Wallets, keys, and seed phrases

Owning cryptocurrency means managing cryptographic keys. A "wallet" is software or hardware that stores your private keys, signs transactions on your behalf, and displays your balances. This chapter covers the full spectrum of wallet security: from convenient hot wallets that keep keys online, to hardware wallets that isolate keys from the internet, to advanced schemes like multi-signature accounts and account abstraction that add layers of protection.

Key management is not glamorous. It lacks the appeal of trading strategies or macroeconomic arguments. But it is fundamental. The theft of a private key cannot be reversed. A lost seed phrase means lost access to funds forever. The cost of secure key management is far lower than the cost of poor key management.

This chapter provides the knowledge required to secure cryptocurrency holdings at any scale—from personal savings to institutional custody. You'll learn why seed phrases exist, how hardware wallets work, when multi-signature addresses are appropriate, how key derivation enables multiple addresses from a single seed, and how to structure inheritance to protect assets across generations.

Hot wallets vs. cold wallets

A hot wallet is connected to the internet. It signs transactions on networked devices (computers, phones). Convenience is high; security is lower. Hot wallets are suitable for funds you actively spend or trade. They're unsuitable for long-term savings or large holdings.

A cold wallet never connects to the internet. Private keys are stored offline. Transactions are signed without network access, then broadcast separately. Cold wallets are slower to use but far more secure. They're the standard for holding significant cryptocurrency.

The simplest cold wallet is a hardware wallet—a specialized device (resembling a USB drive) that generates keys, stores them in tamper-resistant hardware, and signs transactions internally. The device communicates only the public key and transaction signature to the network, never the private key. This design means an attacker would need physical access to the device to steal funds.

Hot wallets and cold wallets are not better or worse; they serve different purposes. A professional cryptocurrency holder uses both: a small hot wallet for immediate spending, a hardware wallet for stored savings.

Seed phrases and BIP39

Your private key is a 256-bit number. This is difficult to remember or write down reliably. Seed phrases solve this through a standard called BIP39 (Bitcoin Improvement Proposal 39).

A seed phrase is a sequence of 12 or 24 English words, derived cryptographically from a random number. This phrase can be converted back into the original number, which generates your private key and all derived keys. A 12-word seed phrase encodes 128 bits of entropy; a 24-word phrase encodes 256 bits.

The elegance of seed phrases is that they're memorable and writeable. A 12-word phrase is difficult to forget; it's also nearly impossible to guess (there are 2^128 possible 12-word combinations). If you memorize or carefully write down your seed phrase, you can recover your private keys even if your wallet device is destroyed.

But this same property makes seed phrases dangerous. Anyone with access to your seed phrase can generate your private keys and drain your account. Seed phrases must be stored offline, ideally in multiple secure locations. Never take a screenshot. Never store them in cloud services. The most reliable method remains writing the words on durable paper and storing it in a safe.

Key derivation and hierarchical deterministic wallets

A single seed phrase can generate billions of private keys. This is possible through a standard called BIP32 (hierarchical deterministic wallets), which specifies how to derive child keys from a parent key.

In practice, this means one 12-word phrase generates your Bitcoin address, your Ethereum address, multiple Bitcoin addresses for receiving payments, and backup addresses if one address is compromised. All of these are mathematically derived from the same seed.

Key derivation enables powerful security patterns: you can generate a public-key-only "watch wallet" that displays your balances and creates unsigned transactions, without ever touching your private keys. A separate device (hardware wallet) signs the transactions. This architecture minimizes the exposure of private keys while maintaining full functionality.

For businesses and institutions, key derivation enables organizational structures: a master key holder can generate keys for individual traders, each with their own address and transaction authority, all mathematically recoverable from the master seed.

Multi-signature accounts

A multi-signature address (or "multisig") requires multiple signatures to authorize a transaction. A common scheme is "2-of-3": three parties each hold private keys, but only two signatures are required to move funds.

This design is powerful for institutional custody. A company might split control between three executives, ensuring that one person cannot steal funds unilaterally but two people together can authorize transactions. For inheritance, a multisig account can require the widow and an executor to both sign before funds move, reducing the risk of fraud.

Multi-signature accounts are also used for security: you might hold one key yourself, another on a hardware wallet, and the third in a secure safe. An attacker would need to compromise two of the three sources to steal funds. This creates layered security that's far superior to a single key.

The tradeoff is complexity. A multisig account requires coordination between parties and careful key management. For personal holdings, a single hardware wallet is often more practical. For institutional holdings or inheritance, multisig adds irreplaceable security.

Account abstraction and modern wallet patterns

Newer blockchain systems like Ethereum are moving toward account abstraction: a model where accounts are simply smart contracts, capable of arbitrary logic rather than being bound to a single private key.

This enables innovations like social recovery (your friends can help you recover access to your account if you lose keys), multi-signature authorization, spending limits, and time-locked transfers. A wallet can require both a biometric and a hardware key before approving transfers above a threshold. Another wallet can automatically revert a transaction if it looks suspicious.

Account abstraction is still emerging. Most users today rely on traditional key pairs and seed phrases. But understanding this trend reveals the direction of wallet security: moving from "one key controls everything" toward "rules govern what transactions are allowed," with multiple redundancies and recovery mechanisms.

Inheritance and key succession

Cryptocurrency holdings must outlive the holder. Unlike bank accounts, which institutions transfer to beneficiaries upon death, cryptocurrency accounts have no failsafe. If you die without sharing private keys or seed phrases, your cryptocurrency is locked away permanently.

Professional practice requires inheritance planning: documenting your seed phrases and wallet locations in a way that survives your death. Common approaches include secure safes (key in home safe, instructions with attorney), multisig schemes (beneficiaries hold keys cooperatively), and timelocked contracts (funds automatically transfer to beneficiaries if no activity occurs for a set period).

These practices are not paranoid—they're standard among high-net-worth cryptocurrency holders. The irreversibility of lost keys creates a fiduciary duty to ensure successor access.

The security spectrum

This chapter emphasizes a core principle: security is not binary. It's a spectrum from convenience to protection. A hot wallet is convenient but vulnerable. A single hardware wallet is secure but has single-point-of-failure risk. A 3-of-5 multisig with keys distributed geographically is highly secure but requires coordination.

The right choice depends on the amount held, the holder's technical sophistication, the frequency of transactions, and the risk tolerance for loss versus theft. Understanding these tradeoffs enables you to structure your key management appropriately.

The articles below explore each wallet type in depth: how to set up and secure a hardware wallet, how seed phrases work and should be protected, how multisig addresses function and when they're justified, and how to plan for inheritance and account recovery.

Articles in this chapter