The Infosec Basics: How to Keep Your Bitcoin Seed Phrase Secure
When it comes to self custodying your bitcoin, there is one inescapable fact: the buck stops with you. You are responsible for your own funds, you are responsible for keeping them safe, you are responsible for everything. This can be a daunting prospect, but there are ways to approach self-custody simply.
Securing your Bitcoin can be thought of similarly to building a house. First, you have to lay a foundation, then you build a frame on top of that, from there you fill in the walls, insulation, utilities, etc. For each piece of the house you want to add, you need to have completed the previous piece properly or the entire house will be unsafe and unstable.
When it comes to Bitcoin security, your seed phrase is the foundation of your security. It is simultaneously the most important yet potentially weakest point in security. Just like the foundation of a house impacts its stability, your seed phrase impacts your wallet’s security.
So how do you store a seed phrase securely? Here are some core considerations to take into account when figuring out how to secure your seed phrase.
Sharing Is Bad
Your seed phrase is your money. Every private key needed to authorize spending, every address and every Bitcoin account in your wallet: all of these pieces are generated from your seed phrase. Anyone who has access to your seed phrase has access to any funds stored in that wallet. Thus, creating and securing a backup of this seed phrase is imperative.
If something happens to your hardware wallet, or the device you installed your software wallet on, your only hope is your seed phrase backup. If you lose that seed phrase backup your money is gone. Your money is accessible in two ways when self custodying your funds, either the wallet you are using, or your seed phrase backup. Your bitcoin wallet protects a copy of your keys on that device, but it can’t help you protect the seed phrase backup.
No one should be given access to your seed phrase; as cold and callous as it sounds, you can’t be sure they will handle it responsibly. They can still misplace a copy of your seed phrase, or leave it lying around unsecured, without any malicious intent on their part.
So, rule one: never share your seed phrase with anyone. Any exception to this rule under any circumstances should be thought through long and hard before breaking it. After all, being too trusting could put your Bitcoin at risk.
Computers Are Not Your Friend
It is critically important to avoid recording your seed phrase in any digital format. Computers are incredibly complicated machines and thus are prone to a litany of security issues. People’s devices are hacked on a regular basis. Copies of your seed phrase can be put at risk when stored digitally. In short, your laptop or smartphone is vulnerable to malware and spyware. If a hacker gains access to your device, they may be able to read your files and extract your seed phrase from any type of digital storage they can access. For this reason, you should avoid storing your seed phrase digitally.
This goes especially for storing anything in a remote digital service, like a cloud storage provider. If your email account was ever compromised, the hacker could use your credentials to log in to any cloud storage service and access your seed phrase.
Under no circumstances should you ever:
Store your seed phrase on a cloud storage site such as iCloud or Google DriveTake pictures of it with your phone or other digital cameraSend it over any digital medium, such as email or text messageEnter it into anything but the bitcoin wallet you are usingHandle it in front of any cameraSay it out loud near a microphone
The only copy of your seed phrase should be physical, and completely isolated from the internet.
This is why keeping sizable amounts of Bitcoin in a software wallet on your computer or mobile phone is not recommended either. To put it simply, your internet connected devices are vulnerable to hackers. Thus, if you want to keep your Bitcoin safe, you should invest in a hardware wallet.
Use Durable Seed Phrase Backups
One important decision should jump out at you when it comes to making a backup of your seed phrase: what do you write it on? This may seem like a silly question if you’re new to this space, but unless you stop using Bitcoin you will need to secure your seed phrase for the rest of your life.
Durability is incredibly important. You could just write your seed phrase on a piece of paper and stuff it in a drawer, but how long will that stay safe? Paper is flammable: it degrades. If you spill water on it the ink could bleed and your backup could become unreadable. Paper is not suitable for longer-term storage.
Metal is a much better option, and numerous products on the market are designed to store your seed phrase on metal.. Some solutions use tiny individual metal tiles with letters on them, so you can slide them into a frame and lock them in place to record your words, such as the BillFodl.
Metal tile backups are reusable, so over time if you generate and move to new wallets the same backup kit can be reused for the new seed phrase. It’s also possible to “destroy” your backup easily if needed by removing the tiles. If you move somewhere you can’t take your backups with you because of the risk of someone else finding them, for example going through an airport, you might not want to leave your backup intact.
Other metal backups use etching tools to scratch or impress the words directly into a flat metal surface, providing even stronger protection against threats like fire. This is extremely secure, but destroying a copy of your seed phrase etched into metal is extremely difficult. To really be certain it is destroyed you have to grind down the entire face of the metal plate until no trace of the words are left.
Lastly, there are capsule based solutions. These use little steel tiles with letters on them, but instead of sliding them into a flat frame, they are loaded into a steel tube around a rod to hold them in place. This can give the benefits of reusability while ensuring that any fire warping does not scatter and dislodge the letter tiles.
When picking between metal tiles or steel plates, weigh the pros and cons of both carefully. But remember: use something metal. Don’t trust your Bitcoin to a flimsy piece of paper.
Physical Safety
Now that we’ve established how to store your seed phrase, where should you store it? Keeping the seed phrase on a robust piece of material is important, but so is keeping it in a place that is difficult to access physically. It should be stored somewhere you can keep locked, such as a safe or a lockbox. A safe is better than a lockbox, as that is bulkier and harder to physically carry. A safe attached to a wall is even better yet, requiring the destruction of a wall to remove the safe.
If you don’t have a safe or a lockbox, keep your seed phrase out of sight. Put it in a filing cabinet or desk drawer in a room not accessible to other people. The important part is making sure that wherever it is, no one else can access it.
Splitting Your Backup
You might not have a single place that can be safely secured to house your backup seed phrase. Two options exist that can allow you to maintain a safe backup without keeping your seed phrase in a single location. If you are considering splitting your seed phrase backup, follow a well known protocol or don’t do it at all.
Splitting your backup yourself
Seed XOR is one mechanism. It is a process that allows you to take a pre-existing seed phrase and split it using a mathematical process into two (or more) new seed phrases. These new seed phrases are fully valid and can later be recombined to regenerate the original seed phrase they were created from. This allows you to divide your seed phrase into pieces and store it in multiple locations. It is very important to keep in mind though, you must have 100% of the split seed phrases, if you lose a single one you cannot regenerate the original seed phrase. A big benefit of XORing is you can do it by hand.
Shamir’s Secret Sharing
The second is Shamir Secret Sharing. Similarly to seed XORing SSS breaks your seed phrase into multiple pieces, but it uses a very different mathematical process to do so. Unlike seed XORing, Shamir shares allow you to recover your original seed phrase with less than 100% of the shares. It can be set up like a multisig, i.e. as long as you have 3-of-5 backup shares you can regenerate your seed phrase. The only downside is that only certain wallets support using Shamir, and it cannot be done by hand.
Under no circumstances should you split up your seed phrase manually. If you are not following a safe and widely scrutinized protocol like Seed XOR or Shamir Secret Sharing, don’t even consider it. Naively splitting your seed phrase into multiple pieces can drastically reduce the security of your bitcoin. Guessing 12 or 24 words randomly and happening to guess someone’s seed phrase is statistically impossible, but if someone has 4 of those words? Or 6 of those words? It starts actually becoming practical to guess the rest of your seed phrase.
Another alternative, if you use a Ledger, is the Ledger Recover service. This paid optional service uses a variant of shamir’s secret sharing called Pedersen Verifiable Secret Sharing (PVSS). This allows you to backup access your wallet without a seed phrase after going through an identity verification process with your government ID.
Social Recovery
If you are in a situation where you do not have a secure place to store your seed phrase backups, alternative solutions exist. Wallets and services such as Unchained, Casa, and Nunchuck Wallet offer multisig solutions where a third party can hold one of your keys for you. For instance if you have a 2-of-3 multisig, they can hold one key. This ensures that as long as you don’t lose both of the keys you keep yourself, they can assist you in moving your funds to a new wallet.
Keep It Secret, Keep It Safe
At the end of the day securing your bitcoin is your responsibility. It is something you need to take seriously and put in the proper effort to maintain, no one is going to come and save you if you don’t take it seriously. As Gandalf warned Bilbo in the Lord of the Rings, “Keep it secret, keep it safe.”
That is your job as a Bitcoiner, to keep your seed phrase hidden from other people and safe from those who would wish to take it from you. The simple advice in this article is the vast majority of what you need to do to accomplish that.
Don’t try to reinvent the wheel. Just record your seed phrase on a durable medium like metal, and keep it physically safe from prying eyes and thieving hands. Keep it locked in your safe or a room other people do not frequently access. Check on it from time to time. That’s all you have to do.
Don’t over complicate things in your head, just keep it simple and your bitcoin will be safe.