If you hold enough Bitcoin that losing it in an exchange hack would hurt, get a hardware wallet. If you are buying some new coin nobody has heard of because you think it can 10x in price, and that position becomes meaningful in value, get a hardware wallet. If you want to remove trusted third parties from the picture and become a sovereign individual, get a hardware wallet.
Hardware wallets are much more secure than the apps you can download to your phone or computer: the private keys are generated on the device, never leave it, and transactions are signed on the device, so malware on the computer cannot export them. If you already use an app to hold your coins, fine, but treat it like the physical wallet in your pocket. You wouldn’t carry $5,000 in cash; you would keep that somewhere more secure. Set your own threshold, but the majority of your coins belong in cold storage on a hardware wallet rather than in a hot wallet on your phone or on an exchange.
Standard Set Up
The device ships blank, so the first thing you’ll need to do is install the firmware. Head over to https://trezor.io/start/ and select your device. When you do, it will show a warning about the holographic security seal. Make sure you are using a real Trezor that you bought from a legitimate source. I won’t post a picture of the seal because they have made several improvements over the years and I don’t want to cause panic if this guide is slightly outdated. You can read more about the seal on Trezor’s site, but check against the most up to date one shown on the screen.
As soon as you determine that it is real, you’re going to have to tear into the packaging. The packaging is designed to be tamper evident for your own security so rip it open like a 3 year old on their birthday. Try to be somewhat careful because there are some papers and stickers in there you can damage.
Click on the device you purchased, plug it in, and it will ask you to install Trezor Bridge. The bridge is a small helper program that lets your browser talk to the device over USB. Once the bridge is running, follow the prompts to install the firmware on the device.
Now that the firmware is installed, click on “Create A New Wallet.”
Once you click on create a new wallet, you’ll be taken to the below screen. I know you want to play around with your new wallet, and we’ll get there, but press “Create a backup” first, then read through the warnings and understand what your backup, also known as your mnemonic words or seed phrase, is and how not to back it up (no photos, no typing it into a computer).
In the box you’ll find two pieces of paper that have 24 lines on it. Grab both pieces of paper and write down the 24 words that appear on the device on the first piece of paper. Once you get to the end of the 24 words on the first piece of paper, it will show you the words again. SLOWLY go through all 24 words on the screen and compare it to what you have written down on the first piece of paper. Once you confirm it matches, write it down on the second piece of paper. I suggest doing it this way in case you make a mistake on the first piece of paper.
The next thing you’ll need to do is create a PIN. It can be up to 9 digits. Notice that the PIN keypad on the computer is scrambled. This is on purpose: the mapping of positions to digits is shown only on the device, so malware that records your screen or your mouse clicks learns which position you clicked but not which digit it was. Look at the device, find the number you want to use, then click the dot on the computer screen that corresponds to where that number sits on the device’s screen. Again, the only thing that ever matters with a hardware wallet is what is on the device’s screen.
Once you created your PIN, enter it a second time to ensure it is correct, and click continue to name your device.
You can name your device anything you want. This is more for fun than anything else but it does serve two real purposes.
- When you plug it in, you’ll see the name of the device. So if you have multiple devices, or someone in your home also owns one, you can recognize yours before you enter the wrong PIN over and over. Each incorrect PIN doubles the wait before you can try again. It would be rude to do that to someone else’s device.
- To confirm that the device in front of you really is yours. Say someone is after your coins, builds a fake Trezor, and puts it where you keep yours. You try to use it, enter your PIN into the fake, and it logs your PIN. The attacker then enters that PIN into your real device while you are stuck thinking yours is broken. A name the attacker cannot guess, something like “I like spaghetti” rather than “Dave’s Trezor”, gives you a cheap check: if the name on the screen is wrong or missing, stop before you type the PIN. The odds of this happening are low, but the check costs you nothing.
Once you’re done naming the device, it will suggest you bookmark the website, which you should do to prevent a phishing attack. A phishing site is a fake site that looks like the real one: you think you are on the Trezor site, but the o is really a 0, or the e carries an accent instead of being the plain English letter. Always reach the wallet through the bookmark, not through a link or a search result.
The final step in the onboarding flow is it will ask if you want to stay in the know. Trezor doesn’t send out many marketing emails. It is mostly security updates, new features, and the occasional sale.
You may have noticed that your device is already reported as outdated despite installing the firmware 15 minutes ago. Trezor installs a base level of firmware and then lets you opt into the updates it has released since. I recommend upgrading. Press the “show details” button, unplug your device, and, if you are using a Trezor One, hold down both buttons while you plug it back in. If you are using a Model T, unplug it and then plug it back in while swiping upwards on the device.
It will ask whether you have your seed with you, which you should, given you set it up moments ago; check the box and update. In the future, always have your seed before updating. If the update is interrupted, say by a power outage or a dropped connection, the device may have to be wiped and recovered from the seed. If you do not have your seed, all of your coins WILL be lost.
Once you press update, it will show you a firmware fingerprint, the string of letters and numbers seen below on the right hand side. Make sure what is on your computer screen matches what is on the screen of the device. Again, the ONLY thing that ever matters is what is on the screen of the device. The fingerprint is a hash of the firmware image, so a match tells you the image your computer downloaded is the one the device is about to flash, and the device itself checks the SatoshiLabs signature on that image before running it. SatoshiLabs is the company that makes Trezors; a mismatch means you are not installing their firmware and should stop.
That’s it. You are free to use the device and move your coins off of an exchange into a more secure or self sovereign storage environment.
Next Steps For Added Security
This makes the process longer, but it gives you better security as well as the peace of mind that you set it up correctly.
The first thing you should do is go to Advanced and set up a passphrase. There are two things you should know about passphrases:
- If you lose it, your coins are lost. There is NOT a reset passphrase option. There is NOT a phone number or email address you can reach out to for support. You NEED to remember it, so ideally you would make it a long, complex passphrase. Most people cannot remember such passwords, though, and even a weak passphrase such as a birthday is better than none.
- There is no wrong passphrase, which is why the first point is so important. Each of the 24 words you wrote down corresponds to a number in a fixed list; the words exist only to make that number human readable, just as Google.com is really an IP address made readable by DNS. The words and the passphrase are fed together through a key-derivation function (PBKDF2 under BIP39) to produce the master seed, and all of your public and private keys for every past, present, and future address are derived from that seed. Change the passphrase by a single character and you get a completely different master seed, and with it an entirely separate set of addresses. Any string is a valid passphrase, so there is no wrong one: if you type your passphrase with a typo, the device happily shows you a valid address that belongs to a wallet you may never find again. Later I’ll walk you through a test for this.
You may read both of those points and rightfully ask, “Why in the world would I want to set up a passphrase?” The reason is that your PIN only protects the device in your hand; it is not part of the keys. The 24 words come from a master list of 2048 words, the BIP39 list, and everyone who uses Bitcoin or most other cryptocurrencies draws from the same list. Nobody is going to guess your 24 words in order (24 words encode 256 bits of randomness), but whoever finds the paper you wrote them on can enter those words into any device, in order, and has access to all of your coins with no PIN required. A passphrase gives you a completely different set of addresses and private keys, so someone holding only your seed phrase gets an empty wallet. So weigh the two points above and set a passphrase.
Whatever you choose, memorize it and back it up on paper, ideally not in the same location or on the same piece of paper as your seed, or store it in a password manager. You CANNOT forget it.
Once you set up a passphrase, send a small transaction to your passphrase account. If you are using Bitcoin or another chain with a UTXO model, send an amount you are comfortable losing without it being too small. For most people $10 to $100 is a good range. The reason is that if fees on Bitcoin spike again as they did in late 2017, you don’t want to pay a $50 transaction fee to spend $1. There is also a dust limit: an output worth less than roughly what it costs to spend it will not even be relayed, so a penny-sized test is effectively lost. Sending a larger amount makes it more likely the coins can actually be used later. If you are using Ethereum or another account-based chain, that concern doesn’t apply and you can send any amount; $0.01 to $1 is fine. If you hold multiple cryptocurrencies, use the one that is financially less risky for you, because there is a real chance of doing something wrong and losing it. So go to your coin of choice, click on Receive, and you’ll see the address and a QR code. Paste the address or scan the QR code to send your test transaction. Depending on the chain it will take 1 to 10 minutes to confirm, but you’ll see a pending transaction appear within a few seconds.
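To make the fee and dust reasoning above concrete, here is an added example (not code from the original guide) that classifies a candidate test amount for a UTXO chain. The transaction sizes, dust thresholds and the BTC price it uses are assumptions stated in the code: the sizes are the usual virtual-byte estimates for one-input, one-output P2WPKH and P2PKH transactions, and the dust thresholds are the values Bitcoin Core derives from its 3 sat/vB dust relay fee. The point it shows is that what matters is the fee rate at the time you later spend the output, not the fee you pay today.

```python
"""Added example: is a test amount on a UTXO chain worth sending?

Two things make a tiny test output useless:
  * the dust limit: nodes will not relay a transaction whose output is
    worth less than roughly what it costs to spend that output, and
  * the fee to spend it later, which depends on the fee rate at that time.

Sizes are approximate virtual-byte (vB) estimates (assumption: one input,
one output, no change); dust thresholds are Bitcoin Core's. The BTC price
used in the demo at the bottom is a constructed input, not a live quote.
"""

SIZES_VB = {
    # overhead = version, locktime, counts, segwit marker; input/output sizes per script type
    "p2wpkh": {"overhead": 10.5, "input": 68.0, "output": 31.0, "dust_sats": 294},
    "p2pkh": {"overhead": 10.0, "input": 148.0, "output": 34.0, "dust_sats": 546},
}

SATS_PER_BTC = 100_000_000


def usd_to_sats(usd: float, btc_price_usd: float) -> int:
    """Convert a dollar amount to satoshis at the given (constructed) price."""
    return round(usd / btc_price_usd * SATS_PER_BTC)


def spend_fee_sats(fee_rate_sat_vb: float, script: str = "p2wpkh") -> int:
    """Fee to later spend one output of this script type to one destination."""
    s = SIZES_VB[script]
    vbytes = s["overhead"] + s["input"] + s["output"]
    return round(vbytes * fee_rate_sat_vb)


def assess_test_amount(amount_sats: int, future_fee_rate_sat_vb: float,
                       script: str = "p2wpkh") -> dict:
    """Classify an amount as 'dust' (will not relay), 'uneconomic' (the fee to
    spend it later would exceed its value) or 'ok'."""
    dust = SIZES_VB[script]["dust_sats"]
    fee = spend_fee_sats(future_fee_rate_sat_vb, script)
    if amount_sats < dust:
        verdict = "dust"
    elif fee >= amount_sats:
        verdict = "uneconomic"
    else:
        verdict = "ok"
    return {
        "amount_sats": amount_sats,
        "dust_limit_sats": dust,
        "future_spend_fee_sats": fee,
        "verdict": verdict,
    }


if __name__ == "__main__":
    PRICE = 40_000.0  # constructed BTC/USD price for the demo
    # A late-2017 style fee spike (hundreds of sat/vB) versus a quiet mempool.
    for usd in (0.01, 1, 50):
        for rate in (300, 10):
            r = assess_test_amount(usd_to_sats(usd, PRICE), rate)
            print(f"${usd:>6} at {rate:>3} sat/vB -> {r['verdict']:10} "
                  f"(spend fee {r['future_spend_fee_sats']} sats)")
```

At a $40,000 price and a 300 sat/vB fee rate, a $1 test (2,500 sats) costs about 32,850 sats to spend and is uneconomic, while $50 survives; a $0.01 test (25 sats) is below the dust limit at any fee rate.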
Once you send that small test transaction and see it pending, unplug your Trezor, plug it back in, and when it asks for your passphrase, press enter without typing anything. Don’t freak out when the wallet is empty. That is the set of addresses that has no passphrase, and it demonstrates that one seed phrase holds many different wallets.
Now unplug your device, plug it back in, and this time enter your passphrase. You should see that tiny test transaction. If you don’t, you may have typed the passphrase incorrectly either now or when you generated the receive address. Unplug, reconnect, and enter the passphrase again. If the wallet is still empty, you mistyped the passphrase before sending the test transaction, and the coins sit in a wallet you cannot reproduce. That is fine; that is why we sent a test transaction. It is better to lose a small test transaction than all of your coins. Again, there is no WRONG passphrase. Send another test transaction and see if you can get it right this time, and type your passphrase in slowly to make sure you are entering it correctly.
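The passphrase explanation above and the test-transaction check it motivates can be reproduced on a computer with nothing but the Python standard library. The following is an added example, not code from the original guide or from Trezor, and it uses the public BIP39 test mnemonic (12 words of all-zero entropy; the function accepts 24 words just as well) so that no real seed is ever typed into a computer. It derives the BIP39 seed and the BIP32 master key for an empty passphrase, the intended passphrase, and a one-character typo, and shows that all three are valid and all three differ.

```python
"""Added example: how a BIP39 passphrase changes the wallet.

BIP39 feeds the words plus the passphrase through PBKDF2-HMAC-SHA512
(2048 rounds, salt "mnemonic" + passphrase) to produce a 64-byte seed.
BIP32 then derives the master private key and chain code from that seed
with HMAC-SHA512 keyed by "Bitcoin seed". Every passphrase, including a
typo, yields a valid seed and therefore a valid but different wallet.
"""
import hashlib
import hmac
import unicodedata

# Public BIP39 test vector mnemonic (all-zero entropy). Never type a real seed here.
TEST_MNEMONIC = "abandon " * 11 + "about"


def bip39_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """BIP39 seed: PBKDF2-HMAC-SHA512 over NFKD-normalised words and passphrase."""
    words = unicodedata.normalize("NFKD", " ".join(mnemonic.split()))
    salt = "mnemonic" + unicodedata.normalize("NFKD", passphrase)
    return hashlib.pbkdf2_hmac("sha512", words.encode("utf-8"),
                               salt.encode("utf-8"), 2048, dklen=64)


def bip32_master_key(seed: bytes) -> tuple[bytes, bytes]:
    """BIP32 master node: (private key, chain code) from HMAC-SHA512("Bitcoin seed", seed)."""
    digest = hmac.new(b"Bitcoin seed", seed, hashlib.sha512).digest()
    return digest[:32], digest[32:]


def wallets_for(mnemonic: str, passphrases: list[str]) -> dict[str, str]:
    """Map each passphrase to the hex master private key it produces.
    Distinct values mean distinct wallets under the same 12 or 24 words."""
    return {p: bip32_master_key(bip39_seed(mnemonic, p))[0].hex()
            for p in passphrases}


if __name__ == "__main__":
    # No passphrase, the intended passphrase, and a one-character typo (0 for O).
    for p, key in wallets_for(TEST_MNEMONIC, ["", "TREZOR", "TREZ0R"]).items():
        print(f"passphrase={p!r:<10} master_key={key[:16]}...")
```

With the passphrase "TREZOR" the seed matches the published BIP39 test vector, which is how you confirm the derivation is correct; the "TREZ0R" line is the typo case the guide warns about, and it is every bit as valid as the other two.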
Check Recovery Seed
Go to Advanced, then click on Check Recovery Seed. You might be asking yourself, “Why am I checking this? I just wrote it down, checked it, then wrote it down again 15 minutes ago,” which is true. This is an extra check that you wrote the words down correctly and in the correct order, because people still get it wrong. It is a dry run of the recovery you would have to do after losing the device. Enter your seed ON THE DEVICE and see whether what you saved matches.
Seed and Passphrase Storage
Now that you understand what your seed phrase is and the importance of it along with your passphrase, you need to find a way to store it securely.
- Never back up your seed digitally.
- Think about using a piece of paper that doesn’t say Trezor on it, in case someone stumbles upon it, Googles what a Trezor is, and realizes what they have found.
- Think about laminating that piece of paper in case it gets wet and the ink bleeds or the paper falls apart entirely. If you do, make sure the chemicals in the plastic don’t eat away at the ink or the paper.
- Think about stamping your seed into metal, since laminated paper burns and melts. Be aware that not all metal is created equal; some alloys deform or melt at house-fire temperatures.
- Place your seeds in a secure location. For some that means under your mattress while others it means in a safe.
- Place your backup seed in a second safe location. For some that means with a friend or relative; for others it means a safe deposit box. Weigh the time it takes to reach your seed against how soon you might need it. Banks are not open 24/7, which limits when you can get at a safe deposit box. If you are not going to need to recover your coins for years, this is a great option.
- Back up your passphrase. If you leave your seed with a friend, a family member, or at the bank, you are trusting them either not to know what you have given them or not to use it. A passphrase protects against both, so back it up in a separate location from your seed. For some this means the seed goes to someone they trust and the passphrase goes in a safe deposit box. Others use a password manager like 1Password or LastPass for the passphrase and put the seed in a safe deposit box.
- If you are putting it in a safe at home, consider the safe’s fire and water ratings. When a home catches fire it may be put out immediately or it may burn for an hour; safes are rated for how hot they can get and for how long. Also remember that odds are your home will not be left to burn down, which means a paper seed in a safe that is not waterproof can get soaked when the fire department puts the fire out.
- If you are not going to go the paranoid route and are instead going to back up your seed digitally and use a passphrase you’ll remember, like your birthday, then make sure that digital account is locked down. Use 2FA such as Google Authenticator or Authy, ideally a YubiKey, on your Dropbox, iCloud, or Google Drive account. Print out the backup codes and remove the recovery email address and phone number, since those are what an attacker uses to take over the account.
Download the Trezor Suite
I recommend downloading and using Trezor Suite, the desktop app version of the web wallet. You can download it and start using it at https://suite.trezor.io/. The desktop app has some minor additional features, but the main reason to use it is safety: by running the wallet on your desktop instead of in a browser, you remove the risk of landing on a phishing website.