BACKUP FIRST

A backup is not real until recovery works.

Don't discover a bad backup after loss. Write the seed, make it durable, and test recovery while the wallet is still tiny.

What to back up

Seed words

The BIP-39 seed restores the wallet. Store it offline, clearly, and preferably on metal. Anyone with the words can spend.

Passphrase, if used

A passphrase creates a different wallet. Forget it and the funds are gone. Record the wallet fingerprint so you can verify you typed it correctly.

Wallet descriptor

For multisig, back up the descriptor. Seeds alone are not enough to reconstruct the wallet policy, cosigner order, paths, and quorum.

Backup options

OptionUse it forDo not confuse it with
Written seedCapturing words during setup.Long-term durability if it stays on paper.
Metal seed backupFire- and water-resistant long-term storage.A complete plan by itself; location and access still matter.
Encrypted MicroSD backupRestoring COLDCARD settings, Trick PINs, multisig registrations, and device state.Your seed words. It only restores on COLDCARD.
SeedXORSplitting seed storage across locations.Threshold multisig. SeedXOR is N-of-N; lose one part and you lose the seed.
Multisig descriptorReconstructing a multisig wallet.A spending secret. It is public key data, but you still need it.

Recovery drill

  1. Fund only a small test amount.

    Keep the first deposit tiny until recovery works.

  2. Restore from the backup.

    Use a spare or wiped device if possible. If you use a passphrase, restore with the passphrase and verify the wallet fingerprint.

  3. Compare receive addresses.

    The restored wallet should show the same first addresses as the original wallet export.

  4. Sign and broadcast a small spend.

    Do a complete PSBT round trip. You have not tested recovery until the restored wallet can spend.

Device rules do not protect a copied seed.

Trick PINs, spending policy, and HSM rules can restrict a COLDCARD device. If someone gets the seed and any passphrase, they can restore elsewhere and bypass device-side rules. Keep durable backups away from day-to-day signing setups.