Zelcore Team
Multi-Asset Crypto Wallet & Web3 Ecosystem

Your Personal Custody Plan — A Decision Framework

Most people make a single custody decision and never revisit it. They move funds to a hardware wallet after a scare, or leave everything on an exchange out of convenience, and call the problem solved. Neither approach is a plan. A real plan matches where assets live to two variables that are unique to each holder: how much is at risk and how often it needs to move.

The Two Axes: Value at Risk and Access Frequency

Every custody decision reduces to a trade-off between security and convenience. Hot wallets — software wallets connected to the internet — optimize for access. A mobile wallet can sign a transaction in seconds. Cold storage — keys kept offline on a dedicated hardware device or an air-gapped machine — optimizes for security at the cost of that convenience.

The rule of thumb that experienced self-custody practitioners use: funds you expect to spend within days or weeks belong hot; funds you plan to hold for months or years belong cold. The threshold for moving from hot to cold is personal. Most practitioners place it somewhere between one and six months of net income — the point where a loss starts to feel life-altering rather than merely painful.

Using a single wallet type for everything is almost always suboptimal. A single hot wallet holding a year's savings is unnecessarily exposed. A single hardware wallet used for daily transactions means constantly plugging in a device and approving prompts for small amounts — friction that produces mistakes.

When to Add a Passphrase Layer

A BIP-39 passphrase — sometimes called the 25th word — derives a completely separate wallet from the same seed phrase. Anyone who finds the seed phrase but does not know the passphrase sees nothing but an empty wallet. That is the protection it offers.

The passphrase is worth adding in two situations: when the seed phrase is stored somewhere it could be physically discovered, or when cold-storage holdings have crossed a personally significant threshold. Before committing any funds to the passphrase-protected wallet, restore it on a second device using both the seed and the passphrase to verify the derivation works correctly.

The failure mode is severe and irreversible. Losing a passphrase means permanent loss of every coin behind it — there is no recovery path, no customer support, no fallback. Do not add a passphrase if there is any genuine doubt about retaining a second secret reliably.

A useful technique when using a passphrase is plausible deniability: maintain a small but believable balance on the passphrase-free wallet, and hold the main position behind the passphrase. An attacker or coercer who finds the seed phrase and demands access sees only the smaller balance.
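
How the passphrase enters the derivation, as an added example (not Zelcore's code): BIP-39 feeds it into PBKDF2 as part of the salt, so every passphrase, including a mistyped one, produces a valid but different wallet from the same words. The mnemonic is the public BIP-39 test vector, the passphrases are constructed, and `restore_tag` is a hypothetical helper for comparing two restores.

```python
import hashlib
import hmac
import unicodedata

# Public BIP-39 test-vector mnemonic; never fund a wallet derived from it.
MNEMONIC = ("abandon abandon abandon abandon abandon abandon "
            "abandon abandon abandon abandon abandon about")


def bip39_seed(mnemonic, passphrase=""):
    """BIP-39: PBKDF2-HMAC-SHA512, 2048 rounds, salt = "mnemonic" + passphrase."""
    def nfkd(text):
        return unicodedata.normalize("NFKD", text).encode("utf-8")
    salt = b"mnemonic" + nfkd(passphrase)
    return hashlib.pbkdf2_hmac("sha512", nfkd(mnemonic), salt, 2048, dklen=64)


def bip32_master(seed):
    """BIP-32 master private key and chain code for a given seed."""
    digest = hmac.new(b"Bitcoin seed", seed, hashlib.sha512).digest()
    return digest[:32], digest[32:]


def restore_tag(mnemonic, passphrase=""):
    """Hypothetical 8-hex-char tag for comparing two restores.

    Real wallets show the BIP-32 master fingerprint (needs secp256k1);
    this stand-in hashes the master key and chain code instead.
    """
    key, chain = bip32_master(bip39_seed(mnemonic, passphrase))
    return hashlib.sha256(key + chain).hexdigest()[:8]


if __name__ == "__main__":
    # Constructed passphrases: none, the intended one, and a one-character typo.
    for label, phrase in [("no passphrase", ""),
                          ("intended", "TREZOR"),
                          ("typo", "TREZ0R")]:
        print(f"{label:14} -> wallet tag {restore_tag(MNEMONIC, phrase)}")
```

Nothing in the derivation can report a wrong passphrase, which is why the restore test on a second device has to happen before any funds are sent.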

When Multi-Signature Is Worth the Complexity

Multi-signature (multi-sig) setups require M-of-N keys to authorize a transaction. The most common individual arrangement is 2-of-3: any two of three keys can spend, so losing one key does not cause permanent loss. A typical physical layout places one key at home, one in a safe-deposit box, and one with a trusted person in a separate location.

BIP-48 standardizes the m/48' derivation path hierarchy for HD multi-sig wallets. The recommended default script type is native SegWit (P2WSH, script type 2'), and BIP-67 deterministic key sorting is used to ensure consistent address generation across all signing devices.
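
Why the key sorting matters, as an added example (not Zelcore's code): the multi-sig script commits to the cosigner keys in order, so devices that list the same three keys differently would compute different P2WSH outputs unless they sort first. The three keys are constructed 33-byte placeholders, and the function names are assumptions of this sketch.

```python
import hashlib
from itertools import permutations

# Constructed 33-byte values standing in for three cosigners' compressed
# public keys (0x02/0x03 prefix + 32 bytes); they are not real wallet keys.
KEYS = [b"\x03" + b"\x11" * 32, b"\x02" + b"\xaa" * 32, b"\x02" + b"\x5c" * 32]


def witness_script(pubkeys, m, sort_keys=True):
    """m-of-n CHECKMULTISIG witness script; BIP-67 ordering when sort_keys."""
    n = len(pubkeys)
    if not 1 <= m <= n <= 16:          # single-byte OP_1..OP_16 only
        raise ValueError("need 1 <= m <= n <= 16")
    if any(len(k) != 33 or k[0] not in (2, 3) for k in pubkeys):
        raise ValueError("BIP-67 is defined for compressed public keys")
    ordered = sorted(pubkeys) if sort_keys else list(pubkeys)
    script = bytes([0x50 + m])                       # OP_m
    for key in ordered:                              # BIP-67: ascending byte order
        script += bytes([len(key)]) + key            # push the 33-byte key
    return script + bytes([0x50 + n, 0xAE])          # OP_n OP_CHECKMULTISIG


def p2wsh_script_pubkey(script):
    """Native SegWit v0 output script: OP_0 <32-byte SHA-256 of the script>."""
    return b"\x00\x20" + hashlib.sha256(script).digest()


def distinct_outputs(pubkeys, m, sort_keys):
    """Count the different outputs produced across every cosigner key order."""
    return len({p2wsh_script_pubkey(witness_script(list(p), m, sort_keys))
                for p in permutations(pubkeys)})


if __name__ == "__main__":
    print("unsorted:", distinct_outputs(KEYS, 2, False), "different outputs")
    print("BIP-67  :", distinct_outputs(KEYS, 2, True), "output")
```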

Multi-sig is not the right default for most individuals. It introduces genuine operational complexity: compatible signing devices are required, a single signing device becoming unavailable must be anticipated in the recovery design, and the coordination overhead for routine transactions is non-trivial. New failure modes appear that do not exist in single-key setups.

Multi-sig becomes worthwhile in two cases: when a single point of compromise would be catastrophic — for example, a holding large enough that a house fire or a single physical theft would be devastating — or when shared control across multiple parties is genuinely required, such as a family arrangement or a small organisation's treasury.

For most individuals, a passphrase on a hardware wallet achieves something comparable to multi-sig redundancy with far lower operational overhead. Consider multi-sig only when you have exhausted and understood the simpler options.

Inheritance and Emergency Access Planning

Self-custody creates a problem that custodial systems solve automatically: there is no customer support to call, no estate court process that unlocks a hardware wallet, no institution that will hand assets to next of kin. If heirs do not have the right information, the funds are gone.

The goal is to give heirs enough to recover funds without creating a security risk during your lifetime. A sealed document stored with your will or solicitor — describing seed location, wallet software, derivation paths, and a passphrase hint — is often sufficient for non-technical estates.

For larger holdings or more complex setups, SLIP-39 Shamir's Secret Sharing provides a cryptographic alternative. SLIP-39 splits the master secret into N shares, of which only M are required to reconstruct it. It supports 1–16 groups with 1–16 members per group, and works with both 128-bit and 256-bit master secrets. A 3-of-5 split, for example, means any three of five share-holders can reconstruct the secret, with no single holder having full access.

Avoid placing a seed phrase directly in a will. Wills become public documents on probate, which means the seed phrase would become accessible to anyone who looks.

Whatever approach you choose, test the recovery procedure at least once per year. Software versions change, wallet interfaces change, and a recovery process that worked eighteen months ago may behave differently today.

Concrete Allocation Examples

The following tiers are illustrative. The meaningful trigger in each case is personal — what the amount represents relative to your own financial situation.

Small holdings (under approximately $1,000 equivalent): A reputable non-custodial mobile wallet with a paper seed backup stored in a safe place is adequate. The cost and friction of a hardware wallet are likely disproportionate to the risk.

Medium holdings (approximately $1,000–$25,000): A hardware wallet holds the bulk of the position. A small hot-wallet float covers day-to-day transactions. The seed phrase is stored in two separate physical locations. A passphrase is worth considering if the seed is stored at home or anywhere accessible to others.

Significant holdings (above approximately $25,000, or any amount that would materially alter your life if lost): Hardware wallet with a passphrase. Seed phrase engraved on a metal plate and stored separately from the signing device. For the highest tier of these holdings, a 2-of-3 multi-sig arrangement or a SLIP-39 split adds another layer of redundancy. A written inheritance plan is tested and stored with your estate documents.

Across all tiers: never digitize the seed phrase — do not photograph it, store it in a note-taking app, or type it into any device connected to the internet. Verify that you can restore from backup at least once per year.

The Decision Checklist

Use this sequence when reviewing your setup:

  1. Categorize by amount and time horizon. Assign each asset bucket to hot or cold based on how frequently you need access and how much value is at stake.
  2. Evaluate passphrase need. If the seed phrase could be physically discovered and holdings cross your personal threshold, add a passphrase stored separately from the seed.
  3. Evaluate multi-sig need. If a single device failure or a single person's death should not be able to terminate access, design a 2-of-3 multi-sig or SLIP-39 split for the affected tier.
  4. Document for inheritance. Test the recovery procedure. Store it with your estate plan in a form your heirs can act on without technical expertise.
  5. Audit annually. Holdings change. Life circumstances change. The right tier today may be wrong in two years.

Further Reading

"Not Your Keys, Not Your Coins" — What an Exchange Actually Holds
Unpacks the difference between an IOU balance on an exchange and actual on-chain ownership, using concrete failures (FTX, Mt. Gox) to show what 'custodial' means in practice.

The Multi-Chain Custody Problem — One Seed, Many Ledgers
Why a single BIP-32/44 seed unlocks accounts across Bitcoin, Ethereum, Solana, and 80+ other chains in Zelcore — and the practical implications for address reuse, chain-specific metadata, and protecting your one point of failure.

Your Attack Surface: Phishing, Clipboard Hijackers, Fake Apps, and SIM Swaps
A practical catalogue of the top attacks on self-custody users — address poisoning, clipboard malware, fake wallet apps, and SIM swaps — with concrete mitigations for each.