Security decays by default
A self-custody setup is perfect exactly once: the day you build it. Then life resumes. Houses get renovated, safes get moved, family situations change, wallets add features, and your own memory of where-what-why softens at the edges. None of this announces itself. The only countermeasure is a scheduled look — one hour, once a year, same as a smoke detector battery.
Pick a date you can't forget (many people use a birthday or New Year's week), put it in your calendar on repeat, and run the checklist below. The first audit takes the full hour. After that, most years it's twenty minutes of pleasant confirmation that everything is exactly where it should be — which is the entire point.
The audit, step by step
1 — The backup still exists and still reads
- Physically retrieve your seed backup from its location
- Inspect it: every word legible, no corrosion, no damage (steel makes this step boring — that's the goal)
- Confirm the storage location itself is still sound — dry, private, undisturbed
2 — The backup still works
- Run your hardware wallet's recovery-check feature against the plate — the plate, not your memory
- Power on the device itself; confirm the PIN works and apply any firmware updates from the official app
- If you use a passphrase wallet, verify you can still access it (and that any escrowed copy of the passphrase is intact)
3 — The paper trail is clean
- Search your photos, cloud notes, and password manager for anything resembling the phrase — there should be nothing, but trust is not a verification method
- Check which devices and browser extensions can currently touch your hot wallets; remove what you no longer use
- Review exchange accounts: balances you meant to move to cold storage, security settings, stale API keys
4 — The people part still matches reality
- Re-read your inheritance letter: is the location current? Are the named people still the right people?
- Confirm your trusted person still knows a plan exists and where to start
- If anything big changed this year — moved house, new relationship, new holdings — update the letter today, not "soon"
The audit follows the same privacy rules as setup day: work alone, no cameras, no reading words aloud, nothing typed into a connected device except a wallet's official recovery-check flow. An audit that leaks the phrase is worse than no audit.
When the audit finds a problem
That's the system working. A faded word, a plate that got moved during a renovation and now sits somewhere worse, an inheritance letter naming someone no longer in your life — every one of these is a five-alarm crisis on the day you need the backup and a minor errand today. If the backup itself is compromised or uncertain in any way, the clean fix is the calm version of an emergency: generate a fresh wallet, make a new verified metal backup, move the funds, retire the old setup. An afternoon, not a tragedy.
If your current backup is the part that wouldn't pass inspection — still on paper, never verified, location you're not proud of — that's a fixable finding too. The Zero To Secure kit turns it into one careful session, and Lesson 04 is the walkthrough.
You've finished the course
Eight lessons, and notice what they add up to: not paranoia, but a short list of careful things done once, plus one hour a year of maintenance. That's the whole discipline. Self-custody isn't a lifestyle of fear — it's the quiet confidence of knowing exactly where your keys are, exactly what protects them, and exactly who could recover them if they had to. Welcome to the small group of people who can say all three.
Key takeaways
- Setups decay silently — a recurring calendar date is the countermeasure.
- Verify four things yearly: the backup reads, the backup works, the digital trail is clean, the people plan matches reality.
- Audit under the same privacy rules as setup day.
- A problem found in an audit is an errand; the same problem found in an emergency is a catastrophe.
- One careful setup plus one annual hour — that's the entire discipline.