SEEDPHRASE

A seed phrase (also recovery seed, mnemonic seed or recovery phrase) is a sequence of 12 to 24 words that encodes, in human-readable form, the random secret (entropy) from which a wallet derives all of its private keys. Anyone holding the phrase (plus the optional passphrase, see below) can regenerate those keys and therefore spend the bitcoins the wallet controls; that is what makes it both the recovery mechanism and the most sensitive piece of data you own.


How does the seed phrase work technically?

Seed phrases are based on the BIP-39 standard. The wallet draws 128 to 256 bits of random entropy (in 32-bit steps), appends a checksum of ENT/32 bits taken from the leading bits of the entropy's SHA-256 hash, and cuts the result into 11-bit groups; each group is an index into a fixed list of 2048 words. The phrase itself is not the key: it is stretched with PBKDF2-HMAC-SHA512 (2048 rounds, salt "mnemonic" followed by the optional passphrase) into a 64-byte seed. From that seed a deterministic wallet derives the BIP-32 master key (HMAC-SHA512 keyed with "Bitcoin seed") and, following the BIP-44 path layout, the whole hierarchy of account keys and addresses, so every key can be reconstructed from the single phrase.


Length and word lists

  • 12 words: the usual compromise between security and usability (128 bits of entropy plus a 4-bit checksum).
  • 24 words: 256 bits of entropy plus an 8-bit checksum.

Both lengths are far beyond any brute-force attack; the practical difference is the checksum and the amount you have to transcribe. The checksum lets a wallet reject most mistyped phrases, but it is small: a single wrong word still passes with probability 1/16 for 12 words and 1/256 for 24, so a phrase being "accepted" is not proof that it is the right one.

BIP-39 defines word lists for several languages (e.g. English, Spanish, Japanese), but hardware wallets and most software only support the English list. A phrase written from another list may not be restorable on a different device, and the words alone do not say which list they came from, so note the list language together with the backup.


Meaning of password (passphrase) vs. seed phrase

In addition to the seed phrase, an optional passphrase (also called BIP-39 passphrase or, misleadingly, "25th word": it is a free-form string, not a word from the list) can be used. It is mixed into the PBKDF2 salt, so it adds a second secret that an attacker holding the written phrase does not have. Be aware that the passphrase is not checked anywhere: every passphrase, including a mistyped one, produces a valid but different and empty wallet, with no error message. Without exactly the right passphrase the funds are unreachable, which raises security but also the risk of irrevocable loss.
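The derivation chain described above, and the reason a wrong passphrase cannot be detected, as an added Python example; it is not code from the original article and not the code of any wallet. It uses only the standard library and checks itself against the first BIP-39 reference test vector (all-zero entropy, passphrase "TREZOR"). The 2048-word English list is not embedded: `load_wordlist()` expects it at a path you supply (the default file name `english.txt` is an assumption), and every other function works on word indices, so the rest runs offline as is.

```python
"""BIP-39 mechanics with the standard library only: entropy -> checksummed word
indices -> 64-byte seed (PBKDF2) -> BIP-32 master key. Added example, not wallet code.
The 2048-word English list is not embedded; load_wordlist() reads it from a path you
supply (the default name is an assumption). All other functions work on word indices."""
import hashlib
import hmac
import secrets
import unicodedata

PBKDF2_ROUNDS = 2048      # fixed by BIP-39
VALID_ENTROPY_BITS = (128, 160, 192, 224, 256)


def entropy_to_indices(entropy: bytes) -> list[int]:
    """Append ENT/32 checksum bits (leading bits of SHA-256) and cut into 11-bit indices."""
    ent_bits = len(entropy) * 8
    if ent_bits not in VALID_ENTROPY_BITS:
        raise ValueError("entropy must be 128-256 bits in 32-bit steps")
    cs_bits = ent_bits // 32
    checksum = hashlib.sha256(entropy).digest()[0] >> (8 - cs_bits)
    combined = (int.from_bytes(entropy, "big") << cs_bits) | checksum
    total = ent_bits + cs_bits
    return [(combined >> (total - 11 * (i + 1))) & 0x7FF for i in range(total // 11)]


def indices_to_entropy(indices: list[int]) -> bytes:
    """Inverse of entropy_to_indices; rejects a phrase whose checksum does not match.
    Limit: a wrong word still passes with probability 2**-cs_bits (1/16 for 12 words,
    1/256 for 24), so the checksum is a transcription aid, not a proof."""
    n = len(indices)
    if n not in (12, 15, 18, 21, 24) or any(not 0 <= i < 2048 for i in indices):
        raise ValueError("need 12/15/18/21/24 indices in the range 0..2047")
    cs_bits = n * 11 // 33
    combined = 0
    for i in indices:
        combined = (combined << 11) | i
    entropy = (combined >> cs_bits).to_bytes((n * 11 - cs_bits) // 8, "big")
    expected = hashlib.sha256(entropy).digest()[0] >> (8 - cs_bits)
    if combined & ((1 << cs_bits) - 1) != expected:
        raise ValueError("checksum mismatch: a word is wrong or out of order")
    return entropy


def load_wordlist(path: str = "english.txt") -> list[str]:
    """Read the BIP-39 English list (2048 lines). The path is an assumption of this example."""
    with open(path, encoding="utf-8") as fh:
        words = [w.strip() for w in fh if w.strip()]
    if len(words) != 2048:
        raise ValueError("word list must contain exactly 2048 words")
    return words


def mnemonic_from_entropy(entropy: bytes, wordlist: list[str]) -> str:
    return " ".join(wordlist[i] for i in entropy_to_indices(entropy))


def entropy_from_mnemonic(mnemonic: str, wordlist: list[str]) -> bytes:
    lookup = {w: i for i, w in enumerate(wordlist)}
    words = unicodedata.normalize("NFKD", mnemonic).split()
    unknown = [w for w in words if w not in lookup]
    if unknown:
        raise ValueError(f"not in word list: {unknown}")
    return indices_to_entropy([lookup[w] for w in words])


def mnemonic_to_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """PBKDF2-HMAC-SHA512, 2048 rounds, salt = 'mnemonic' + passphrase, both NFKD-normalised.
    Every passphrase yields a valid 64-byte seed; a typo just opens a different, empty wallet."""
    m = unicodedata.normalize("NFKD", mnemonic).encode("utf-8")
    salt = unicodedata.normalize("NFKD", "mnemonic" + passphrase).encode("utf-8")
    return hashlib.pbkdf2_hmac("sha512", m, salt, PBKDF2_ROUNDS, dklen=64)


def bip32_master_key(seed: bytes) -> tuple[bytes, bytes]:
    """BIP-32 root: HMAC-SHA512 keyed with 'Bitcoin seed'. Left 32 bytes = master private
    key, right 32 bytes = chain code; BIP-44 paths (m/44'/0'/0'/...) hang below it."""
    digest = hmac.new(b"Bitcoin seed", seed, hashlib.sha512).digest()
    return digest[:32], digest[32:]


# First entry of the BIP-39 reference vectors (python-mnemonic vectors.json):
# all-zero 128-bit entropy -> "abandon" x 11 + "about", passphrase "TREZOR".
VECTOR_MNEMONIC = " ".join(["abandon"] * 11 + ["about"])
VECTOR_SEED_HEX = ("c55257c360c07c72029aebc1b53c05ed0362ada38ead3e3e9efa3708e5349553"
                   "1f09a6987599d18264c1e1c92f2cf141630c7a3c4ab7c81b2f001698e7463b04")


def self_check() -> bool:
    """True if this implementation reproduces the reference vector."""
    return (entropy_to_indices(bytes(16)) == [0] * 11 + [3]
            and mnemonic_to_seed(VECTOR_MNEMONIC, "TREZOR").hex() == VECTOR_SEED_HEX)


if __name__ == "__main__":
    ent = secrets.token_bytes(32)                      # 256 bits -> 24 words
    idx = entropy_to_indices(ent)
    print("24 word indices:", idx, "| round trip ok:", indices_to_entropy(idx) == ent)
    print("reference vector ok:", self_check())
    a = mnemonic_to_seed(VECTOR_MNEMONIC, "TREZOR")
    b = mnemonic_to_seed(VECTOR_MNEMONIC, "trezor")    # only the case differs
    print("different passphrase case -> different wallet:", a != b)
    key, chain = bip32_master_key(a)
    print("master key:", key.hex()[:16] + "...", "chain code:", chain.hex()[:16] + "...")
```

Two things to take from running it: `indices_to_entropy()` is the only place a mistake can be caught, and only with the small checksum; `mnemonic_to_seed()` accepts any passphrase, so "TREZOR", "trezor" and " TREZOR" are three different wallets with no way to tell which one is yours except by looking for your coins.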


Security risks and best practices

Never store your seed phrase digitally: no photos, screenshots, text files, notes apps or cloud backups. Anything that touches a phone or computer can be synced, backed up and read by malware without you noticing. Store the phrase physically instead, ideally on a durable carrier such as stamped or engraved metal that survives fire and corrosion.

Make more than one copy and keep them in separate locations far enough apart that a single event (fire, flood, burglary) cannot destroy them all, for example one in a safe at home and one elsewhere with a trusted relative. Never share the phrase: anyone who knows it has full control over your coins.

After creating a backup, test it by restoring into a separate wallet (without deleting the existing one) to confirm that the copy is complete and in the right order. Be vigilant against phishing: rogue wallet software, browser extensions and websites try to get you to enter the phrase. A legitimate wallet asks for it only once, during initial setup or a restore, never during normal use, updates or "verification", and a hardware wallet never needs it typed into a computer at all. If you also use a BIP-39 passphrase, treat it as a second, equally sensitive secret and store it separately from the seed phrase; recovery needs both.


Tip

Do not use a safe deposit box. In the future, there is a risk that you will be denied access, the safe deposit box will be confiscated or - as has already happened in several cases - safe deposit boxes will be looted.


Common mistakes that lead to loss

Most losses are easily avoidable. Many users store their seed phrase insecurely, digitally, as a photo or as an unencrypted file, and so expose it to theft. Transcription mistakes when writing the phrase down, or typing errors when restoring it, also lock people out of their funds. Forgetting or losing an optional passphrase usually makes recovery impossible, so it must be stored separately and just as securely. Distrust unreliable wallets and hardware with untested or manipulated firmware, since such devices may contain vulnerabilities or backdoors. Finally, handing the seed phrase to third parties or entering it on an insecure machine regularly ends in compromised accounts: anyone who knows the phrase has full access.


Seed phrase and hardware wallets

Hardware wallets (BitBox, Trezor, etc.) generate the seed phrase offline, keep the private keys inside the device (in a secure element or encrypted storage) and sign transactions internally, so the keys never leave it. They add protection mechanisms such as a PIN, signed firmware and a small attack surface against malware on the connected computer. The seed phrase shown at setup is the only copy of the secret that exists outside the device, so the same backup and security rules apply to it; typing it into a computer or phone to "verify" it defeats the purpose of the device.


24 words in steel, passphrase separated

The safest practical basic rule is to stamp the complete 24-word BIP-39 seed phrase permanently into steel and store that plate in a safe place. Steel resists fire, water and decay far better than paper and reduces the risk that a single event destroys your backup. Never keep the optional passphrase (the "25th word") together with the stamped seed phrase. Store it separately, for example in a reputable, locally encrypted password manager with a strong master passphrase, or physically in a sealed envelope with a trusted person such as a close family member. This separation ensures that a burglary or fire does not expose both the seed and the passphrase at the same time.


Tip

Trezor Keep Metal: https://trezor.io/de/trezor-keep-metal-single-share

On Amazon with 24 words: https://amzn.eu/d/08XrVz2z


Recovery test checklist

Before you rely on your backups, carry out a recovery test:

  • Prepare an isolated, clean device: ideally an air-gapped laptop, or a freshly installed phone or computer with no wallet data or key remnants on it.
  • Either create a dedicated test seed and fund it with a small amount, or, if you test the real seed, work strictly from a copy of the physical backup in a controlled environment.
  • Start a new wallet instance, select the correct BIP-39 word-list language and enter the 12 or 24 words in exactly the order written down.
  • If you use a passphrase, enter it as well. A wrong passphrase produces no error; it silently opens a different, empty wallet. Character set, capitalisation and leading or trailing spaces are the usual sources of error.
  • Compare the first receiving address (or the wallet's master fingerprint) with your original wallet. If they differ, a word or the passphrase is wrong, even though the wallet accepted the phrase.
  • Synchronise the wallet, send a small amount to one of its receiving addresses and spend it back out, to verify that both receiving and signing work.
  • Note any problem that occurs (typos, wrong word list, passphrase errors) and correct your backup documentation.
  • Record the date, wallet software and version, device type and outcome.
  • Repeat the test at least once a year and after every change: new backups, moved backup locations or firmware updates.


Alternative concepts for secure storage

Multisignature (Multisig)

Holds your coins in a wallet that requires multiple signatures (e.g. 2-of-3: three keys, any two of which must sign). No single seed grants access on its own, and the loss of one backup is not catastrophic as long as the remaining keys and the wallet configuration (the descriptor with all cosigners' public keys) survive. Secure each key's seed separately on robust material in different locations, and keep a copy of the wallet configuration with each of them.


Shamir's Secret Sharing (SSS)

Splits the seed cryptographically into several shares, of which only a defined number is required for recovery (e.g. 5 shares, any 3 reconstruct the secret). Fewer than the threshold reveal nothing about the seed, which raises resistance to theft of a single share, but the shares need careful management, ideally on different media and in different locations. Use a standardised, verified implementation such as SLIP-39 (the Shamir backup built into some hardware wallets) rather than a home-made split.


Metal + safe combination

A combination of stamped steel and several fireproof safes offers physical protection against fire, water and burglary. For example, store one copy in your home safe and another at a second location; different locations reduce the risk of simultaneous loss. A bank safe deposit box is an option only if you accept the access and seizure risks described in the tip above.


Split backup with SSS instead of manual splitting

Avoid simple manual splitting of the words. Writing half of the phrase on each of two cards gives no redundancy at all (both halves are needed, so losing either loses everything), and the popular "2-of-3" variant that puts 16 of the 24 words on each of three cards leaves an attacker who finds one card only 8 words to guess, roughly 2^80 candidates after the checksum, a far thinner margin than the 256 bits the phrase was meant to provide. If you want to split the seed so that individual parts are worthless on their own, use SSS or another proven threshold scheme.


Passphrase + physical seed backup

Store the 24 words physically in steel, and the passphrase either in a locally encrypted password manager or as a sealed letter with a trusted person. This combination pairs physical robustness for the seed with convenient but secure handling of the passphrase.


Threat model analysis

Decide on your measures based on specific threat scenarios. Opportunistic theft (burglary) calls for physical robustness and geographical separation, i.e. steel plates in separate safes. Targeted attacks or insider threats are reduced by separating seed and passphrase, by multisig or by SSS, because a single compromised location does not grant access. Digital compromise (malware, phishing, cloud leaks) is prevented by never making digital copies, by using verified hardware wallets and by practising secure input procedures. Disasters such as fire or flooding require fireproof metal backups in different geographical locations. For government or forensic risks, the distribution principle (multisig with independent custodians) and legal advice are worthwhile; bear in mind that coercive measures raise complex legal issues. Finally, there are self-inflicted risks, such as forgetting the passphrase, typos and outdated firmware, which are minimised by regular testing, documented processes and redundancy. Weigh probability against damage: the larger the holding, the more protection is justified.


Multisig implementation

Multisig greatly changes the risk profile, but increases complexity. Basic principle: transactions require k out of n signatures (e.g. 2 out of 3). Architectures should combine different device types and storage locations, for example a hardware wallet at your home, a second key with a lawyer or trustee and a third in a vault or with a second trusted person. When setting up, use wallet software with multisig support (Electrum, Sparrow), generate the keys on separate, preferably air-gapped devices and physically secure each key's seed (steel, safe). Back up the wallet configuration (the descriptor containing all cosigners' public keys) alongside every key: without it the coins can neither be found nor spent, even with all seeds in hand. Test the reconstruction with exactly k signatures in a controlled environment. Planned maintenance: firmware updates only after checking compatibility, regular recovery tests and a documented procedure for the loss of a signer (e.g. replacement key, redistribution). Disadvantages include greater operational complexity, possibly higher fees and dependence on compatible software; for medium to large holdings, however, the security gain is usually worth the effort. For institutions, 3-of-5 or combined multisig with trustees is common; for private users, 2-of-3 is a pragmatic compromise.


Usability vs. security

The most secure solution is not always the most practical. Multisig and SSS offer strong security, but require understanding, coordination and regular maintenance; a technically sophisticated method is of little use if no one can perform the recovery without errors. For beginners and small amounts, the workable combination of 24 words in metal plus a separate passphrase is often sufficient - it is easy to understand, testable and robust against most risks. For higher values, a step-by-step approach is recommended: first physical metal backups and separate passphrase, then add multisig or SSS. Choose a solution that you can test regularly, document and hand over to heirs in a traceable manner in an emergency. Think about usability: clear instructions, labeled backup containers (without secret contents), and a realistic assessment of who can carry out the restoration in an emergency.


Emergency protocol for heirs

Plan a clear, legally compliant emergency protocol. Document where backups are located and who should be notified in what order in a separate, securely stored place (e.g. with the will at the notary or in a sealed deposit) without recording the actual secret data. Use sealed envelopes or locked files with instructions: which documents (death certificate, power of attorney) are required, which person(s) are to be notified and how the technical restoration is to be carried out. Combine physical pointers (e.g. a notice to the attorney) with technical pointers (e.g. wallet type, location of the safe) without disclosing the seed or passphrase. Consider multisig constructions in which heirs must combine keys with each other and with a trustee; this allows an attorney to coordinate the release without having sole access. Have clear step-by-step instructions ready: identification of the storage location, contact information for trusted parties, recommended hardware and software, and an authorised recovery path. Have the protocol checked legally (notary, lawyer) and update it on relocation or when the people involved change.


Examples of errors from practice

Many losses are avoidable and follow typical patterns. A common case: Seed as a photo on the smartphone - after cloud sync or a hacked account, the words were compromised. Lesson: no digital copies. Another example: User with 24 words, but who had used a passphrase and never wrote it down - money irretrievably lost. Lesson: always document the passphrase securely and separately. In another case, the only copy was in the home safe; everything was lost in an apartment fire. Lesson: geographical distribution. In the case of manipulated devices, hardware with compromised firmware leaked seeds; as a result, several users fell victim to targeted attacks. Lesson: only verified devices, reputable supply chains and firmware verification. Finally, simple manual splits (halving words) failed during recovery - an SSS solution would have been necessary here. The lesson from every incident: document, test, diversify.


Concrete short solution for private users

Stamp the 24-word seed phrase into a robust metal plate and store the plate in a fireproof safe. Store the passphrase separately, encrypted in a reputable password manager or physically as a sealed letter with a trusted person (e.g. a parent or other close relative).


Optional

Supplement the solution with Multisig or SSS if you want greater redundancy and protection against individual points of failure.


Key management policies

The policy is aimed at companies and wealthy private individuals with significant holdings. It defines clear roles (asset owners, key custodians, recovery officers, multisig operators, auditors), segregation of duties, physical and digital safeguards and formalized recovery and audit processes. The aim is to prevent loss, theft and misuse through redundant, shared storage (e.g. multisig/SSS), regular tests, audits, change management and legally secure emergency/legacy regulations. But now in detail:


A clear key management policy defines how private keys, seed phrases (BIP-39) and optional passphrases are generated, backed up and restored in an emergency. The aim is to prevent loss, theft and misuse; the scope includes all physical and digital backups, multisig configurations, hardware wallets and the persons entrusted with custody and recovery.


The distribution of roles must be clear. The asset owner has overall responsibility for inventory management, security levels and transaction decisions. Key custodians physically store individual key copies or hardware wallets (e.g. in a home safe) and are responsible for secure storage, access documentation and regular recovery tests of their copy. A recovery officer coordinates recovery processes and maintains logs; this role should be independent of those who authorize daily transactions. Multisig operators manage multisig setups, take care of configuration and signature processes. Auditors - internal or external - check compliance and report to the asset owner. Designated emergency contacts or heir representatives receive documented instructions in the event of death or permanent loss of the asset owner, without automatically having access to the secret data.


Access control and segregation of duties are key security principles. The principle of least privilege ensures that only people with a specific need have access to seeds or passphrases; temporary access is limited in time and subject to logging. The separation of initiator and signatory (segregation of duties) prevents one person alone from initiating transactions and controlling the necessary signatures - particularly important for multisig. Physical access to safes or lockers should be linked to identity checks and every opening should be fully logged. All access, withdrawals or tests on backup copies are logged with details of who, when, why and, if possible, an accompanying person.


Secure storage combines physical and digital measures. Physically, 24-word seed phrases in stainless steel (stamped or etched) and multiple copies in geographically separated, fireproof locations such as home safes are recommended. Digital photos, cloud backups or unencrypted text files should be strictly avoided. The optional passphrase should always be stored separately from the seed, for example encrypted in a locally operated password manager with a strong master passphrase or as a sealed letter with a trusted person; never in the same place as the steel backup. For key generation and signatures, verified hardware wallets with verifiable firmware should be used; where possible, critical operations should take place on air-gapped devices. For large volumes, the use of multisig or Shamir's Secret Sharing (SSS) on verified implementations is also recommended, whereby parts or signatures are distributed to different custodians.


Recovery processes must be formal and documented. A written recovery plan describes step by step which documents (e.g. death certificate or power of attorney) and which persons are required, how backups are recovered and how seeds are reconstructed in a fresh wallet. Recovery tests must be carried out at least once a year and repeated immediately in the event of any significant change (new copies, change of location, firmware update). Test logs contain the date, participants, wallet software and firmware version used as well as the result; any errors and corrections that occur are documented in a traceable manner. Escalation paths regulate the procedure in the event of missing or damaged copies; replacement copies may only be created in accordance with a defined, secure procedure and ideally with witnesses.



The operation of multisig increases security, but also complexity. Multisig architectures should combine heterogeneous device types and storage locations - such as different hardware wallet manufacturers and geographically dispersed signers - to avoid single points of failure. The setup includes generating keys on separate devices, creating the multisig configuration and testing the reconstruction with the required number of signatures. Key rotations and replacement of failed signers must have formalized processes and be retested after each change. Disadvantages include increased administrative effort and potentially higher transaction costs; however, for medium to high volumes, the security benefits outweigh the additional effort.


Audits, monitoring and change management create revision security. Internal checks should take place every six months, external security audits at least once a year or in the event of structural changes such as a new multisig setup. Audit checkpoints include physical storage, logs, recovery test results, firmware status and role staffing. Continuous monitoring generates alerts for unauthorized safe openings or inventory discrepancies; inventory reconciliations occur at set intervals. Changes to storage locations, responsible parties, multisig configurations or passphrase storage require a written change request with risk assessment and approval, while historical inventories and logs are securely archived.


Training and awareness are crucial for practical maturity. All key custodians, recovery officers and selected heirs should receive regular training on secure procedures, phishing attack detection and recovery processes. Practical recovery drills under realistic conditions (without actually disclosing secrets) increase the ability to act correctly in an emergency.


Emergency and inheritance arrangements must be legally secured. File an index without secret data with the notary or lawyer, listing the locations of the backups, wallet types, names of those responsible and contact details. Combine legal instructions with technical mechanisms such as multisig so that heirs are only granted access after defined conditions have been met. Provide clear, secure instructions for heirs: Identification of the find, required documents, contact to technical support persons and the authorized recovery path.


Technically and organizationally, redundancy and diversification are essential: multiple copies in separate locations, but never all in one place; combination of different technologies (multiple hardware wallet vendors, multisig, SSS) and defined continuity plans for key custodian failure (death, abroad, incapacity) with clear replacement processes. Data protection principles require that personal information is not unnecessarily linked to the secrets; local legal requirements regarding inheritance law and safekeeping must be observed and, if necessary, legally reviewed.


For practical implementation, we recommend a written key management manual that documents roles, processes and emergency plans. Formally appoint asset owners, key custodians, recovery officers and auditors, carry out initial recovery tests and implement physical metal backups, verified hardware wallets and separate passphrase storage. Establish regular audits, training, drills and formal change management. This creates a traceable, verifiable and manageable level of security for the secure storage of Bitcoin.


Conclusion

The seed phrase is the central element of control over Bitcoin holdings: it enables recovery and full access, but at the same time represents a single point of failure. Careful physical security, the use of proven hardware and procedures such as multisig and optional passphrases reduce the risk of loss.


Glossary of technical terms:

Seedphrase / Mnemonic

A human-readable sequence of words used to derive all the private keys of a deterministic wallet.

BIP-39

The standard for generating and encoding seed phrases, including word lists and checksum mechanism.

Passphrase (BIP-39 Passphrase)

An optional, additional secret string mixed into the seed derivation; without it the original wallet cannot be recovered, and any other value silently yields a different, empty wallet.

Private key

The cryptographic key with which transactions are signed; derived from the seed.

Multisig (multisignature)

A wallet concept in which several keys are required to sign a transaction (k-of-n).

Shamir's Secret Sharing (SSS)

A cryptographic method that divides a secret into n parts, whereby only k parts are required for reconstruction.

Hardware wallet

A physical device that securely stores private keys and signs transactions, often with a PIN and optional passphrase.

Air-gapped

A device that is permanently or temporarily disconnected from the network to reduce digital attack surfaces.

Recovery/test wallet

A fresh wallet instance that is used to check whether the seed and passphrase are correct.


Disclaimer

The information presented in this article on Bitcoin custody methods - in particular the seed phrase and the use of a passphrase - is for informational and educational purposes only and does not constitute legal, tax or financial advice. It is not a substitute for individual advice from a qualified professional who is familiar with your personal situation.


We assume no liability for the completeness, accuracy or timeliness of the content. To the extent permitted by law, we accept no liability for damage or loss arising directly or indirectly from reliance on or use of the information described here (e.g. due to theft, incorrect operation, technical errors, loss of access data or damage to backup materials).


The use of specific products, manufacturer names or procedures is not to be understood as a recommendation. Please check the security features, guarantees and liability conditions of the respective providers yourself. Please also note that legal and tax regulations on cryptocurrencies vary from jurisdiction to jurisdiction and may change; please consult a lawyer or tax advisor for binding information.


The safekeeping of Bitcoin and the handling of seed phrases is at your own risk. Take appropriate precautions (physical security, secure storage, access restrictions, redundancy) according to your individual security needs.

---

#bitcoin

5 comments

Tip: You can simply tell them to me and I will keep them in confidence.
@DividendenWaschbaer You can also do it like this 😂😁
@DividendenWaschbaer You can also send me the bitcoins directly from the exchange; then you don't even have the stress of setting something up, and you save money on the HW.
How did you store your seed phrase? Do you have any additional tips or methods that I haven't mentioned that could be helpful? Feel free to share your experiences and advice here.
@innovaclustersolution don't give any information about it for security reasons, let's just say I find mine very creative 🧑‍🎹

I don't think anyone will say anything about it either; it would just be stupid to say how/where you got yours.