Most guides to owning Bitcoin dive straight into specific topics or debates: “hot wallet vs. cold wallet”, “passphrase or no passphrase”. It’s harder to find an explanation of self-custody from first principles, one that gives you a sense of where on the spectrum you want to sit.
If you’ve read my primer on what Bitcoin is and how it works and are now wondering what to actually do, this page is for you. There is no one-size-fits-all solution, so you should approach self-custody deliberately - knowing the strengths and weaknesses of your chosen setup, where it sits in the wider spectrum, and where you’re aiming to get to.
- Tier 0: ETFs and ETNs
- Tier 1: Exchange custody
- Tier 2: Software wallet
- Tier 3: Hardware wallet
- Tier 4: Steel backup and passphrase
- Tier 5: Where the ladder ends
How the tiers are defined
Each tier is defined by one thing: who holds the keys, and how well those keys are protected. Not how much bitcoin you own. Owning 0.01 BTC on a hardware wallet with a steel backup puts you at a higher tier than someone with 100 BTC on an exchange — and that holder is more likely to still own their coins in ten years. The tiers are cumulative: each one addresses a specific class of risk that the previous tier leaves open. You don’t need to reach the top, but you should know which class of risk you’re currently exposed to.
Bitcoin self-custody involves real trade-offs. The biggest threat to your coins is you — the most technically impressive setup in the world is worthless if your heirs can’t access it when you die. Be honest with yourself about your threat model.
Tier 0: ETFs and ETNs

You own zero bitcoin. You own a security whose price is linked to bitcoin.
A spot Bitcoin ETF (exchange-traded fund) or ETN (exchange-traded note) is a financial product that tracks the price of bitcoin - normally by holding bitcoin through a custodian and issuing shares against it. You buy and sell those shares through a broker, like a stock, and at no point do you touch the underlying asset.
Almost every reason you might cite for owning bitcoin - censorship-resistance, self-sovereignty, a monetary policy that isn’t answerable to anyone - disappears the moment you hold it through a wrapper. An ETF share is a promise from a chain of intermediaries: the fund, its custodian, your broker, and whatever regulatory regime governs them. Each link is a point of failure that bitcoin-on-the-network was designed to eliminate.
Some contexts justify the wrapper - a pension or ISA, a corporate treasury that can only hold regulated securities - where a product like BlackRock’s IBIT is a reasonable tool when the alternative is holding nothing. Just don’t mistake it for Bitcoin custody. It’s equity exposure to a fund, with all the counterparty risk that implies.
Tier 1: Exchange custody

Your bitcoin exists. Someone else controls it.
You’ve bought bitcoin on Kraken, Coinbase, or similar, and left it there. The coins are real, they just aren’t yours in any sense that survives scrutiny. “Not your keys, not your coins” isn’t just a slogan; it’s a statement about how the protocol actually works.
The problem is the one I flagged in my Bitcoin primer: in Bitcoin, the ability to sign is the ability to spend. An exchange balance is not bitcoin - it’s a line in a database saying the exchange owes you some bitcoin. If the exchange goes bust (FTX, 2022), gets hacked (Mt. Gox, 2014), gets frozen by regulators, or simply decides your withdrawal is suspicious, the coins sitting in the exchange’s wallet are legally theirs to deal with.
Exchange custody has its place. If you don’t trust yourself to use a wallet, then pick the exchange you trust the most and use it. If you dollar-cost average your bitcoin buys using an exchange, by all means let the balance accumulate for a while before withdrawing. But if you’re holding long-term, or hold enough that losing it would hurt, then you should strongly consider getting your own wallet and moving to Tier 2.
Tier 2: Software wallet

Your keys, but exposed.
At Tier 2, you control the keys. They’re managed by a wallet app on your desktop or mobile device. These are known as “hot wallets”, because the keys live on a device that connects to the internet. With your own wallet, you can send, receive, and hold bitcoin without asking anyone’s permission. This is a genuine step up.
You might’ve guessed the flaw already: it’s the internet connection. Even if the private keys are encrypted, they have to be decrypted whenever you use the wallet, on a device that’s also running your web browser, email client, and whatever else. A sufficiently capable attacker - using malware like a malicious browser extension - can reach them.
That doesn’t make hot wallets bad. They’re not a place for long-term savings, but they’re an excellent first step into self-custody and a convenient way to store short-term spending money.
Some quick recommendations:
- For a mobile wallet, Blue Wallet (iOS/Android) is an excellent choice.
- For a desktop wallet, Sparrow is the one to learn. It is the best open-source Bitcoin wallet in existence, it will grow with you as you move up the tiers, and it’s what you’ll use when you graduate to a hardware wallet at Tier 3.
Otherwise, the Tier 2 threat model is the usual one - malware, phishing, device loss without a backup. Don’t jailbreak your phone, don’t reuse passwords, and don’t install software you don’t trust.
Tier 3: Hardware wallet

Your keys, offline.
A hardware wallet is a small, purpose-built device that generates and stores your private keys, and signs transactions without ever exposing the keys to the device it’s connected to. This is cold storage: the separation between your keys and the internet is the defining upgrade over Tier 2.
The workflow looks like this. You use a “watch-only” wallet on your laptop to construct an unsigned transaction. This can be done using software provided by your wallet manufacturer - Trezor Suite, Ledger Live - or a third-party solution like Sparrow. Either way, you pass the unsigned transaction to the hardware wallet via USB, Bluetooth, or even QR code (for an air-gapped approach). After you’ve confirmed the details on the physical device, the newly signed transaction is handed back for broadcast.
This is a step-change in security. Malware on your laptop can no longer steal your keys; the worst it can do is try to trick you into signing a transaction you didn’t mean to. And because the hardware wallet has its own screen, it shows you the real destination address and amount before you’ve signed.
My recommended setup:
- A hardware wallet - I’d suggest Coldcard Mk5 or Trezor Safe (3 / 5 / 7) as starting points, but there are many solid options out there. Always buy direct from the manufacturer, never from Amazon or a reseller.
- Sparrow as the interface - by all means start with the manufacturer’s own software if you feel more comfortable doing so, but I’d recommend finding a mentor who can teach you proper use of Sparrow. It unlocks coin control, can connect to your own node (see below), and doesn’t nudge you towards services you don’t need.
- A seed phrase written on paper; two copies in separate secure locations.
One last thing: do not try to memorise your seed phrase. Your brain is a hostile environment for 256 bits of entropy.
Tier 3 is the rung of the ladder which I hope most Bitcoiners will get to. Properly implemented, the security and privacy afforded by Tier 3 are genuinely excellent, and your self-custody setup will be far more robust than the systems most of the world uses for storing fiat money.
Tier 4: Steel backup and passphrase

Hardened against physical threats. A second factor protecting your backup.
Tier 4 is the “I’m taking this seriously” tier. It adds a more robust backup and a BIP39 passphrase, which together address the main weak points of a Tier 3 setup. I’ll cover them in turn.
Steel backup
Paper is vulnerable to fire, water, mould, and a dozen other things. If you truly want to be your own bank, it is not an ideal material to protect your family’s life savings.
A steel backup protects your seed from physical threats. You take your 12 or 24 seed words and either stamp them into a steel plate yourself, or slot pre-engraved tiles into a capsule made for this purpose. The resulting object is effectively fireproof, flood-proof, crush-proof, and rot-proof for any timescale you’ll need.
Cryptosteel’s Seed24 capsule and Bitbox’s Steelwallet plate are good options, both priced at around £80 / $100. They include everything you need to get started, and preparing your backup typically takes less than an hour.
BIP39 passphrase
A BIP39 passphrase is an optional extra word - a 13th or 25th word - that your wallet adds to the seed phrase to derive the final keys. Enable a passphrase, and you get a completely different wallet from the same seed words. The base wallet (with no passphrase) continues to exist; an effectively infinite number of “hidden” passphrase-derived wallets live alongside it.
What does this solve? Imagine someone burgled your house and stole or copied your steel plate. Without a passphrase, they have your bitcoin. With a passphrase enabled - typically memorised and stored in a separate physical location - the thief has nothing useful, because the words alone don’t map to the wallet where your funds live. This cuts both ways; losing or forgetting a passphrase can mean your coins are permanently irretrievable. Study the links below before deciding if a passphrase is right for you.
Steel backup and passphrase belong in the same tier because they’re often adopted together, but they solve different problems: the steel backup protects the seed against environmental damage, the passphrase protects against discovery by someone who shouldn’t have it. You can do either without the other; doing both is my baseline for Tier 4.
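How the BIP39 passphrase described above changes the wallet, as an added example that is not part of the original guide: BIP39 stretches the seed words with PBKDF2-HMAC-SHA512 and mixes the passphrase into the salt, so any passphrase, including a mistyped one, yields a valid but different seed. The sample mnemonic is the public all-zero test phrase, and the passphrases and the `wallet_tag` helper are constructed for illustration.

```python
import hashlib
import unicodedata

# Constructed sample: the all-zero-entropy mnemonic from the public BIP39
# test vectors. Never use it (or any published phrase) for real funds.
SAMPLE_MNEMONIC = "abandon " * 11 + "about"


def bip39_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """BIP39 seed: PBKDF2-HMAC-SHA512, 2048 rounds, 64-byte output.

    The mnemonic is the PBKDF2 password; the passphrase only enters through
    the salt ("mnemonic" + passphrase). Both are NFKD-normalised first.
    """
    password = unicodedata.normalize("NFKD", mnemonic).encode("utf-8")
    salt = unicodedata.normalize("NFKD", "mnemonic" + passphrase).encode("utf-8")
    return hashlib.pbkdf2_hmac("sha512", password, salt, 2048, dklen=64)


def wallet_tag(mnemonic: str, passphrase: str = "") -> str:
    """Short label for comparing seeds in this demo (hypothetical helper,
    not a BIP32 master fingerprint)."""
    return hashlib.sha256(bip39_seed(mnemonic, passphrase)).hexdigest()[:8]


def compare_passphrases(mnemonic: str, candidates) -> dict:
    """Map each candidate passphrase to the tag of the wallet it opens."""
    return {p: wallet_tag(mnemonic, p) for p in candidates}


if __name__ == "__main__":
    # Constructed passphrases: none, the intended one, and two near misses
    # (wrong capitalisation, trailing space).
    attempts = ["", "orchard-7", "Orchard-7", "orchard-7 "]
    for phrase, tag in compare_passphrases(SAMPLE_MNEMONIC, attempts).items():
        print(f"{phrase!r:14} -> wallet {tag}")
    # Every attempt succeeds and maps to a different wallet. Nothing signals
    # a wrong passphrase; the wallet it opens is simply empty.
```

Because no attempt ever fails, the practical check after enabling a passphrase is to confirm that the wallet it opens shows the addresses you expect before sending funds to it.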
Tier 5: Where the ladder ends

Where it gets personal.
If you’ve reached Tier 4 and you’re still reading, the next steps depend more on your situation than on any universal ladder. Threat model, holdings, technical comfort, and inheritance requirements all pull in different directions. There isn’t a single Tier 5; there are a handful of paths, and the right one for you is a judgement call rather than a next rung.
Two worth covering here are multisig and inheritance planning. Others exist - DIY stateless signers like SeedSigner are worth knowing about for the more technically inclined - but in my experience, these are the two that matter most.
Path A: Multisig
A multisig wallet requires multiple keys (a quorum) to authorise a transaction - most commonly 2-of-3, but other configurations are possible. Each key can live on a different hardware wallet, in a different location, ideally from different manufacturers, or even in the care of a specialist collaborative-custody service. No single device or location is a point of failure.
The tradeoff is that recovery becomes dramatically more complicated. A single-sig wallet needs one seed phrase to restore. A 2-of-3 multisig needs at least two of the three key records, plus the full wallet descriptor - the file that tells the software which keys belong together and how.
As such, multisig is not automatically safer than Tier 4 single-sig. For someone who isn’t patiently, methodically technical, it can introduce more risk than it removes. The people who most need the robustness that multisig provides - high holdings, meaningful threat models - are generally also the people best-placed to maintain the discipline it requires.
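Why two seeds alone cannot restore a 2-of-3 wallet, as an added example that is not from the original guide and goes one level below the text, to the script itself: a P2WSH multisig output commits to the hash of a script containing all three public keys, so the wallet software must know the third key even though it never signs. The example assumes a native-segwit `sortedmulti` layout and uses constructed placeholder keys; a real descriptor stores extended public keys and derivation paths from which each address's keys are derived.

```python
import hashlib

OP_2, OP_3, OP_CHECKMULTISIG, PUSH_33 = 0x52, 0x53, 0xAE, 0x21


def placeholder_pubkey(label: str) -> bytes:
    """Constructed 33-byte stand-in for a compressed public key.
    Hypothetical helper: the bytes are not real curve points."""
    return b"\x02" + hashlib.sha256(label.encode()).digest()


def witness_script_2of3(pubkeys) -> bytes:
    """OP_2 <k1> <k2> <k3> OP_3 OP_CHECKMULTISIG with keys in sorted order."""
    if len(pubkeys) != 3 or any(len(k) != 33 for k in pubkeys):
        raise ValueError("need exactly three 33-byte compressed public keys")
    body = b"".join(bytes([PUSH_33]) + k for k in sorted(pubkeys))
    return bytes([OP_2]) + body + bytes([OP_3, OP_CHECKMULTISIG])


def p2wsh_script_pubkey(pubkeys) -> bytes:
    """Output script the coins are locked to: OP_0 <sha256(witness script)>."""
    return b"\x00\x20" + hashlib.sha256(witness_script_2of3(pubkeys)).digest()


def can_rebuild(target: bytes, known_pubkeys) -> bool:
    """True only if the known keys reproduce the on-chain output script."""
    try:
        return p2wsh_script_pubkey(known_pubkeys) == target
    except ValueError:
        return False


if __name__ == "__main__":
    a, b, c = (placeholder_pubkey(n) for n in ("key-A", "key-B", "key-C"))
    funded = p2wsh_script_pubkey([a, b, c])
    # All three public keys, in any order: the wallet can be rebuilt.
    print(can_rebuild(funded, [c, a, b]))
    # Two seeds recovered, third public key never backed up: it cannot.
    print(can_rebuild(funded, [a, b]))
    # Substituting any other key for the missing one does not help.
    print(can_rebuild(funded, [a, b, placeholder_pubkey("guess")]))
```

Two signatures are enough to spend, but only once the spending script can be reproduced, which is why the descriptor needs its own backup alongside each seed.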
If you want to explore it, Sparrow supports native multisig with clear documentation; Unchained offers a collaborative-custody product where they hold one of the three keys as a recovery option; Casa offers a fully managed variant with various key-service tiers.
Path B: Inheritance and succession
This is the gap almost everyone ignores. If you die tomorrow, can your heirs access your bitcoin?
The security that protects your coins from attackers can also protect them from the people you love. A seed phrase etched onto steel in a safe deposit box is useless to a spouse who doesn’t know the box exists and doesn’t know there’s a passphrase on top of it. For your heirs, technical sophistication is a liability.
The first move doesn’t require multisig or a legal structure. It’s a clearly-written, physically-stored letter to one trusted person, explaining what you own, where the seed phrase lives, what the passphrase is and where it’s kept, and how to recover the funds. You can store this in a sealed envelope and leave it with a solicitor, in a safe deposit box, or in a home safe.
If you want to go further - multisig with one key held by a professional custodian, a trust structure, a dead-man’s-switch - the tooling exists. But the letter is the first move, and by far the most important one.
A closing note
The point of this guide isn’t to push you up to Tier 5. It’s to help you identify where you currently sit, understand what that tier does and doesn’t protect you against, and move up the ladder deliberately - when you’re ready, and with a clear sense of what the next rung adds and what it costs.
For most people, Tier 3 is genuinely excellent. A hardware wallet, a carefully-stored paper backup, a verified test restore, and a bit of discipline will put you ahead of the overwhelming majority of bitcoin holders. Tier 4 is worth reaching if you’re holding for the long term, or in meaningful amounts. Tier 5 is a judgement call.
The mistake to avoid is staying at Tier 0 or Tier 1 by default, while assuming - because you “own bitcoin” - that you’ve absorbed the security properties Bitcoin offers. The protocol is remarkable. You have to meet it halfway.