maintain a clear, offline recovery procedure that a non-expert can follow in an emergency. Bitcoin.org’s security pages emphasize encryption, backups, and offline storage for larger holdings.
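To make the threshold idea concrete, here is an added example (not from this guide and not a SLIP-39 implementation) of Shamir secret sharing in GF(256), the same field SLIP-39 uses. Real SLIP-39 adds a digest share, group/member structure and a wordlist encoding, and an audited implementation should be used for actual backups; this block only shows why any `threshold` shares recover the secret while fewer reveal nothing.

```python
import secrets

# GF(2^8) with the reduction polynomial x^8 + x^4 + x^3 + x + 1 (0x11b); each secret byte is shared independently
def gf_mul(a: int, b: int) -> int:
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= 0x11B
        b >>= 1
    return r

def gf_inv(a: int) -> int:
    result = 1
    for _ in range(254):  # a^254 == a^-1 for nonzero a in GF(256)
        result = gf_mul(result, a)
    return result

def split_secret(secret: bytes, threshold: int, count: int) -> list:
    """Per byte: a random polynomial of degree threshold-1 whose constant term is the secret byte;
    share x (1..count) is that polynomial evaluated at x. x=0 holds the secret and is never issued."""
    assert 1 <= threshold <= count <= 255
    coeffs = [list(secret)] + [list(secrets.token_bytes(len(secret))) for _ in range(threshold - 1)]
    shares = []
    for x in range(1, count + 1):
        ys = bytearray()
        for i in range(len(secret)):
            y, xpow = 0, 1
            for j in range(threshold):
                y ^= gf_mul(coeffs[j][i], xpow)
                xpow = gf_mul(xpow, x)
            ys.append(y)
        shares.append((x, bytes(ys)))
    return shares

def recover_secret(shares: list) -> bytes:
    """Lagrange interpolation at x=0. Below the threshold this returns plausible-looking garbage,
    not an error, which is why the threshold itself must be written down with the backup."""
    xs = [x for x, _ in shares]
    out = bytearray()
    for i in range(len(shares[0][1])):
        acc = 0
        for k, (xk, yk) in enumerate(shares):
            num, den = 1, 1
            for m, xm in enumerate(xs):
                if m != k:
                    num = gf_mul(num, xm)       # (0 - xm) == xm in characteristic 2
                    den = gf_mul(den, xk ^ xm)  # (xk - xm)
            acc ^= gf_mul(yk[i], gf_mul(num, gf_inv(den)))
        out.append(acc)
    return bytes(out)
```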
Cold storage and air-gapped signing
- Prefer signing transactions on a hardware wallet or fully offline device. For Bitcoin, PSBT (BIP-174) allows crafting a transaction on a networked machine and signing offline, then broadcasting from the networked machine.
Cold storage options compared
| Option | Typical use | Pros | Cons |
|---|---|---|---|
| Hardware wallet (USB or QR) | Long-term storage + periodic spending | Keys stay offline; broad ecosystem support; PSBT/QR workflows | Requires careful backup; supply-chain vigilance |
| Air-gapped laptop w/ wallet | Deep-cold vault; manual PSBT | Flexible, auditable; no vendor reliance | More setup; physical security burden |
| Paper/metal backup only | Last-resort recovery | No firmware risk; durable if metal | Operationally awkward; easy to mishandle |
Multisig vs. MPC: two ways to remove single points of failure
- Multisig requires M-of-N independent keys to spend. It is transparent on-chain, works with diverse devices, and is widely used for shared control and inheritance planning.
- MPC (multi-party computation) keeps a single logical key split across devices or services that jointly compute signatures without ever assembling the full key. Useful for institutions and automation, often combined with HSMs and policy engines. KPMG’s custody overview summarizes multisig, MPC, and HSM-based approaches in institutional contexts.
Practical guidance:
- For individuals and family treasuries, 2-of-3 multisig with different vendors/OSes reduces correlated risk while keeping recovery feasible.
- For businesses and active teams, vetted MPC or qualified custodians with audited controls can streamline operations and access management.
Custody with a third party: how to evaluate “qualified custodians”
If you don’t want the responsibility of self-custody, consider regulated custodians. In the U.S., entities such as Coinbase Custody Trust (NYDFS-chartered) and Anchorage Digital Bank (OCC national trust) operate as qualified custodians under applicable frameworks. Verify licensing and audit posture before committing.
Insurance is not a blanket guarantee
Crime policies often cover a portion of assets in custody under limited conditions and typically exclude losses from compromise of your personal credentials. Coinbase’s legal page is explicit about this limitation; BitGo public materials outline cold-storage coverage limits. Always read exclusions and limits.
Phishing and supply-chain threats to avoid
Never use pre-seeded or “ready-to-use” devices
Only initialize from the official app or on-device flow. Ledger warns about “pre-seeded device” scams; Trezor documents common phishing patterns.
Download software only from official sources
Fake wallet apps and spoofed “Ledger Live” installers have been used to trick users into entering seed phrases. Only download from the vendor domain and never type your seed on a PC or website.
Verify what you sign
Clipboard-hijacking and look-alike address attacks exist; verify full addresses on the hardware screen. Prefer human-readable EIP-712 typed data when interacting with dapps to avoid blind signing.
DeFi approval hygiene
Smart contracts often need token “approvals.” Unused or unlimited approvals can be abused if a dapp or key is compromised. Regularly review and revoke approvals using tools like Etherscan’s Token Approval Checker or Revoke.cash. Expect to pay gas for revocations.
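An added example (not from this guide or any of the tools it names) of what "review before you approve" looks like in code: it decodes the raw calldata of a pending `approve`, `increaseAllowance` or `setApprovalForAll` call and flags unlimited or oversized allowances before the transaction is signed. The selectors are the standard ERC-20/ERC-721 ones; the calldata in the test is constructed.

```python
from typing import Optional

UNLIMITED = (1 << 256) - 1  # uint256 max, the "infinite approval" most dapps request by default
# 4-byte function selectors (first bytes of keccak256 of the canonical signature)
SELECTORS = {
    "095ea7b3": "approve(address,uint256)",
    "39509351": "increaseAllowance(address,uint256)",
    "a22cb465": "setApprovalForAll(address,bool)",
}


def decode_approval(calldata_hex: str, needed: Optional[int] = None) -> dict:
    """Classify the approval a transaction would grant. `needed` is the amount the current action
    actually requires (if known) so an over-broad allowance can be flagged, not just an unlimited one."""
    data = bytes.fromhex(calldata_hex.removeprefix("0x"))
    func = SELECTORS.get(data[:4].hex())
    if func is None:
        return {"function": None, "risk": "unknown selector"}
    if len(data) != 4 + 64:
        raise ValueError("approval calldata must carry exactly two ABI-encoded 32-byte words")
    spender = "0x" + data[16:36].hex()            # address is right-aligned in its 32-byte word
    value = int.from_bytes(data[36:68], "big")
    if func.startswith("setApprovalForAll"):
        risk = "operator over ALL tokens of this collection" if value == 1 else "revocation"
        return {"function": func, "spender": spender, "approved": value == 1, "risk": risk}
    if value == UNLIMITED:
        risk = "UNLIMITED allowance"
    elif value == 0:
        risk = "revocation"
    elif needed is not None and value > needed:
        risk = "allowance exceeds what this action needs"
    else:
        risk = "bounded allowance"
    return {"function": func, "spender": spender, "amount": value, "risk": risk}
```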
Operational security checklist
Device and login hygiene
- Use hardware wallets for high-value funds; keep firmware current via the official app/site.
- Segment devices: keep a “clean” machine/profile for signing and finances.
- Use strong, unique passwords in a reputable offline-capable password manager.
- Prefer phishing-resistant second factors for exchange/email accounts when available (security keys/WebAuthn), and avoid SMS where alternatives exist.
- Enable withdrawal address whitelists and small first “test sends” when moving funds.
Transaction hygiene
- Sanity-check recipient amounts and addresses on the hardware display.
- For Bitcoin, use PSBT or QR workflows; for Ethereum/dapps, favor EIP-712 signing where supported.
Backup and recovery hygiene
- Keep at least two geographically separated backups of your seed (and passphrase, separately).
- If you adopt SLIP-39 Shamir shares, document the threshold, share locations, and a recovery walkthrough.
Inheritance and disaster planning
Have a plan for a trusted person to recover assets if you are unavailable. Bitcoin.org’s checklist explicitly includes preparing for heirs. Complement this with clear legal instructions and secure, offline documentation of where to find backups and how to use them. Recent guidance and case studies emphasize the importance of explicit instructions and not exposing sensitive data in public probate filings.
Quick recommendations by profile
| Profile | Recommended setup |
|---|---|
| New long-term investor | Single hardware wallet; seed and optional passphrase on metal; simple hot wallet for spending; periodic firmware and approval reviews |
| High-net-worth individual | 2-of-3 multisig across different vendors; SLIP-39 backup of each key or passphrase; written playbook; inheritance plan |
| Small team/DAO treasury | Multisig or MPC with policy controls; segregation of duties; formal incident and recovery runbooks; custodial staking where appropriate |
| Institution | Qualified custodian with SOC reports, segregation, policy engine, and clearly disclosed insurance and withdrawal controls |
FAQs
Is a hardware wallet enough for long-term storage?
For many investors, yes—if backups are robust, firmware stays updated, and transaction signing is verified on-device. For larger sums or shared control, consider 2-of-3 multisig or a vetted MPC provider.
Do custodians insure all my funds?
No. Crime insurance is typically limited and excludes losses from compromise of your personal credentials. Always read the policy details and exclusions.
What’s the safest way to interact with DeFi?
Use a hardware wallet, verify domains, prefer EIP-712 signing, grant only minimal approvals, and periodically revoke unused allowances.
Should I use a passphrase with BIP-39?
A passphrase meaningfully increases security if your seed is found, but introduces another secret to protect. Use it only if you can back it up and recover it reliably.
Compliance and evolving landscape
Regulatory expectations around custody continue to evolve. In the U.S., firms such as Coinbase Custody Trust (NYDFS-chartered) and Anchorage Digital Bank (OCC-chartered) operate as qualified custodians under applicable regimes; verify licensing and disclosures directly.
Final word
Security isn’t a product you buy once—it is a process. Start with self-custody fundamentals, add layers like multisig/MPC as your risk grows, keep your approvals tidy, and have a clear recovery and inheritance plan. The best setup is the one you will consistently maintain.