Seed Phrase Storage and Physical Security

Where you store your seed phrase backup is as important as what you store it on. Learn the physical threats to protect against and how to choose the right storage locations.

Once your seed phrase backup material is chosen, where you store it determines whether a fire, flood, or theft eliminates your only recovery path.

How to Store Your Seed Phrase covers the full picture, while Paper vs Metal Seed Phrase Backups covers why metal is the right choice for savings wallets.

What Physical Threats Does Seed Phrase Storage Need to Defend Against?

Evaluating how to store a seed phrase starts with the backup material itself. For a long-term savings wallet, the most durable option is steel. It survives fire at temperatures far above any residential structure fire and is impervious to water.

Seed phrase storage needs to defend against four main physical threats.

  • Fire. Steel survives fire well, so the risk is about access more than material. A fire that collapses a building can bury or trap a backup, leaving it unrecoverable even though the steel itself is intact. A second copy at a separate location removes this dependency entirely.

  • Flood. Water does not destroy a metal backup, but there is a risk of displacement. A flood can submerge or physically move a safe, putting the backup temporarily or permanently out of reach. A second copy at a geographically separate location means a local flood cannot become a permanent loss.

  • Theft. A stolen singlesig backup provides full access to funds in the absence of a passphrase. An attacker who finds the backup does not need the hardware wallet to steal all the funds. Theft resistance comes from a combination of physical security (a locked, bolted safe), concealment, and not disclosing the backup's location to people who do not need to know it.

  • Discovery. Someone finding the backup without specifically knowing what it is can still cause a problem if they know enough to recognise it. A backup labelled "Bitcoin seed phrase" in a desk drawer is a higher-risk placement than an unlabelled metal plate stored inside a locked safe. Contextual discretion is a meaningful layer of protection.

Any one of these threats, applied to a single storage location, can permanently end access to funds. Two copies at geographically separate locations is the minimum standard for a savings wallet.

Where Should I Store My Seed Phrase Backup?

Storage of your seed phrase backups depends on your setup. Singlesig and multisig wallets have different storage requirements, and the reasoning behind each is different.

Singlesig

With singlesig, your entire wallet is recoverable from a single seed phrase. A single backup at a single location is a single point of failure, so the minimum standard is two copies at two geographically separate locations. Having two copies does not protect against theft, since either copy provides full wallet access, but it protects against fire, flood, and physical loss at one location.

Primary location (home). A combination or key safe bolted to a wall or floor provides strong theft resistance. A safe with a fire rating adds an additional layer on top of what the metal backup medium already provides, though a correctly executed metal backup will survive a residential fire even in an unrated safe. A well-hidden location without a safe is a lower-cost option, but one that trades theft resistance for concealment. The right choice depends on the physical setup of your home.

Secondary location (off-site). A bank safety deposit box provides great physical security. The bank building provides fire and flood protection beyond what a home location typically offers, and access requires physical presence. Its limitations include business hours, the possibility of closure with limited notice, and complications for heirs. A secured location at a trusted family member's home is an alternative, with physical security that depends on their setup rather than institutional infrastructure. A second property is another option.

Location type | Fire mitigation | Flood mitigation | Theft resistance | Institutional risk | Access constraints
--- | --- | --- | --- | --- | ---
Home safe (bolted) | Moderate (if rated) | Moderate | High | None | Immediate
Home fireproof box | High (if rated) | Moderate | Low (portable) | None | Immediate
Bank safety deposit box | High | High | High | Low but real | Business hours only
Trusted off-site (family/friend) | Variable | Variable | Variable | None | Requires contact
Commercial vault | High | High | High | Low | Scheduled access

The combination of a home safe and a safety deposit box covers the gaps that each option leaves. The home copy provides immediate access and no institutional dependency. The off-site copy survives home-specific disasters.

One rule applies regardless of which combination you choose. Do not store the hardware wallet and its seed backup at the same location. If both are in the same place, a single theft event takes both simultaneously.

Multisig

With multisig, each signing device has its own seed phrase, and each needs its own storage decisions. The difference from singlesig is that the quorum structure itself provides the redundancy that backup copies provide in singlesig. For a 2-of-3 setup with each seed phrase stored at its own separate location, you can lose any one location entirely and still have enough backups to reconstruct a signing quorum. One copy per seed phrase at one location is therefore the standard recommendation for multisig, rather than two copies each.

The critical constraint is that no single location should hold more than one seed phrase from the same multisig set. If one location held two of the three seed phrases in a 2-of-3 setup, anyone who accessed that location would have a signing quorum and effective control over the wallet. Strict geographic separation between all seed phrase backups is what keeps the quorum structure working as a security property.

Additional options include a trusted family member's home, a second property, or a commercial storage facility.
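The singlesig and multisig placement rules above can be checked mechanically. The following is an added example, not part of the original article: it audits a storage plan for any m-of-n wallet against the two failure modes the article describes, theft at one location and total loss of one location. The function name, location names and seed labels are illustrative assumptions, and the model assumes no passphrase is in use.

```python
def audit_plan(m, placements):
    """Audit a backup plan for an m-of-n wallet (singlesig is m=1 with one seed).

    placements maps a location name to the set of seed phrase labels stored
    there. Returns the locations where one theft exposes a signing quorum and
    the locations whose loss (fire, flood) leaves fewer than m seed phrases.
    """
    theft_exposed, loss_fatal = [], []
    for loc, seeds in placements.items():
        # Theft or discovery: everything at this one location is exposed together.
        if len(set(seeds)) >= m:
            theft_exposed.append(loc)
        # Fire or flood: this location is gone; count distinct seeds elsewhere.
        survivors = set()
        for other, other_seeds in placements.items():
            if other != loc:
                survivors |= set(other_seeds)
        if len(survivors) < m:
            loss_fatal.append(loc)
    return {"theft_exposed": sorted(theft_exposed),
            "loss_fatal": sorted(loss_fatal)}


# Constructed sample plans (labels are placeholders, never real seed words).
SINGLESIG_ONE_COPY = {"home safe": {"seed"}}
SINGLESIG_TWO_COPIES = {"home safe": {"seed"}, "deposit box": {"seed"}}
MULTISIG_SEPARATED = {"home safe": {"A"}, "deposit box": {"B"},
                      "family home": {"C"}}
MULTISIG_COLOCATED = {"home safe": {"A", "B"}, "deposit box": {"C"}}

if __name__ == "__main__":
    plans = [
        ("singlesig, one copy", 1, SINGLESIG_ONE_COPY),
        ("singlesig, two copies", 1, SINGLESIG_TWO_COPIES),
        ("2-of-3, one seed per location", 2, MULTISIG_SEPARATED),
        ("2-of-3, two seeds in one safe", 2, MULTISIG_COLOCATED),
    ]
    for name, m, plan in plans:
        print(f"{name}: {audit_plan(m, plan)}")
```

A second singlesig copy clears the loss finding but leaves both locations theft-exposed, while the separated 2-of-3 plan clears both findings with one copy per seed phrase.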

What is the Role of Anonymity in Physical Security?

The most effective protection against being physically targeted for bitcoin holdings is simply avoiding disclosing that you hold bitcoin. Physical coercion directed at bitcoin holders is targeted, not opportunistic.

Victims are typically identified through public posts about holdings, hardware wallet photos on social media, known involvement in Bitcoin events or companies, or data exposed in breaches. The Ledger customer database breach in 2020 exposed approximately 270,000 records including home addresses, providing a direct example of how a purchase record alone creates targeting exposure.

The primary mitigation is operational security, or OPSEC: do not post about holdings publicly, do not confirm or deny the amount you hold when asked, and do not photograph hardware wallets in identifiable locations.

Secondary technical mitigations are more detailed and nuanced. A "duress wallet" is a separate wallet with a small plausible balance that provides a credible response to physical coercion without revealing the location of the main funds.

Coldcard's trick PIN feature implements this directly, creating a separate wallet that loads when a specific PIN is entered under duress. A passphrase adds a second factor to the seed phrase, so that even a discovered backup does not provide access without it. Multisig distributes signing authority across multiple keys, making single-point coercion less effective. Anonymity remains the primary defence.

For more on the threat landscape, Bitcoin Self-Custody and Your Threat Model covers the full threat taxonomy. For the passphrase and multisig options, see What is a Bitcoin Passphrase? and What is Bitcoin Multisig?.

How Should I Maintain Physical Security Over Time?

Physical security is not a one-time setup. Storage locations change and backups may be misplaced or become inaccessible. The people who know where your backups are may no longer be the right people to have that knowledge. Annual verification is the minimum maintenance habit.

  • Verify that backups are readable. Once per year, inspect each physical backup. For metal, confirm that the characters are legible and that no corrosion or physical damage has occurred. For paper, confirm that the ink has not faded and that the medium is still intact. A word that cannot be read during recovery is a failed recovery.

  • Verify that the backup generates the correct wallet. Checking legibility is not the same as verifying accuracy. Each year, confirm that the backup generates the correct receive address. The simplest approach is a full recovery test: wipe the device, restore from the written backup, confirm the same address is generated. How to Store Your Seed Phrase covers the full step-by-step test sequence.

  • Confirm that off-site access is still intact. A safety deposit box may have been subject to a bank policy change. A trusted person's address or circumstances may have changed. A second property may have had boxes and storage rearranged. The off-site copy only provides protection if it remains accessible when needed.

  • Review who knows where the backups are. If something happened to you today, could a trusted person locate and use the backup to recover the funds? This is where physical security planning meets inheritance planning. The backup needs to be findable by the right people under the right circumstances. Bitcoin Inheritance Planning covers how to structure that access without compromising security.

The backup system works when it is both secure and accessible to the right person at the right time. Annual verification is what keeps those two requirements in balance.
