How to store a bitcoin seed phrase in a safe deposit box

First published: 12/29/2022 | Last updated: 01/18/2023

With some bitcoin custody models, such as singlesig, your seed phrase is a single point of failure. In these cases, you shouldn’t store your backup where someone else could access it. With multisig, however, you can set up your security model such that a single backup will not allow anyone to spend funds—allowing you to choose trusted third parties to help secure seed phrases.

One place to store a bitcoin seed phrase is in a safe deposit box or private vault. Let’s take a closer look at how to do this and some factors you should consider in the process.

When should I use a safe deposit box?

There are near-infinite ways you can secure your bitcoin keys and nuances to each approach. No matter your approach, you shouldn’t use a safe deposit box to store a seed phrase in situations where that seed phrase could allow unauthorized persons to access and spend your funds. Conversely, you can use a safe deposit box or private vault when a seed phrase can’t unilaterally compromise your funds.

Situations where you shouldn’t use a safe deposit box

Singlesig

For singlesig, the risk is obvious: One rogue bank or private vault employee could snap a picture or copy down your seed phrase, restore that backup, and sweep your funds—causing them to be lost permanently.

Singlesig + passphrase

For singlesig with a passphrase, it’s also unwise in most cases to use a safe deposit box to store a seed phrase because a safe deposit box can expose you to the risk of confiscation. Confiscation of the only copy of a seed phrase or a passphrase can make your bitcoin permanently inaccessible to you, even if a malicious actor cannot steal your funds.

In some cases, it could be reasonable to use a safe deposit box or vault as a means of storing additional copies of a seed phrase or a passphrase, but if you’re considering this, you may want to consider using multisig. Remember that increasing redundancy when using singlesig with a passphrase also increases your attack surface.

Situations where you can use a safe deposit box

Multisig

Safe deposit boxes or private vaults are acceptable storage solutions for seed phrase backups for keys used to construct multisig wallets, provided that the multisig quorum you choose involves the right balance of redundancy and security. In the most common multisig quorum for securing long-term savings, 2-of-3, you can leave at least one seed phrase in the hands of a trusted custodian with confidence that your funds could not be compromised with just one unlawful (or lawful!) security breach.

There are considerations to take into account even with multisig, however. You should avoid storing all the necessary keys to spend (e.g., two seed phrases in a 2-of-3 multisig) with the same company/bank. While unlikely, it would be possible in these cases for bank employees to collude to expose multiple items. Thankfully, even in a 2-of-3 multisig scenario where two seed phrases were compromised, attackers would still need specific information about the construction of the multisig wallet (wallet config file).
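Why the wallet config matters can be shown with a short added example (not from the original article). It assumes a 2-of-3 P2WSH wallet with keys sorted as in BIP67, and uses constructed 33-byte stand-ins for public keys instead of keys derived from real seed phrases. The output script commits to a hash of all three public keys, so holding two keys is not enough to rebuild it.

```python
import hashlib
from itertools import combinations

OP_CHECKMULTISIG = 0xAE

def witness_script(m, pubkeys):
    """m-of-n multisig witness script; keys sorted lexicographically (BIP67)."""
    keys = sorted(pubkeys)
    pushes = b"".join(bytes([len(k)]) + k for k in keys)  # push each 33-byte key
    # OP_1..OP_16 are encoded as 0x51..0x60, hence 0x50 + value
    return bytes([0x50 + m]) + pushes + bytes([0x50 + len(keys), OP_CHECKMULTISIG])

def p2wsh_script_pubkey(script):
    """P2WSH output: OP_0 followed by a 32-byte push of SHA-256(witness script)."""
    return b"\x00\x20" + hashlib.sha256(script).digest()

def can_reconstruct(known_keys, target_spk):
    """Try every m-of-n script buildable from known_keys alone."""
    for n in range(1, len(known_keys) + 1):
        for subset in combinations(known_keys, n):
            for m in range(1, n + 1):
                if p2wsh_script_pubkey(witness_script(m, subset)) == target_spk:
                    return True
    return False

def constructed_pubkey(label):
    """Constructed placeholder shaped like a compressed public key (not a real key)."""
    return b"\x02" + hashlib.sha256(label).digest()

# Constructed sample data: three cosigner keys and the wallet's output script.
KEYS = [constructed_pubkey(b"constructed key %d" % i) for i in range(3)]
WALLET_SPK = p2wsh_script_pubkey(witness_script(2, KEYS))

if __name__ == "__main__":
    print("all three keys:", can_reconstruct(KEYS, WALLET_SPK))
    for pair in combinations(KEYS, 2):
        print("two keys only: ", can_reconstruct(pair, WALLET_SPK))
```

The same property cuts both ways: an owner who keeps two seed phrases but loses the wallet config and the third public key faces the same gap, which is why the config needs its own backup.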

Shamir’s Secret Sharing Scheme

Another method for protecting your bitcoin is Shamir’s Secret Sharing Scheme (SSSS), which allows you to split a singlesig seed phrase into a collection of other mnemonic phrases. Considerations for SSSS and safe deposit boxes are very similar to those for multisig, since an SSSS setup can allow one or multiple of your SSSS seed word sets to be lost or stolen without compromising your funds.
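The threshold property described above, as an added example that is not part of the original article. It implements plain Shamir sharing over a prime field for a 2-of-3 split of constructed entropy; it is not the mnemonic encoding that hardware wallets use, and the names are illustrative.

```python
import secrets

P = 2**521 - 1  # Mersenne prime, larger than any 256-bit secret

def split(secret, k, n):
    """Return n shares (x, f(x)) of a random degree-(k-1) polynomial with f(0) = secret."""
    assert 0 <= secret < P and 1 < k <= n
    coeffs = [secret] + [secrets.randbelow(P) for _ in range(k - 1)]
    def f(x):
        acc = 0
        for c in reversed(coeffs):  # Horner evaluation mod P
            acc = (acc * x + c) % P
        return acc
    return [(x, f(x)) for x in range(1, n + 1)]

def recover(shares):
    """Lagrange interpolation at x = 0 over the given shares."""
    secret = 0
    for i, (xi, yi) in enumerate(shares):
        num = den = 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        secret = (secret + yi * num * pow(den, -1, P)) % P
    return secret

def slope_for_candidate(share, candidate):
    """2-of-n case: the slope a with candidate + a*x == y (mod P).
    One exists for every candidate, so a lone share rules out no secret."""
    x, y = share
    return (y - candidate) * pow(x, -1, P) % P

# Constructed sample: 128 bits of stand-in entropy, split 2-of-3.
ENTROPY = int.from_bytes(bytes(range(16)), "big")
SHARES = split(ENTROPY, 2, 3)

if __name__ == "__main__":
    print("shares 1+3 recover:", recover([SHARES[0], SHARES[2]]) == ENTROPY)
    print("share 1 alone recovers:", recover([SHARES[0]]) == ENTROPY)
    a = slope_for_candidate(SHARES[0], 12345)
    print("share 1 also fits secret 12345:", (12345 + a * SHARES[0][0]) % P == SHARES[0][1])
```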

Bank safe deposit boxes vs. private vaults

You have two options when storing seed phrases in secure boxes: a safe deposit box at a bank, or a box with a private safekeeping company.

The trade-offs relevant to seed phrase storage include:

  • Recordkeeping and reporting requirements: Banks are often subject to regulations that include audit, recordkeeping, and reporting requirements. Banks are obligated to file suspicious activity reports (SARs), which could lead to law enforcement obtaining a warrant, drilling your box, and seizing the contents, even if you have not done anything unlawful. A private safekeeping company usually must comply with a lawful warrant as well, but it doesn’t typically have the same degree of recordkeeping and audit requirements.
  • Accessibility: Access to a safe deposit box at a bank is limited to banking hours, which usually excludes evenings, weekends, and bank holidays. Private safekeeping companies often have better hours of availability.
  • Privacy: Banks necessarily collect ample amounts of personal information about all their customers, meaning larger amounts of information that could be misused or stolen. Private safekeeping companies generally store your personal belongings while requiring less personal information, sometimes allowing anonymity.

Remember, both options are generally safe for storing just one key in common multisig quorums of multiple keys (2-of-3 for example), since such quorums eliminate every individual key as a single point of failure.

Steps to store your seed phrase securely

Multisig is the most common scenario where it is safe to store a seed phrase in a safe deposit box, but how do you do so? There are many factors to consider; let’s walk through the basic steps.

1. Choose a safe deposit box provider

If you already have a relationship with a bank that offers safe deposit boxes, it’s probably not worth shopping around to consider other banks. Most banks have similar security standards when it comes to safe deposit boxes because of strict adherence to regulations.

If you don’t have an existing relationship with a bank or your bank doesn’t offer safe deposit boxes, you may wish to weigh various factors: bank safe deposit box vs. private vault (described above), price, and the reputation of the institution. Keep in mind that a single seed phrase does not unilaterally allow anyone to spend funds, so while you want to choose a company or institution that you deem low-risk, this decision is not of critical importance to your fund security.

Notably, not all banks offer safe deposit boxes; newer branches oftentimes don’t have them. If you choose to use a bank, older branches, which are more likely to have been built with a physical vault that includes safe deposit boxes, are your best shot.

2. Prepare your seed phrase

Next, you should prepare your seed phrase for storage. There are many considerations for preparing your seed phrase to be stored:

  • Paper vs. metal backups: Consider whether you want to use paper or metal seed phrase backups. Paper backups typically allow you to be more discreet, for instance storing a seed phrase in a book or other inconspicuous item. However, metal seed phrases will protect you in the event of flood or fire.
  • Tamper-evident bags: Consider a tamper-evident bag for either metal or paper backups, in order to alert you in the case that a seed phrase might be compromised.
  • Privacy: Place your seed phrase backup in a sealed envelope or box to protect your privacy.

3. Store your seed phrase in the box privately

Once your seed phrase is secured and prepared for storage, physically travel to the bank or private vault location and place it in the secure safe deposit box or vault. You should go by yourself unless you wish to add a joint renter (see step 4 below), which may require their physical attendance.

The first risk to avoid is bank employees knowing that you’re storing private key material in the first place. Don’t say anything about what you’re storing or why; banks generally allow you to place and remove items in private. If a bank or private vault employee comes to know what it is you’re storing by accident, consider withdrawing the items and moving them to another location or institution.

4. Maintain your seed phrase security

Now that your seed phrase is securely stored in the box, your final job is to ensure its ongoing security:

  • Consider adding a joint renter: You may wish to add a joint renter to your safe deposit box. In the case of your demise, it can be a hassle getting banks to release box contents to family. If you preemptively add a second person to the rental agreement, they can immediately get physical access to your seed phrase/hardware wallet in the event of your death.
  • Check on the physical security of your seed phrase: While there is no single best way to do this, you should check on the security of a seed phrase stored with a custody partner on a regular cadence; every six months to one year is good. When doing this, you should take into account all the security considerations that applied when initially placing the seed phrase in the box, as described in step 3 above.

More multisig security best practices

Safe deposit box storage procedures are not the only thing to consider when it comes to seed phrase storage best practices. If you use multisig, you should also consider the trade-offs of paper vs. metal seed phrase backups, proper security of your wallet config information, and how you might pass your bitcoin on in the event of your demise.
