Why Self-Custody Matters for Advisory Clients
In Module 6, you saw how exchange custody introduces counterparty risk — FTX being the starkest example. Self-custody eliminates that risk entirely. For clients with meaningful Bitcoin allocations, the question is not whether to move toward self-custody, but when and how.
The Core Principle: Key Ownership = Bitcoin Ownership
Bitcoin ownership is defined by who controls the private keys. There is no institution to call, no account recovery form, and no customer support line. Whoever holds the keys can spend the Bitcoin.
- Public key: Like a bank account number — safe to share for receiving payments
- Private key: Like the vault combination — never share, never photograph, never type into a website
- Seed phrase (BIP39): 12 or 24 words that regenerate all keys — the master backup for the entire wallet
When to Recommend Self-Custody
Use these allocation thresholds as a starting framework:
- Under $50K: ETF or exchange custody acceptable while client builds understanding
- $50K–$250K: Hardware wallet self-custody strongly recommended; schedule a guided setup session
- $250K–$1M: Hardware wallet with geographic backup separation; begin discussing multisig (Module 8)
- Over $1M: Collaborative multisig custody recommended — no single point of failure
Hardware Wallet Landscape
A hardware wallet stores private keys offline on a dedicated device. Transactions are signed on the device itself, so keys never touch an internet-connected machine.
Trezor
Models: Safe 3 / Safe 5
Open source: Full firmware
Air-gapped: No (USB)
Secure element: Yes (Safe 3+)
Best for: Transparency-focused clients
Coldcard
Models: Mk4 / Q
Open source: Full firmware
Air-gapped: Yes (MicroSD)
Secure element: Dual
Best for: Security-maximalist clients
Ledger
Models: Nano S+ / Nano X / Stax
Open source: Partial (app layer)
Air-gapped: No (USB/BT)
Secure element: Yes
Best for: Broad asset support
Foundation Passport
Models: Batch 2
Open source: Full firmware
Air-gapped: Yes (QR + MicroSD)
Secure element: Yes
Best for: UX + security balance
Key Selection Criteria for Advisors
- Open-source firmware: Allows independent security audits. Coldcard, Trezor, and Passport are fully open. Ledger's secure element firmware is closed.
- Air-gapped operation: Devices that never connect to a computer (signing via QR codes or MicroSD) reduce attack surface significantly.
- Secure element: Tamper-resistant chip protecting keys even if the device is physically stolen.
- Supply chain: Always buy direct from the manufacturer. Never secondhand or from third-party marketplaces.
- Multisig compatibility: If the client may graduate to multisig, choose a device that supports PSBT (Partially Signed Bitcoin Transactions).
The Setup Process: What Advisors Must Know
You do not need to perform the setup for clients — and should not hold their seed phrase. But you need to understand every step well enough to guide them confidently.
Step-by-Step Setup
- Verify authenticity. Check tamper-evident packaging. Verify firmware signature. If anything looks pre-configured, do not use it.
- Initialize the device. Set a PIN (6+ digits). The device generates a new seed phrase using its internal random number generator.
- Record the seed phrase. Write 12 or 24 words on the provided card — or stamp them into a steel plate. Never type the seed into any digital device.
- Verify the seed. The device asks you to confirm specific words. This ensures the backup was recorded correctly.
- Test with a small amount. Deposit a small amount. Wipe the device. Recover from the seed phrase. Confirm the balance reappears. This proves the backup works.
- Store seed backup separately. Different physical location from the hardware wallet. Fireproof safe, bank safety deposit box, or trusted person's secure location.
Backup Strategies
Backup Materials
- Paper: Low cost, but vulnerable to water, fire, and fading. Acceptable only as a temporary backup.
- Steel plates (stamped/engraved): Survive fire, flood, and physical damage. Cryptosteel, Billfodl, SeedPlate. Recommended for all clients.
- Shamir's Secret Sharing: Seed split into multiple shares, of which any threshold number can reconstruct it (e.g., 2-of-3). Eliminates single-point backup risk.
Geographic Separation
The seed backup must never be stored with the hardware wallet. A single fire, theft, or flood should not destroy both.
- Minimum: Seed in a separate building (bank safety deposit box)
- Better: Seed split across two locations (home safe + trusted family member)
- Best: Multisig eliminates single-seed risk entirely (Module 8)
Optional Passphrase ("25th Word")
An optional passphrase creates a separate wallet from the same seed phrase, adding plausible deniability and protection against physical coercion.
- Benefit: Even if the seed is compromised, the passphrase-protected wallet remains hidden
- Risk: Forgotten passphrase = permanently lost funds. No recovery possible.
- Recommendation: Only for clients who can reliably store both seed and passphrase in separate secure locations
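How the passphrase enters key derivation under BIP39, as an added example that is not part of the course material: the passphrase is mixed into the PBKDF2 salt, so every string, including a mistyped one, yields a valid but unrelated wallet and no error is ever raised. Function names and the sample passphrase are assumptions; the mnemonic is the public BIP39 test vector.

```python
import hashlib
import unicodedata

def bip39_seed(mnemonic, passphrase=""):
    """BIP39 seed derivation: PBKDF2-HMAC-SHA512, 2048 iterations, 64 bytes.
    The passphrase is only appended to the salt; nothing checks whether it
    is the 'right' one."""
    nfkd = lambda s: unicodedata.normalize("NFKD", s).encode("utf-8")
    return hashlib.pbkdf2_hmac("sha512", nfkd(mnemonic),
                               nfkd("mnemonic" + passphrase), 2048, dklen=64)

def bits_changed(a, b):
    """Hamming distance between two equal-length seeds."""
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))

def near_misses(mnemonic, intended, attempts):
    """Bits (of 512) by which each attempted passphrase's seed differs from
    the intended one. Roughly 256 means 'an unrelated wallet'."""
    target = bip39_seed(mnemonic, intended)
    return {a: bits_changed(target, bip39_seed(mnemonic, a)) for a in attempts}

# Public BIP39 test-vector mnemonic and a constructed passphrase; sample
# input only, never a real wallet.
TEST_MNEMONIC = "abandon " * 11 + "about"
INTENDED = "correct horse 2024"

if __name__ == "__main__":
    print(bip39_seed(TEST_MNEMONIC).hex()[:16], "(no passphrase)")
    for attempt, bits in near_misses(
            TEST_MNEMONIC, INTENDED,
            ["Correct horse 2024", "correct horse 2024 ", "correcthorse2024"]).items():
        print(repr(attempt), "->", bits, "of 512 bits differ")
```

A changed capital letter or a trailing space moves about half of the seed's bits, which is why the passphrase backup has to be recorded character for character.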
Critical Mistakes That Lose Bitcoin Permanently
- Photographing or digitally storing the seed phrase. If it touches the internet — photo, email, cloud note, password manager — it is compromised.
- Not testing the backup. A seed phrase recorded with one wrong word is worthless. Always test recovery before depositing significant funds.
- Buying hardware wallets from unofficial sources. Pre-loaded devices with attacker-generated seeds are a known vector.
- Storing seed and device together. A single theft or disaster loses everything.
- No inheritance plan. If the client dies and no one can access the seed, the Bitcoin is permanently lost. Covered in Module 10.
Advisor Exercise: Guided Setup Walkthrough
Time: 45 minutes
Scenario: Your client, a 52-year-old physician, holds $180,000 in Bitcoin on Coinbase. She wants to move to self-custody but is nervous about making a mistake.
Your Task:
- Device selection: Which hardware wallet would you recommend? Why? Consider her technical comfort level.
- Pre-session prep: What should the client purchase or prepare before your guided session?
- Setup guidance: Walk through each step. At what point do you leave the room or turn away? (Seed phrase generation.)
- Backup plan: Design a specific backup strategy. Where does the steel plate go? Who else knows it exists?
- Migration plan: Move $180K from Coinbase — all at once or in tranches? What does the first test transaction look like?
- Follow-up: What do you check at 30 days? 90 days?
Discussion: Should Advisors Ever Touch Client Keys?
- Argument for hands-on help: Reduces client errors. Some clients struggle with technical steps.
- Argument against: Creates liability. If Bitcoin is later lost, the advisor is a suspect. Violates "your keys, your Bitcoin." Regulatory risk.
- Best practice: Guide verbally. Screen-share for software. Leave the room during seed generation. Document in writing that you never saw the seed phrase.
Group question: Where do you draw the line between helpfulness and liability in your practice?
Key Takeaways
- Self-custody eliminates counterparty risk — the most significant operational risk in Bitcoin ownership
- Hardware wallets keep private keys offline and are the standard tool for self-custody
- The seed phrase backup is the most critical step — and the most common point of failure
- Advisors should guide the process but never handle client keys or seed phrases
- Every setup must include a tested backup and a plan for inheritance access (Module 10)
- For allocations above $250K, consider graduating to collaborative multisig (next module)