3.6 Setting Up a 2-of-3 Multisig Vault

A 2-of-3 multisig is the gold standard for self-custody of larger amounts. It requires any 2 of your 3 keys to spend, so losing any single key isn't catastrophic and a thief stealing any single key can't move funds.

Step 1: Get three hardware wallets, ideally from three different brands (e.g. Coldcard + BitBox02 + Foundation Passport). Different vendors protect you in case one ever has a bug or supply-chain compromise.

Step 2: Generate each device's seed phrase offline, on the device itself, and immediately write each one down on paper — and ideally also stamp or engrave it onto a metal backup plate (Seedplate, Cryptosteel, Stamp Seed). Paper burns; metal survives a house fire.

Step 3: On each device, export its public master key (the xpub or descriptor). Combine all three xpubs in a coordinator app — Sparrow Wallet, Nunchuk, or Specter — to create the multisig wallet definition.

Step 4: Save the wallet 'descriptor' or output file. This is the recipe needed to recreate the wallet later; without it plus 2 of 3 seeds, recovery is much harder.

Step 5: Store the three seed phrases and the descriptor in three different secure locations — for example: a home safe, a safety deposit box, and with a trusted relative or attorney in a sealed envelope. The whole point is that no single location compromise can drain your funds.

Step 6: BEFORE sending real money — do a recovery test. Wipe one of the devices, restore it from the seed phrase, and confirm you can still sign a small test transaction with the other two. If recovery works, you're ready. If not, fix it now while you have no money at stake.

Final tip: verify every receive address on at least one hardware wallet's screen before depositing. Malware can swap addresses shown on your computer; the hardware wallet screen is your truth source.