Where should I buy a hardware wallet?

Direct from the manufacturer. Never Amazon, never eBay, never a third-party reseller — supply-chain tampering is a real and documented attack on Ledger and Trezor devices.

How long does proper setup take?

Plan 90 minutes for first-time setup, including testing recovery. Don't rush.

Should I buy two devices?

For holdings over $10K, yes — one for use, one as a tested backup. Both seeded from the same seed phrase via the device's recovery flow.

Hardware wallet setup — the right way for presale tokens

A 12-step setup that catches the mistakes most retail makes — from supply-chain attacks to seed-phrase backup to test recovery.

The single most common cause of total losses in self-custody isn’t the device. It’s the setup. Here’s the process that catches the typical mistakes.

Step 1 — Buy direct

Order the hardware wallet from the manufacturer’s official website only. Not Amazon. Not eBay. Not a “trusted reseller”. Supply-chain tampering is a documented attack — Ledger and Trezor devices have been intercepted, modified, and re-shipped multiple times.

When the package arrives:

Tamper-evident seal should be intact.
Box should be sealed in shrink-wrap (Trezor) or have a holographic seal (Ledger).
Anything that looks resealed: stop, contact the manufacturer.

Step 2 — Set up offline if possible

Do the initial setup on a freshly-restarted computer, ideally one not used for general browsing. Disconnect from the internet for the seed-generation step if your wallet supports it.

The seed is generated on the device, not on the computer. The computer’s job is just to relay UI clicks. But malware on the computer can spoof the wallet’s screen output if you’re not vigilant.

Step 3 — Initialize the device

Follow the device’s flow to “Create new wallet” (not “Recover wallet”). The device generates 24 words.

The 24 words appear only on the device’s own screen. They never appear on your computer. If your computer ever shows them, you have malware — abort.

Step 4 — Write the seed on steel, not paper

While the seed is on the device’s screen:

Have a steel-stamp seed plate ready (Cryptosteel, Billfodl, etc.).
Stamp each word as you read it from the device.
Double-check each stamped word against the device.
Have a second person verify if possible.

Do not:

Photograph the screen.
Type the words into the computer.
Speak the words out loud near a recording device (smart speakers, phones).

Step 5 — Test the steel backup before trusting it

After the device confirms the seed, before doing anything else:

Wipe the device.
Re-initialize using “Recover wallet” with the words from the steel plate.
Confirm the wallet recovers correctly.

This catches stamping errors before you’ve sent funds. People consistently skip this step and discover their backup is wrong only when they need it.

Step 6 — Set a strong PIN

8 digits or longer. Random. Not your birthday, not 12345678. The device wipes itself after a number of wrong PINs (configurable on Trezor).

Step 7 — Set a passphrase (optional but recommended)

A passphrase is a 25th word that’s not on the steel plate — it’s something only you know. With a passphrase:

Your seed alone gives access to a different (decoy) wallet.
Your seed + passphrase gives access to the real wallet.

This protects you against:

Seed-phrase theft (the thief gets the decoy wallet, not the real one).
“$5 wrench attack” (you can credibly hand over the seed without the passphrase, revealing only the decoy).

The passphrase must be memorized. Don’t write it down. Don’t tell anyone. If you forget it, the funds are gone forever — even with the seed.

Step 8 — Send a small test amount

Send $5-10 of the cryptocurrency you’ll be storing to the wallet’s address. Confirm it arrives. Send a small amount back out. Confirm the send transaction works.

This validates:

The wallet is correctly initialized.
You know how to receive and send.
The address you copy is the address that gets used (no clipboard-hijacker malware).

Step 9 — Disable unused functions

Most hardware wallets support multiple chains. Disable the ones you don’t use, especially “experimental” ones — fewer enabled features = smaller attack surface.

Step 10 — Geographic separation of backup

The steel plate stays at home. A second steel plate (also tested) goes to a different physical location:

A relative’s house with a fireproof safe.
A bank safety deposit box.
A second property.

If both plates are at home, a fire takes both. Geographic separation is the single most important physical-security choice.

Step 11 — Document what your heirs need

Write down (somewhere your heirs can find but not hack):

That a hardware wallet exists.
Where the steel plate is located.
That a passphrase exists (if used).
Generic instructions for recovery.

The passphrase itself — don’t write down. Memorize, or use a Shamir-shared trustee scheme.

This avoids the most common “lost forever” outcome: you die, your family knows you had crypto, but they can’t access it.

Step 12 — Re-test recovery every 6 months

The steel plate is fine. Your memory of the passphrase isn’t. Every 6 months:

Wipe the device (or use a second device).
Recover using the steel plate + passphrase.
Confirm access.
Restore.

If you can’t recover, the passphrase is forgotten — fix it now while the funds are still accessible.

What kills people who do steps 1-11 right

Forgetting step 12. The seed and passphrase exist; the human’s memory of the passphrase decays. Test recovery on a schedule, not just once.

The honest summary

A properly set-up hardware wallet protects against 95% of how retail loses crypto. Buy direct, test the backup, use a passphrase, geographic separation, document the path for heirs, re-test recovery on a schedule.

The device costs $80. The setup costs 90 minutes. Both are cheaper than the alternative.

Research, not advice. This article is editorial. We are not your financial adviser. Crypto presales can lose 100% of capital.