Bitcoin Cold Storage

Step-by-Step Path to Self Custody

Move from exchange exposure to sovereign ownership with a practical, human-readable checklist. This guide walks you through each stage—from picking hardware to executing your first withdrawal—so you can hold your own keys with confidence.

Start the Guided Process Browse Hardware & Education

Nine Stages to Confident Self Custody

Each phase builds on the previous one. Take it slow, verify at every checkpoint, and don’t migrate significant funds until you can explain the why behind every step.

Step 1

Acquire Bitcoin the Right Way

Pick on-ramps that let you control custody quickly, regardless of where you buy.

Use reputable exchanges for liquidity, but withdraw immediately after each purchase.
Explore P2P marketplaces (RoboSats, Peach, Hodl Hodl) for privacy—lean on escrow and reputation systems.
Leverage non-custodial brokers like Bitcoin Well that deliver straight to your wallet during checkout.

What’s the best way to buy bitcoin if you want control and fair fees?

Step 2

Understand UTXOs & Plan Withdrawals

Move your stack off exchanges in sensible chunks so every output stays useful later.

Batch small purchases into withdrawals that justify the mining fee and avoid dust outputs.
Label the UTXOs you receive so you know which exchange or purpose they’re tied to.
Schedule regular sweeps before balances grow too risky to leave under someone else’s control.

Why combine multiple small buys before withdrawing to your own wallet?

Step 3

Pick a Bitcoin-First Hardware Wallet

Use devices that are open source, audit-friendly, and laser-focused on Bitcoin.

Prefer Bitcoin-only firmware (Coldcard, Passport, SeedSigner, Jade) that minimizes attack surface.
Choose open-source designs so the community can verify there are no backdoors or insecure code paths.
Validate each device’s supply chain integrity—buy direct or from vetted resellers to avoid tampering.

Why opt for an open-source, Bitcoin-only hardware wallet?

Step 4

Secure Setup Environment

Keep malware and prying eyes out of the equation while you initialize your wallet.

Update the hardware wallet firmware from the official vendor site.
Verify device authenticity (hologram, anti-tamper check, vendor instructions).
Power the device from a trusted source; avoid public USB hubs.

What is the safest first move before you pair the device to software?

Step 5

Secure Your Seed & Xpub

Create your recovery keys offline and harden them against leaks.

Let the hardware wallet generate your 12- or 24-word seed entirely offline.
Add a passphrase (BIP39) to create a hidden wallet layer for simple single-sig setups.
Export the Bitcoin xpub from the device offline to use in watch-only wallets; never reveal the seed.

Why generate the seed and xpub on the hardware wallet itself?

Step 6

Back Up Your Backups

Protect the seed, passphrase, and xpub redundantly so no single incident wipes you out.

Engrave or stamp the seed (and passphrase) into metal backups stored in distinct locations.
Keep the xpub separate so watch-only wallets can track balances without exposing spending keys.
Document recovery instructions in plain language for a trusted heir or executor.

How do you make sure a single disaster doesn’t destroy your recovery data?

Step 7

Set Up a Software Companion Wallet

Pair a watch-only desktop or mobile app with your hardware wallet to monitor balances and craft PSBTs safely.

Install an open-source companion like Sparrow, Specter, or Nunchuk on a trusted device.
Import the xpub via QR, SD card, or USB so the app can derive receive addresses without the seed.
Verify every displayed address on the hardware wallet screen before sharing or receiving funds.

Why use a software companion app with a hardware wallet?

Step 8

Run a Low-Stakes Rehearsal

Practice the entire flow with a meaningful, but not mission-critical, amount of bitcoin.

Withdraw a small test amount from the exchange to your new receive address.
Wait for on-chain confirmations, then label the transaction in your software wallet.
Create and send a return transaction back to the exchange to validate spending.

What’s the purpose of the rehearsal transaction?

Step 9

Test Recovery Before Full Migration

Run a full restore from your backups so you know your private keys—and only your private keys—control your bitcoin.

Factory reset (or use a spare device) and recover using your seed words plus passphrase before moving the full balance.
Confirm the regenerated wallet matches your watch-only xpub and produces the same receive addresses.
Once the drill succeeds, transfer the remaining funds; your private keys are the sole proof of ownership.
If you ever import the seed into hot software for testing, treat it as compromised and restart the cold-storage process.

Why complete a recovery drill before sending your entire stack?

Next Steps

Keep Building Your Self-Custody Skillset and Support This Project

You made it through all nine steps. If you feel like you got value, consider supporting this open-source project, and if you still need additional help with your setup, book a 1-on-1 coaching session with me.

⚡ Donate to Plebtools using Bitcoin & Lightning 🤝 Book a 1:1 Bitcoin Session

Pre-Migration Checklist

1Hardware wallet unboxed, verified genuine, and firmware updated.
2Seed phrase written twice, cross-checked, and secured in two separate places.
3Passphrase (if used) memorized, recorded in a secure, sealed envelope, and backed up multiple times.
4Software wallet installed, paired, and displaying the correct receive address.
5Test send a transaction, confirm it on a block explorer, and restore the wallet from your backup to verify full control.
6Instruction letter drafted for trusted beneficiary explaining recovery steps.

Trusted Resources

🔐 Coldcard - Bitcoin-Only Hardware Wallet
🟧 Blockstream Jade - Official Store
🛠️ Stamp Seed - Durable Seed Backup Use code BTCNOTCRYPTO15 for 15% off the Stamp Seed kit.
🖥️ Start9 - Self-hosted Node & Services Use code BNC5 for 5% off Start9 gear.
🎥 Bitcoin Not Crypto - Tutorials & Walkthroughs

Threat Modeling Tips

Self custody is a spectrum. Match your setup to the value at risk and the threats you actually face.

Keep hot wallet balances minimal; treat phones as convenience tools, not vaults.
Beware of social engineering—never plug a hardware wallet into an unknown computer.
Consider multisig with geographically separated backups once balances become life-changing.
Practice recovery annually from written instructions to ensure nothing has degraded.

Self Custody FAQ

Do I need multisig right away? Start with single-sig until you can run through a recovery from memory and documentation. Multisig adds security but also complexity—graduate to it once single-sig feels trivial.
What if I’m not ready to move everything? Move a percentage on a set schedule. The rehearsal stage is the perfect time to discover friction without risking your entire stack.
How should I brief family or business partners? Write plain-language recovery steps and store them alongside legal documents. Ideally, rehearse with a trusted party so they have muscle memory if they ever need to execute.
How often should I refresh my setup? Review quarterly. Confirm firmware updates, test backups, and ensure your instructions still match your hardware and wallet versions.

Want to buy and secure your Bitcoin?

These are affiliate/discount links

Where to buy

Bitcoin Well

Where to store

Blockstream Jade

How to protect

Stamp Seed

USE CODE: BTCNOTCRYPTO15 for 15% off

How to validate

Start9

CODE: BNC5 for 5% off

1:1 Coaching

Bitcoin 1:1

Where to learn

YouTube

⚡

Support Plebtools

Enjoying these tools? You can help keep them free and open source by donating sats. Every contribution fuels more Bitcoin-first development.

Donate ⚡

Open Source

Plebtools is fully open source. Fork the code, submit improvements, or deploy your own instance to track Bitcoin operations your way.

View on GitHub