Sharing the strategy I’m using to protect my own hardware wallet backups.
I’ll be happy for any comments.
STEP #1: Keep Your Recovery Seed 100% Offline – ALWAYS
I created multiple physical recovery seed backups (wrote my recovery seed on paper) and stored them in different places, 100% offline.
I tested the recovery seed I wrote on the paper to make sure I made no mistake.
Here is how you can test your recovery seed:
For Trezor wallet:
https://wiki.trezor.io/User_manual:Dry-run_recovery
For Ledger wallet:
https://support.ledger.com/hc/en-us/articles/360007223753-Recovery-Check
Also I’m considering buying a Cryptosteel or other “indestructible” metal seed storage:
https://medium.com/@lopp/metal-bitcoin-seed-storage-stress-test-21f47cf8e6f5
Finally, I scheduled regular reminders to check all my backups and make sure they are okay (not stolen/destroyed).
STEP #2: Enable Passphrase On Your Hardware Wallet
The passphrase is widely recommended by cybersecurity professionals and has multiple security effects:
· If you do not use a passphrase, your recovery seed is all that is needed to access your coins
· The passphrase protects your recovery seed and is not stored anywhere. This means that even if somebody compromised your recovery seed, they would not be able to access your accounts unless they knew the passphrase as well
· Do not store passphrase right next to the backup of your seed. Consider choosing a memorable passphrase and setting up reminders to refresh your memory every few months
· One or more passphrases can be used with the same device to create the so-called “hidden wallets”
· You can share your account with the rest of the household or your team members at work. You can generate and distribute a recovery seed which would give everyone access to the “mutual”, “seed-only” wallet. Every member of this group can then separate their own secret wallet by using their custom passphrase – this is especially useful for inheritance planning
Read more about the passphrase security benefits from official Trezor wallet resources (similar also for other hardware wallets):
https://blog.trezor.io/passphrase-the-ultimate-protection-for-your-accounts-3a311990925b
https://blog.trezor.io/seed-pin-passphrase-e15d14a0b546
According to these recommendations, I activated a passphrase to protect my recovery seed.
Let’s say my passphrase is “my-super-secret-passphrase-20190414”
STEP #3: Backup First Passphrase Part Offline
Even if I can remember my passphrase, I am aware that I might forget it due to the passage of time, disease or accident. Not likely, but it might happen.
That’s why I wrote down the first passphrase part (“my-super-secret-“) on a paper and stored it in a different place than the recovery seed is stored (to keep recovery seed and the first passphrase part separated).
Then I scheduled regular reminders to refresh my memory, not to forget my passphrase and check all my backups.
STEP #4: Schedule Recovery / “Inheritance” Email Containing Second Passphrase Part
And now the most important thing.
I scheduled my recovery email containing the second passphrase part (“passphrase-20190414”).
What does it mean?
If I am inactive longer than a waiting period I choose (e.g., 3 months), my family will receive the recovery email containing the second passphrase part.
In my recovery email, I put important details on where my family can find my physical backups (recovery seed and first passphrase part), plus it also includes the second passphrase part itself, which they need to access my digital assets.
You can use this recovery email template as an inspiration:
https://seedcret.com/kb/recovery-email/
Besides the free Seedcret account, you can also schedule a second recovery email (as a backup) with Google Inactive Account Manager:
https://support.google.com/accounts/answer/3036546?hl=en
WHAT ARE THE BENEFITS? WHY DID I DO IT?
BENEFIT 1 (for myself) – peace of mind: Even if I forgot my passphrase, I know where to look to refresh my memory
BENEFIT 2 (for others) – inheritance plan: In advance, I can let my family know where both physical backups are (the recovery seed and the first part of the passphrase) and also that they would receive the recovery email containing the second passphrase part in case of an accident/death
Of course, I can give the second passphrase part to my family right away but I don’t want to do it because:
· The more people know the passphrase, the higher the risk that it will be compromised (even by accident)
· I want to make sure that my family will access my assets once I am not here anymore but not before (when I am still here:))
BENEFIT 3: No need for lawyers or any third party that you have to trust.
BENEFIT 4: The passphrase backup is separated into two parts stored offline and online – a criminal visiting your flat won’t be able to find the whole passphrase in one place (because the second passphrase part is stored online)
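As an added illustration of steps 2 to 4 (this is my example, not code from the post, Trezor or Ledger), here is how the passphrase enters the BIP39 seed derivation these wallets use, with the two passphrase parts from the post and a public BIP39 test mnemonic as constructed inputs. It shows why the reassembled parts open the same wallet as the full passphrase, and why any other string, including a typo, silently opens a different, empty wallet, which is exactly why a dry-run test of the backup matters.

```python
import hashlib
import unicodedata

# Constructed inputs: the public BIP39 test-vector mnemonic and the two passphrase parts from the post.
MNEMONIC = ("abandon abandon abandon abandon abandon abandon "
            "abandon abandon abandon abandon abandon about")
PART1 = "my-super-secret-"      # written on paper, stored apart from the seed
PART2 = "passphrase-20190414"   # delivered later by the scheduled recovery email

# Published BIP39 reference seed for MNEMONIC with passphrase "TREZOR" (sanity check of the derivation).
KNOWN_VECTOR_HEX = ("c55257c360c07c72029aebc1b53c05ed0362ada38ead3e3e9efa3708e5349553"
                    "1f09a6987599d18264c1e1c92f2cf141630c7a3c4ab7c81b2f001698e7463b04")


def bip39_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """BIP39 seed: PBKDF2-HMAC-SHA512, password = NFKD(mnemonic),
    salt = "mnemonic" + NFKD(passphrase), 2048 rounds, 64-byte output."""
    pw = unicodedata.normalize("NFKD", mnemonic).encode("utf-8")
    salt = ("mnemonic" + unicodedata.normalize("NFKD", passphrase)).encode("utf-8")
    return hashlib.pbkdf2_hmac("sha512", pw, salt, 2048, dklen=64)


def known_vector_ok() -> bool:
    """Confirms this derivation matches the published BIP39 test vector."""
    return bip39_seed(MNEMONIC, "TREZOR").hex() == KNOWN_VECTOR_HEX


def reassembled_matches(mnemonic: str, part1: str, part2: str, full: str) -> bool:
    """The dry-run question: do the two stored halves reproduce the wallet opened with the full passphrase?"""
    return bip39_seed(mnemonic, part1 + part2) == bip39_seed(mnemonic, full)


def wallets_opened(mnemonic: str, part1: str, part2: str) -> dict:
    """Seeds for the wallet each piece of knowledge opens. No passphrase is ever rejected:
    every string yields a valid but different wallet, so a typo just shows an empty balance."""
    return {
        "seed_only": bip39_seed(mnemonic, ""),          # the shared "seed-only" wallet
        "part1_only": bip39_seed(mnemonic, part1),      # paper backup without the email
        "part2_only": bip39_seed(mnemonic, part2),      # email without the paper backup
        "full": bip39_seed(mnemonic, part1 + part2),    # the real hidden wallet
        "typo": bip39_seed(mnemonic, part1 + part2 + " "),  # one trailing space is enough
    }


def all_distinct(seeds: dict) -> bool:
    """True when every partial or mistyped passphrase leads to a different wallet."""
    return len(set(seeds.values())) == len(seeds)
```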