The first important item in our hardware wallet security checklist is to retain multiple copies of the seed phrase, not just the wallet itself. Seed phrases should be written on paper or engraved in metal, and stored in safe locations. One example might be a home safe, a hidden location in the home, or another location protected from fire/flood/theft. Another offsite location should be chosen, such as a bank safety deposit box, or the home of a trusted family member or friend. Both of these offsite locations require some level of trust — but offsite backups are critical in the event the original is destroyed. A bank safety deposit box may be seized, so a user may consider additional protection like a friend’s home or the addition of a BIP39 passphrase. The use of a BIP39 passphrase, stored in a separate location from the seed, can provide an additional layer of protection if the seed is compromised.

The second item in our checklist is the form of the seed phrase backup. Yes, how you backup your seed phrase is very important to your security. A hardware wallet seed should only be copied into a physical form such as paper or metal, never stored in a PC or mobile phone. If you use a hardware wallet, you should never store a copy of the seed in a picture, document, or even encrypted form such as a password manager. Why?

The entire purpose of a hardware wallet is to generate and store keys offline, on a device that doesn’t have access to the internet. A mobile phone or PC is connected to the internet, and offers general-purpose computing functionality. This offers a higher attack surface — more opportunities for hackers and thieves to gain access to your seed data and steal your cryptocurrency. By storing an offline wallet seed phrase on a general-purpose device like a PC, you break the security model of this offline wallet. So only backup your hardware wallet phrase in physical form!

Device Purchases and Management

Another noteworthy security practice for hardware wallets is how you purchase the wallet. These wallets run open-source software scrutinized by the cryptography and security community. But how can you know that the wallet is loaded with the same open-source software and not a malicious version?

The simplest way to protect against supply-chain attacks is to purchase these devices directly from the manufacturer (for example, Trezor). Do not purchase hardware wallets from third-party sellers such as Amazon or other online stores.

Phishing Awareness

Even though hardware wallets (with offline backups) are very secure, users are often tricked into giving up access to their coins via social engineering. For example, after the Ledger purchase database was compromised, users were targeted with various phishing scams. In one case, users were sent a fraudulent but legitimate-looking email asking them to “update their Ledger”. This led to a website that installs malicious software on their PC. Other similar campaigns prompt users to enter their 12–24 word seed phrases, giving the scammers full access to their wallets.

Never enter your seed phrase into any online form, even one that looks like it came from the manufacturer. Never install software on your device if requested by email, Twitter, etc. Never believe anyone claiming to be a support agent for a wallet. The only place you should read for software updates and support should be the manufacturer’s official website and support channels. Take your time when you need help — scammers want you to act quickly so they can trick you into giving up your coins.

Hardware Wallet Stories

Let’s suppose Alice has purchased 1 Ethereum and 0.5 Bitcoin she wishes to self-custody. Alice is primarily concerned with malware threats as she uses her PC for web browsing, and wants to keep her cryptocurrency wallets separate from her day-to-day devices. Alice purchases a Ledger device directly from the manufacturer, generates her seed, and writes it down on laminated paper. She stores one copy in a quality home safe, and another at her parent’s house. When she decides to sell half of her Ethereum, she connects her Ledger device to her PC to sign the transaction.

Bob is a well-known businessperson in his town and loves to share his passion for cryptocurrency. Bob doesn’t ever talk about his exact holdings, but it is known that he uses Bitcoin and has a fairly high net worth from his successful car business. Bob worries his home may be targeted for theft. Bob purchases a KeepKey device and sets up his seed phrase. In addition to the seed, Bob generates a strong, random BIP39 “diceware” passphrase (rolling dice to pick words from a list). Bob sends 10 Ethereum and 5 Bitcoin to this main wallet. Bob stores the seed phrase on an engraved steel plate in a hidden location in his home, rather than his document safe in the bedroom. Bob also stores a paper copy of the seed in a bank safety deposit box that is kept secure at all times. The BIP39 passphrase is stored in his encrypted password manager, while his seed is only stored in physical form.