Bitcoin Backup Strategies Compared: Seed, Metal, Shamir
Compare Bitcoin backup methods: paper seed phrases, metal backups, Shamir Secret Sharing (SLIP39), encrypted digital backups, and multisig recovery.
Bitcoin Backup Methods Overview
Losing access to a seed phrase means losing access to your bitcoin permanently. Chainalysis estimates that roughly 3.7 million BTC are permanently inaccessible, much of it due to lost or damaged backups. Choosing the right backup strategy is one of the most consequential decisions in self-custody.
Five main approaches exist: paper seed phrases, metal backups, Shamir Secret Sharing (SLIP39), encrypted digital backups, and multisig-based recovery. Each involves different tradeoffs between durability, security, cost, and complexity. The following table provides a high-level comparison.
| Method | Durability | Security | Cost | Complexity | Single Point of Failure |
|---|---|---|---|---|---|
| Paper (BIP39) | Low | Moderate | Free | Low | Yes |
| Metal plates/capsules | Very high | Moderate | $49 to $149 | Low | Yes |
| Shamir (SLIP39) | Depends on medium | High | Free (software) + storage | High | No |
| Encrypted digital | Medium | High (if done right) | $0 to $50 | Medium | Often yes |
| Multisig recovery | Depends on medium | Very high | $120 to $2,100/year | Very high | No |
For a broader overview of custody models, see our Bitcoin custody solutions comparison and the self-custody vs. custodial guide.
Paper Seed Phrases (BIP39)
The BIP39 standard generates a mnemonic phrase of 12 or 24 words from a list of 2,048 English words. A 12-word phrase provides 128 bits of entropy; a 24-word phrase provides 256 bits. The first four letters of every word in the list are unique, allowing unambiguous identification from a partial record.
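The 128-bit and 256-bit figures above come from BIP39's bit layout: the entropy is followed by a short checksum (the first bits of its SHA-256 hash) and the result is cut into 11-bit word-list indices. The sketch below is an added example, not code from this page or from any wallet; it works on indices rather than words because the 2,048-word list is not embedded, and the function names are illustrative.

```python
import hashlib

def entropy_to_indices(entropy: bytes) -> list:
    """Map 16 or 32 bytes of entropy to 12 or 24 word-list indices (0..2047)."""
    if len(entropy) not in (16, 32):
        raise ValueError("this sketch handles 128- or 256-bit entropy only")
    ent_bits = len(entropy) * 8
    cs_bits = ent_bits // 32                      # 4 or 8 checksum bits
    checksum = hashlib.sha256(entropy).digest()[0] >> (8 - cs_bits)
    bits = (int.from_bytes(entropy, "big") << cs_bits) | checksum
    n_words = (ent_bits + cs_bits) // 11          # 132/11 = 12, 264/11 = 24
    return [(bits >> (11 * (n_words - 1 - i))) & 0x7FF for i in range(n_words)]

def indices_valid(indices: list) -> bool:
    """Recompute the checksum from transcribed indices.

    False means the record is malformed or a word was copied incorrectly.
    """
    if len(indices) not in (12, 24):
        return False
    if any(not 0 <= i < 2048 for i in indices):
        return False
    bits = 0
    for i in indices:
        bits = (bits << 11) | i
    total_bits = len(indices) * 11
    cs_bits = total_bits // 33                    # 4 for 12 words, 8 for 24
    entropy = (bits >> cs_bits).to_bytes((total_bits - cs_bits) // 8, "big")
    return entropy_to_indices(entropy) == list(indices)
```

Because the final word carries the checksum, a backup that fails this check was recorded incorrectly, which is one reason to test a restore before relying on the record.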
Paper is the default backup medium for most wallets. You write the words down during wallet setup and store the paper somewhere safe. The approach is free, requires no special tools, and is universally compatible across HD wallets that follow standard derivation paths (BIP44, BIP49, BIP84, BIP86).
The weakness is durability. Paper degrades over time, is destroyed by fire and water, and can be accidentally discarded. James Howells famously lost access to roughly 7,500 BTC when a hard drive was thrown into a landfill in 2013. Paper also offers no protection against physical theft: anyone who finds your seed phrase controls your funds.
Adding a BIP39 passphrase (sometimes called the "25th word") provides an additional layer of protection. The passphrase acts as a second factor: even if someone finds your seed words, they cannot access your funds without the passphrase. The tradeoff is that you now have two secrets to back up, and losing the passphrase is just as catastrophic as losing the seed.
Metal Seed Storage
Metal backups solve the durability problem by engraving or stamping seed words onto stainless steel or titanium. These devices survive fire, flooding, and physical impact that would destroy paper. Jameson Lopp has conducted six rounds of stress tests on 75+ metal storage products, subjecting them to 2,000°F direct flame, hydrochloric acid submersion, and 20-ton hydraulic press crushing.
50 of 75 tested devices received an "A" grade, passing all three tests with data intact. Products range from $13 to $350, and price does not strongly correlate with durability. The full results are available at Lopp's metal storage review site.
| Product | Material | Design | Price | Heat Rating | Lopp Grade |
|---|---|---|---|---|---|
| BlockPlate | 304 stainless (12-gauge) | Center-punch dots | ~$65 | 1,150°C | A |
| Cryptosteel Capsule | 303/304 stainless | Sliding character tiles | ~$99 to $115 | 1,400°C | A |
| Billfodl | 316 marine-grade stainless | Sliding character tiles | ~$99 | 1,400°C | A |
| CryptoTag Zeus | Titanium | Number punching | ~$149 | 1,665°C | A |
| Coldcard SEEDPLATE | 304 stainless (2mm) | Center-punch | ~$49 | 1,400°C | A |
| Bitplate Domino | Stainless steel | Grid punch | ~$69 | 1,400°C | A |
Single-plate punch systems (BlockPlate, SEEDPLATE, Bitplate) have no moving parts, which makes them more resilient in extreme scenarios. Tile-based systems (Cryptosteel, Billfodl) are easier to set up but risk tile displacement under severe physical stress. Both designs passed Lopp's tests, though punch-based designs tend to be cheaper and simpler.
Metal backups share the same fundamental limitation as paper: they are a single physical object. If someone finds your metal plate, they have your seed. Combining a metal backup with a BIP39 passphrase stored separately mitigates this risk.
Shamir Secret Sharing (SLIP39)
SLIP39 implements Shamir's Secret Sharing, a cryptographic algorithm that splits a secret into multiple shares with a configurable threshold. Common configurations include 2-of-3 and 3-of-5: you generate N total shares and require any K of them to reconstruct the original secret. Fewer than K shares reveal zero mathematical information about the secret.
SLIP39 was developed by SatoshiLabs (the Trezor team) and uses a separate word list of 1,024 words. Each share is typically 20 words long. A critical distinction: SLIP39 generates a different master secret than BIP39. They are not interchangeable, and you cannot convert SLIP39 shares back to a BIP39 mnemonic.
Wallet support remains the biggest limitation. Trezor Model T and Trezor Safe 3/5 support SLIP39 natively. Keystone added support in 2021. On the software side, Electrum, Sparrow, and BlueWallet can import SLIP39 shares for recovery. Most other signing devices and wallets do not support SLIP39, creating a potential lock-in risk.
The operational complexity is significant. You must distribute shares to separate physical locations, track which locations hold which shares, and ensure enough shares survive any single disaster. Users sometimes undermine the scheme by storing all shares together, which eliminates the security benefit entirely.
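The K-of-N threshold described in this section can be seen in a byte-wise Shamir split over GF(256). This is an added, simplified example and not SLIP39 itself or any wallet's code: it omits SLIP39's word encoding, checksums, passphrase encryption, and share groups, so its output must not be used as a real backup. The function names and the sample secret in the usage are constructed.

```python
import secrets

def gf_mul(a: int, b: int) -> int:
    """Multiply in GF(2^8) modulo x^8 + x^4 + x^3 + x + 1 (0x11B)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= 0x11B
        b >>= 1
    return r

def gf_inv(a: int) -> int:
    """Inverse as a^254, since a^255 == 1 for every non-zero a."""
    if a == 0:
        raise ZeroDivisionError("0 has no inverse in GF(256)")
    r = 1
    for _ in range(254):
        r = gf_mul(r, a)
    return r

def split(secret: bytes, k: int, n: int) -> dict:
    """Return n shares {x: bytes}; any k of them rebuild the secret."""
    if not 1 < k <= n <= 255:
        raise ValueError("need 2 <= k <= n <= 255")
    shares = {x: bytearray() for x in range(1, n + 1)}
    for byte in secret:
        # Fresh random polynomial of degree k-1; the secret byte is f(0).
        coeffs = [byte] + [secrets.randbelow(256) for _ in range(k - 1)]
        for x in shares:
            y = 0
            for c in reversed(coeffs):            # Horner evaluation at x
                y = gf_mul(y, x) ^ c
            shares[x].append(y)
    return {x: bytes(y) for x, y in shares.items()}

def recover(shares: dict) -> bytes:
    """Lagrange-interpolate every byte position at x = 0."""
    xs = list(shares)
    out = bytearray()
    for i in range(len(shares[xs[0]])):
        acc = 0
        for xj in xs:
            lam = 1
            for xm in (m for m in xs if m != xj):
                # Subtraction is XOR in GF(2^8): factor xm / (xm - xj)
                lam = gf_mul(lam, gf_mul(xm, gf_inv(xm ^ xj)))
            acc ^= gf_mul(shares[xj][i], lam)
        out.append(acc)
    return bytes(out)
```

Calling `recover` with fewer than K shares still returns bytes, but they are unrelated to the secret; nothing signals that the threshold was missed, which is why real schemes such as SLIP39 add integrity checks.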
Encrypted Digital Backups
Digital backups store the seed phrase in an encrypted file on a USB drive, local NAS, or cloud storage. When done correctly, the encryption renders the file useless without the decryption password.
Common approaches include:
- VeraCrypt or LUKS encrypted volumes on USB drives
- GPG or 7-Zip (AES-256) encrypted files uploaded to cloud storage
- Hardware-encrypted USB drives (IronKey, Apricorn)
- Offline KeePassXC databases on air-gapped machines
The security of digital backups depends entirely on the encryption password. This creates a recursive backup problem: you now need a secure way to store the password that decrypts your seed backup. Storing the password alongside the encrypted file defeats the purpose.
Hardware-encrypted drives introduce additional risk. Stefan Thomas famously lost access to 7,002 BTC stored on an IronKey drive that permanently wipes data after 10 failed password attempts. He has used 8 of his 10 attempts.
Digital backups work best as a secondary layer, not a primary backup. Encrypt the seed, store it in the cloud, and keep the decryption password on a metal plate in a separate physical location.
Multisig-Based Recovery
Multisig (multi-signature) wallets require M-of-N keys to authorize a transaction. A 2-of-3 configuration, for example, means you need any 2 of 3 keys to spend. If one key is lost or compromised, you can still access your funds with the remaining keys and rotate out the lost key.
This fundamentally changes the backup model: instead of protecting a single secret, you distribute multiple keys across devices and locations. No single key compromise results in fund loss. For a deep dive into the technical details, see our multisig wallets explainer and the multisig planner tool.
Several services simplify multisig setup:
- Casa: 2-of-3 ($250/year) or 3-of-5 ($2,100/year) with inheritance planning. You hold 2+ keys; Casa holds one recovery key.
- Unchained: 2-of-3 collaborative custody ($250/year per vault). You hold 2 keys; Unchained holds 1.
- Nunchuk: free DIY multisig up to assisted 3-of-5 ($2,100/year). Open source, with Taproot multisig support.
The tradeoff is complexity. Multisig wallets require backing up multiple keys AND the wallet configuration (xpubs, derivation paths, script type). Losing the configuration metadata can make recovery difficult even if you have all the keys. Nunchuk's BSMS (Bitcoin Signer Message Standard) files address this by packaging the full multisig configuration into a single encrypted backup file.
For users considering inheritance planning, multisig is often the foundation: you can give a trusted party one key without giving them the ability to spend unilaterally.
How to Choose a Backup Strategy
The right approach depends on the value being protected and your technical comfort level.
For small amounts (under $10,000): a paper seed phrase stored in a secure location is sufficient. Add a BIP39 passphrase for an extra layer of protection against physical discovery.
For moderate holdings ($10,000 to $100,000): upgrade to a metal backup. A $49 to $99 metal plate protects against fire, flood, and corrosion. Store it in a location separate from your signing device. Consider a passphrase stored in a second location.
For significant holdings ($100,000+): use multisig or SLIP39 to eliminate single points of failure. Services like Casa, Unchained, or Nunchuk reduce the operational burden. Store each key or share on its own metal plate in geographically separate locations.
For institutional or inheritance-critical holdings: use a 3-of-5 multisig with keys distributed across secure facilities, combined with a documented recovery procedure and key management policies. Consider a service with built-in inheritance workflows.
Note: Regardless of the strategy you choose, test recovery before relying on the backup. Create the backup, then attempt to restore from it on a separate device. A backup you have never tested is a backup you cannot trust.
Combining Strategies
Most experienced holders layer multiple approaches rather than relying on a single method. A common combination:
- Primary backup on a metal plate stored in a home safe
- Secondary backup on a second metal plate in a bank safe deposit box or trusted family member's location
- Encrypted digital backup in cloud storage, with the decryption password stored separately on metal
- BIP39 passphrase memorized and also recorded on a separate metal plate in a third location
For cold storage of larger amounts, replacing the single-sig seed with a multisig configuration provides the strongest protection. Each key gets its own metal backup stored in a different geographic location. Even if one location is compromised, the attacker cannot spend funds without reaching the threshold.
Threshold signature schemes like FROST offer an emerging alternative to traditional multisig, producing standard single-sig transactions on-chain while still requiring multiple signers. This reduces fees and improves privacy compared to script-based multisig.
Frequently Asked Questions
What is the best way to back up a Bitcoin seed phrase?
For most users, a metal backup (stainless steel or titanium plate) stored in a secure location is the best balance of durability, cost, and simplicity. Products like BlockPlate (~$65), Coldcard SEEDPLATE (~$49), and Billfodl (~$99) have all passed extreme stress tests including fire, acid, and crushing. Add a BIP39 passphrase stored separately for protection against physical theft. For holdings above $100,000, consider multisig to eliminate single points of failure.
What is Shamir Secret Sharing and how does SLIP39 work?
Shamir's Secret Sharing is a cryptographic algorithm that splits a secret into multiple shares with a threshold: for example, 2-of-3 means any 2 shares can reconstruct the secret, but 1 share reveals nothing. SLIP39 is the Bitcoin implementation developed by SatoshiLabs (Trezor). It uses a 1,024-word list and produces 20-word shares. SLIP39 is not compatible with BIP39: they use different word lists and generate different master secrets. Wallet support is currently limited to Trezor, Keystone, and a handful of software wallets.
Can metal seed storage survive a house fire?
Yes. Most quality metal backup devices are rated to withstand temperatures far exceeding a typical house fire (which reaches roughly 600°C / 1,100°F). Stainless steel melts at approximately 1,400°C to 1,530°C, and titanium at 1,665°C. In Jameson Lopp's stress tests, 50 out of 75 devices survived direct flame at 1,093°C for 10 minutes followed by water submersion (simulating firefighter response), with data fully intact.
Is it safe to store a seed phrase in a password manager?
Most security experts recommend against it. Password managers are designed for credentials you use frequently, not for high-value secrets that need to survive decades. They introduce a single master password as a point of failure, are typically connected to the internet, and may sync across devices in ways that expand your attack surface. An offline-only database (like KeePassXC on an air-gapped machine) is more defensible but still less durable than a metal backup.
How does multisig improve Bitcoin backup security?
Multisig eliminates the single point of failure inherent in standard backups. In a 2-of-3 setup, losing one key does not result in lost funds: you can recover with the remaining two keys and rotate out the compromised one. Similarly, an attacker who steals one key cannot spend your bitcoin. Services like Casa, Unchained, and Nunchuk simplify the setup. The tradeoff is operational complexity: you must back up multiple keys plus the wallet descriptor that defines the multisig configuration. See our multisig planner to evaluate configurations.
What happens if I lose my seed phrase?
If you lose your only copy of a seed phrase and have no other backup, the bitcoin controlled by that seed is permanently inaccessible. There is no recovery mechanism, no customer support, and no reset option. Chainalysis estimates approximately 3.7 million BTC are permanently lost, much of it due to lost or destroyed backups. This is why redundant backups in separate locations are critical for anyone practicing self-custody.
Should I split my seed phrase and store the halves separately?
No. Splitting a 24-word BIP39 phrase into two halves of 12 words each does not provide the security properties of Shamir Secret Sharing. Each half still contains significant information about the full key. An attacker with 12 of 24 words only needs to brute-force the remaining 12, which is computationally feasible. If you want split-share security, use SLIP39, which provides mathematically proven threshold properties, or use multisig with independently generated keys.
This tool is for informational purposes only and does not constitute financial advice. Product pricing and specifications are approximate and based on publicly available information as of mid-2026. Stress test results reference Jameson Lopp's published reviews. Always verify current product details and test your backup recovery procedure before relying on any backup strategy.
