How to store your Bitcoin recovery seed
Tips for keeping your backup safe for the long term
Storing your Bitcoin properly is essential if you plan to hold on to it for years or decades to come. Using a Trezor to create and store keys safely offline keeps you safe from remote attacks, and your recovery seed protects those keys if the electronics get damaged. Keeping that seed safe for the long term can be daunting, so here are some tips to help you choose a safe place for your backups.
Contents
- Define your threat model
- Storing a standard recovery seed
- 12 and 24 word seeds
- Using Shamir backup
- Choosing the right material for your backups
Define your threat model
Before getting too worked up about the potential risks facing your Bitcoin, take a moment to assess the most probable threats you face.
Remote attacks
The biggest threat most of us are vulnerable to is a remote attack, where an attacker will try to steal keys using malware or phishing over the internet. Physical theft is statistically much less common but still poses a risk to anyone identified as a worthwhile target.
Hardware wallets mitigate remote attacks by keeping your keys offline at all times. They also let you see exactly what you are signing, unmasking more sophisticated attacks. Starting to use a hardware wallet is the biggest security improvement you can make.
Physical attacks
A person holding 100 Bitcoin in their Trezor will be a much more desirable target than someone holding a few million sats, but only if the amount is known. Simply being outspoken about owning Bitcoin can put you at risk, no matter how much you own.
It may seem trivial to talk about owning a small amount right now, but the value could increase, or a potential attacker may simply jump to their own conclusions. By keeping a low profile, you are far less likely to find yourself under threat.
Addressing the physical threat vector takes some discipline. A hardware wallet will stop a physical attacker from getting to your keys, but it’s best to never get into that situation. Don’t talk about how much Bitcoin you own, be careful with sharing other data, and secure your keys where only you can access them.
Storing a standard BIP39 recovery seed
A recovery seed, also known as a seed phrase, is a way to restore keys and recover access to your funds if a wallet is lost or damaged. It is a single point of failure, and therefore must be kept well protected at all times.
The standard backup created by Trezor wallets, called a recovery seed, uses the BIP39 standard, which we helped to create. This is now used across the industry to back up most wallets, and usually takes the form of a list of 12 or 24 words in a specific order.
There are two points to focus on when storing a recovery seed: it must be stored somewhere only you can access, and it should be durable. The durability issue is commonly solved by engraving the seed in a tough material, such as stainless steel or titanium, which will survive a disaster. Securing the backup is a more difficult task for the average person to manage.
There are pros and cons to each option for storing your seed, so consider your threat model to decide on a solution that works for you.
Using a home safe
Storing your seed in a hidden safe at your house is one of the only ways to control who has access to it. Seeing a safe is enough to raise the interest of any potential thief, so if using this storage method you should find a discreet place to install the safe, obscured from view of guests, housemates or cleaners.
If there is a likelihood that your bitcoin holdings are known by others and somehow connected to your home address, this option may not be viable for you. A more flexible recovery method such as Shamir backup might be better suited, so even if the seed in your safe were compromised your funds would remain protected.
If you have multiple wallets, it’s also possible to use them in a multisignature setup, where each wallet acts as one key and the seed for each can be held in different locations, meaning a compromised safe would not be so disastrous. This is more complex to set up than Shamir, but offers advantages if custody of the funds is shared by multiple people.
A hidden location on your property
While not as secure as a hidden safe, you may have a hard-to-access and discreet location on your property, such as hidden in a locked loft, or out of reach and out of sight somewhere in a locked room. There are many options here, and you will need to assess the layout of your property to determine if there is any truly secure location to use.
Burying your recovery seed
Storing your recovery seed underground is often referenced as an option, but there are several reasons it may be a bad idea. Many materials will degrade faster in a damp, acidic environment, so precautions have to be taken to transcribe the seed to a durable material and to limit exposure to dirt and humidity.
Another issue when burying a seed outdoors is choosing a good location. You should be in control of who can access the land, and must take steps to prevent it from being uncovered accidentally, and to make sure you will remember where you left it.
12 and 24 word seeds
Recovery seeds are commonly generated as lists of 12 or 24 words in a specific order. These words are part of a limited set of 2048 words defined in the BIP39 standard. In terms of probability, the chance of correctly guessing 12 words in the correct order is around 1 in 2¹²⁸, while for a 24-word seed it is 1 in 2²⁵⁶.
Obviously, the 24 word seed is much harder to guess, but even a 12 word seed generates a number so large it would be impossible to brute-force. Trezor hardware wallets can be configured to use 12, 18, or 24 words, but each model has a different default setting, because of how the seed is entered into the device.
The Trezor Model One will by default provide a 24-word seed, because restoring the device requires the user to enter the words into their computer. On the Trezor Model T, keys are restored by entering the seed directly into the device using the touchscreen, which means a 12-word seed is more than sufficient to protect your funds.
A 12-word seed will keep your funds safe while also being convenient to use, and with practice it can even be memorized. While a 24-word seed will technically be more secure, it is not necessary if you are entering your recovery seed directly on your hardware wallet.
It is possible to configure the number of seed words using the trezorctl command-line tool, but this is not recommended unless you know what you are doing, as overcomplicated security setups can also put your funds in danger.
Whatever length of seed you use, never attempt to split the word list into sets. This weakens your security model by revealing some of your words and greatly reducing the effort taken to brute force the rest of the seed. To distribute your backups among multiple locations, use Shamir backup instead.
Limitations of a recovery seed
While BIP39 recovery seeds made it much easier to secure Bitcoin offline, they are still not ideal since they must be heavily protected and are a single point of failure that could lead to loss of funds. You can take precautions against this by using passphrases to create hidden wallets. Assets in hidden wallets can only be accessed with the recovery seed and a passphrase, which can be memorized or stored in a different location than the recovery seed.
SatoshiLabs also created a new standard called Shamir backup that improves upon BIP39 and lets you securely generate multiple lists of words that must be combined together to restore access to the funds. Using Shamir backup, there is redundancy that allows one or several lists to be lost or stolen without security being affected, making it simpler and safer for the average person to protect, even without access to highly secure storage.
Using Shamir backup
Recovery seeds are widely used but can be problematic to secure. Shamir backup makes it easy to safely store a backup of your keys across multiple locations, lessening the risk of losing access to your Bitcoin through theft or damage.
Shamir backup, also known as SLIP39, is a feature available on the Trezor Model T that lets you create up to 16 shares, where each share is a list of 20 words. You then choose a threshold, which sets how many shares are needed to recover the keys. With these two options, you can customize your setup in many ways to suit your threat model.
There are two configurations of Shamir backup that are most commonly used, known as two-of-three and three-of-five. The naming of these systems is formatted as threshold-of-total shares, so the first scheme is three shares in total and a threshold of two shares needed for recovery. Three-of-five means five shares in total and any three needed for recovery.
It is best not to overcomplicate a Shamir backup. Unless you have a specific use case that needs another configuration, it is best to stick with a two-of-three or three-of-five setup. A two-of-three setup offers redundancy where one share can be lost, destroyed or stolen, while three-of-five allows two shares to be lost without affecting your funds.
Using Shamir backup means less paranoia and more practical physical security. While it’s good practice to keep shares locked away, with Shamir backup you can distribute your shares between your home, a relative’s house, your office, and so on, so even if one location is compromised it does not impact your ability to recover your funds.
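The threshold-of-total idea described above, as an added example that is not Trezor's SLIP39 code: a minimal Shamir split over GF(256), the field SLIP39 also works in, showing that any two of three shares rebuild the secret while a single share is consistent with every possible secret byte, which is the property a split word list lacks. The function names and share numbering are illustrative assumptions; real SLIP39 adds a digest, encryption, checksums and the word encoding, so these shares are not Trezor-compatible mnemonics.

```python
import secrets

def gf_mul(a, b):
    """Multiply in GF(256) modulo x^8 + x^4 + x^3 + x + 1 (0x11B)."""
    r = 0
    while b:
        r ^= a if b & 1 else 0
        a = (a << 1) ^ (0x11B if a & 0x80 else 0)
        b >>= 1
    return r

def gf_inv(a):  # a^254 is the inverse, because a^255 == 1 for non-zero a
    r = 1
    for _ in range(254):
        r = gf_mul(r, a)
    return r

def split(secret, threshold, total):
    """Evaluate a random degree-(threshold-1) polynomial per secret byte at x = 1..total."""
    if not 1 < threshold <= total <= 16:
        raise ValueError("need 2 <= threshold <= total <= 16")
    shares = {x: bytearray() for x in range(1, total + 1)}
    for byte in secret:
        coeffs = [byte] + [secrets.randbelow(256) for _ in range(threshold - 1)]
        for x, out in shares.items():
            y = 0
            for c in reversed(coeffs):  # Horner evaluation at x
                y = gf_mul(y, x) ^ c
            out.append(y)
    return {x: bytes(s) for x, s in shares.items()}

def recover(shares):
    """Lagrange-interpolate every byte position at x = 0, where the secret sits."""
    weights = {}
    for xi in shares:
        num = den = 1
        for xj in shares:
            if xj != xi:
                num, den = gf_mul(num, xj), gf_mul(den, xi ^ xj)
        weights[xi] = gf_mul(num, gf_inv(den))  # Lagrange basis value at 0
    out = bytearray(len(next(iter(shares.values()))))
    for x, share in shares.items():
        for i, y in enumerate(share):
            out[i] ^= gf_mul(y, weights[x])
    return bytes(out)

def candidates_from_one_share(x, y):
    """Threshold 2: secret bytes s for which some line s + a*x passes through (x, y)."""
    return {s for s in range(256) for a in range(256) if s ^ gf_mul(a, x) == y}
```

Calling `split(secret, 2, 3)` and passing any two entries of the result to `recover` returns the original bytes, while `candidates_from_one_share` returns all 256 values for any single share byte.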
Limitations of Shamir backup
Shamir backup is a more robust solution than a BIP39 recovery seed, but it is not as widely supported as BIP39. That means to recover a wallet using Shamir backup you will need to use another Trezor Model T or one of the other third-party wallets that support the standard.
Shamir backup is open source, meaning we gave this standard to the community so anyone can use it, and we believe support of SLIP39 will continue to grow. Should Trezor cease to exist, there are open tools available to recover Shamir backups.
It’s also easy to be complacent with Shamir backup, but you should still hide your shares securely to prevent someone from covertly tracking them down, and regularly check on the state of your shares in case they get damaged. While you may be able to lose several shares without endangering your funds, you must always have enough to meet the recovery threshold.
Choosing the right material for your backups
Paper backups, where you write down your recovery seed in pen or pencil, are susceptible to disasters such as fire or flood. As covered above, a BIP39 recovery seed is a single point of failure, meaning if it gets destroyed and you lose your Trezor, you will never be able to recover your funds. Anyone using a 12 or 24-word recovery seed will benefit from engraving or punching their seed into a metal backup, to offset the risk of disaster.
If you use a Shamir backup, the redundancy allowing for shares to be lost or damaged means a metal backup might not offer significantly more protection. Depending on how you distribute the shares, you may choose to invest in several metal backups where there is a higher risk of the share becoming damaged, such as if buried or kept somewhere that may not be possible to access for a long time.
Types of physical backups
Physical seed storage solutions come in many forms and materials. The most common types are paper and metal. For a thorough guide to dozens of metal backups available for purchase, check out Jameson Lopp’s Metal Seed Storage Reviews, where storage solutions from different brands are put through a gauntlet of endurance tests.
Metal backups can also be put together using equipment from a hardware store, such as stainless steel bolts and nails. Engraving tools can be used too, but it is important that the seed is engraved or punched in the metal in a way that it will be readable even if the metal is heavily deformed or heat-damaged.
How to store your Bitcoin wallet backups was originally published in Trezor Blog on Medium, where people are continuing the conversation by highlighting and responding to this story.