This is the walkthrough I’d hand someone who just got the box. It’s the steps in order, the decisions that matter at each step, and the parts most YouTube setup videos skip — anti-tamper-bag inspection, firmware-signature verification, the address-check habit, and the seed-backup-test protocol that prevents the most common “I lost everything” stories.
If you’re still deciding which model, our hardware wallet 2026 buying guide covers the Safe 5 vs Safe 3 vs Coldcard Mk4 vs BitBox02 question. This page assumes you’ve already chosen the Safe 5 and the box is in front of you.
TL;DR. Inspect the anti-tamper packaging. Boot the device offline. Verify the firmware signature shown on the device matches Trezor’s published value. Generate the seed on the device — never type a seed in from elsewhere on day one. Write the 24 words on the supplied card, then immediately stamp them on steel. Send a tiny test amount in, send it back out, verify the address on the device screen before approving. Set up the passphrase only if you understand the failure modes. Estimated time end-to-end: 45-90 minutes the first time.
Before you open the box
A few decisions to make before you open anything:
Are you using Bitcoin-only firmware? The Safe 5 ships with multi-asset firmware by default. Within the first 10 minutes you’ll be asked whether to flash the Bitcoin-only firmware variant. The verify-positioned answer is yes — Bitcoin-only firmware has a smaller attack surface, no incentive for the vendor to add experimental coin-management features that could leak keys, and a more conservative update cadence focused only on Bitcoin protocol changes. The trade-off is that you’ll have to re-flash later if you ever want to manage a non-Bitcoin asset on the same device (which you shouldn’t, but the option exists).
Where will you store the seed? Decide this now, not after you’ve written the seed on the supplied card and put it in a drawer “temporarily”. The default recommendation is a steel backup plate; the BIP-39 recovery phrase guide walks through the threat ladder if you’re unsure. The Trezor Keep Metal 24-word product is purpose-built for this and ships flat-packed in $50-100 territory.
Are you using a passphrase? This is the BIP-39 “25th word” — a salt that turns your 24-word seed into a different wallet entirely. It’s powerful (plausible deniability, decoy wallet) and it’s how people lose Bitcoin (forgotten passphrases). If you’re not certain you can memorise it AND record it separately AND test the recovery, don’t set one up on day one. You can add one later; you can’t recover one you forgot.
Step 1 — Inspect the anti-tamper packaging
The Safe 5 ships in a sealed cardboard box with a holographic tamper-evident seal on the inner package. Before you do anything else:
- Check the holographic seal is intact and matches the photos on trezor.io (Trezor publishes reference photos). A re-sealed package will usually show a glue line or fingernail-edge damage.
- Compare the serial number on the device (visible through the inner window) to the one on the outer box.
- If anything looks off — re-glued seal, mismatched serials, device that boots into an unexpected state — don’t continue. Photograph the issue, contact Trezor support, and return it. A compromised device at first boot is a wallet-drained-at-first-deposit story.
Supply-chain attacks on hardware wallets are rare but documented. The anti-tamper inspection is a 30-second step that closes the most realistic supply-chain attack vector.
Step 2 — Boot the device offline
Connect the Safe 5 to a clean USB-C cable. Don’t plug it into the laptop you use for everything. A laptop with browser extensions, random apps installed, and a history of compromised downloads is exactly what the hardware wallet is supposed to defend you against — and on day one, when the seed is being generated, is when the threat model is at its peak.
Ideal: use a freshly-installed laptop, or one you’ve wiped recently. Acceptable: a daily-driver laptop with no browser extensions enabled and no random apps running. Avoid: the same laptop you use for trading on exchanges and clicking links in Discord.
When the device boots, you’ll see Trezor’s logo and a prompt to install firmware. The device ships without firmware, by design — this is so that the firmware path is freshly downloaded at first boot and the vendor can’t pre-install something compromised.
Step 3 — Install and verify firmware
Trezor Suite (the official desktop app) will prompt you to install firmware. Before you click install:
- Download Trezor Suite from trezor.io/trezor-suite — not Google, not an “official mirror”, not a link from any Discord or email.
- Verify the SHA-256 hash of the installer using our wallet installer SHA-256 verifier. This catches the April 2026 Apple App Store counterfeit Ledger Live scenario where a fake installer impersonates the real one. Trezor publishes signed hashes; verify them before you run anything.
After the firmware installs, the device itself will display a firmware fingerprint — a hash of the firmware that was actually flashed. Compare it to the fingerprint Trezor publishes for that release on trezor.io. If they match, the firmware is genuine. If they don’t, you have a compromised firmware path and should not continue with this device.
This step is the single most-skipped step in setup videos and the single most-important defence against a sophisticated supply-chain attack. It takes 90 seconds.
Step 4 — Choose your firmware variant
After the initial firmware install, Trezor Suite asks whether you want to switch to Bitcoin-only firmware. Choose this.
The Bitcoin-only firmware:
- Removes code paths for non-Bitcoin assets, reducing the attack surface
- Locks the device to Bitcoin operations only — you cannot accidentally interact with a malicious altcoin dApp
- Receives updates focused on Bitcoin protocol changes specifically (Taproot improvements, fee-rate work, etc.)
- Identifies you as a serious Bitcoin self-custodian to the vendor, which matters less than the technical benefit but matters
The flash takes about a minute. The device will show a fresh firmware fingerprint after the variant swap — verify this one too.
Step 5 — Generate the seed on the device
The Suite will offer two options: Create new wallet or Recover existing wallet. Choose Create new.
The device generates 24 words using its on-board hardware RNG. This is the only step where physical randomness needs to be good. The seed is computed on the secure element and never leaves it.
The 24 words display on the device screen, one or two at a time. Write them on the supplied recovery card (the cardboard one in the box) as they appear. Write clearly. Number each word. Double-check by reading them back from the card to the device screen before pressing Continue.
The device then asks you to verify by selecting specific words back (e.g., “what was word 7?”). This is the device confirming you wrote the seed correctly. Take the verification seriously — if you wrote the wrong word and it asks you to confirm word 7, you’ll get word 7 wrong and the seed in the device will not match your card. Better to fail this verification step and re-do it than to ship a wrong seed onto your steel plate hours later.
When the verification passes, the seed is set. The device will erase the screen-displayed seed (it’s gone from the device’s display memory — it still exists on the secure element). You now have:
- 24 words written on the recovery card in your hand
- 24 words inside the secure element of the device
- No other copy anywhere
Don’t take a photo of the card. Don’t type the words into anything. Don’t read them aloud. Every one of those actions creates a copy that you can’t control.
Step 6 — Move the seed to steel within 24 hours
The supplied cardboard card is a starting point, not a backup. Cardboard burns, soaks through, and decomposes. The single highest-ROI security upgrade in self-custody is moving the seed to steel before you fund the wallet.
The protocol I follow:
- Same day: stamp the 24 words onto a steel backup plate. Trezor Keep Metal 24-word is purpose-built; alternatives include Cryptosteel, Blockmit, and Coldti.
- Same day: physically destroy the cardboard card (shred it, burn it, soak it in bleach). Don’t keep both — the cardboard becomes the weakest link, and your security is at the weakest-link level.
- Within 48 hours: stash the steel plate in its primary location (a fireproof safe at home, a safety deposit box, or a trusted family member’s house).
- Within a week: make a second steel copy stored in a geographically separated location.
This step is where most self-custody disasters happen — people leave the cardboard in a drawer “temporarily” and three years later realise it’s gone. The 24-hour rule is a forcing function.
Step 7 — Send a tiny test, verify on the device screen
Before you fund the wallet with anything meaningful:
- Generate a receive address in Trezor Suite. The device will display the same address on its own screen. Verify the two match, character by character. If they don’t match, your computer is showing you a malicious address — close the Suite, do not continue.
- Send a small amount to the address — a few thousand sats is enough. Confirm it arrives.
- Send the same amount back out to a wallet you control. When the Suite shows you the destination address, the device screen will also show the destination. Verify they match before approving on the device. Approve only if they match.
You’ve now done the full receive-and-send cycle. You’ve verified that:
- The seed correctly derives addresses
- The device-screen verification habit works
- Trezor Suite is honestly displaying addresses
This test transaction is the single best protection against the wallet-drainer attack patterns documented in our drainer red flags guide. Once you’ve done it twice, the address-verify-on-device habit is muscle memory. Until you’ve done it, it’s theoretical.
Step 8 — Optional: set up a BIP-39 passphrase
If you understand what a passphrase does, how it can kill you, and how to recover one — set one up now. The relevant section in our BIP-39 security guide goes through the trade-offs.
The short version: the passphrase creates a second wallet from the same 24-word seed. Useful for plausible deniability (decoy wallet at no-passphrase, real stack at passphrase) and for defending against partial seed compromise. Dangerous because forgetting it is irreversible.
If you set one up:
- Memorise it AND record it on a separate physical medium (e.g., a second steel plate, in a different location from the primary)
- Test the recovery with the passphrase BEFORE funding the wallet — see step 9
- Never store the passphrase with the seed; it stops being a passphrase if you do
If you don’t set one up: that’s fine. A standard 24-word seed in a steel plate is the right level of paranoia for most self-custody.
Step 9 — Recovery-test before you fund
This is the step nobody does and everyone regrets not doing.
The protocol:
- Wipe a different hardware wallet, or use a software wallet (Sparrow, Electrum) on a freshly-installed air-gapped laptop.
- Enter the 24 words. If you set a passphrase, enter that too.
- The wallet should derive the same first 5 receive addresses as your primary Trezor Safe 5.
- Verify the addresses match character-by-character. They have to be identical, not “look similar”.
- Don’t move funds. This is a verification, not a migration. Wipe the test device when done.
If the addresses match: your seed is correctly written, your passphrase (if any) is correctly recorded, and you can fund the wallet with confidence. If they don’t match: you have a problem you need to find now, with $0 at stake, rather than five years from now when you actually need the recovery and your house has burned down.
I cannot count the number of people I’ve talked to who never did this step and discovered years later that they had a typo in word 9 of their seed phrase.
Step 10 — Now you can fund it
Send Bitcoin to the wallet. The verification habit you built in step 7 is the muscle memory that prevents the most common drainer patterns.
Going forward:
- Verify every receive address on the device screen before sharing it
- Verify every spend destination on the device screen before approving
- Keep the device firmware up to date, and re-check the firmware fingerprint after each update
- Re-do the recovery test annually (with a wiped secondary device, not the primary)
What this walkthrough deliberately doesn’t include
A few things this guide skips on purpose:
- DeFi connections. The Safe 5 supports Web3 connections via WalletConnect. Don’t enable them on day one. Live with the device for a few months on Bitcoin-only first.
- Multi-account / hidden wallet setup beyond a single passphrase. These features exist; they add complexity; most users don’t need them initially.
- Custom derivation paths. The default BIP-84 (native SegWit) and BIP-86 (Taproot) paths are correct for almost everyone. Don’t change them unless you have a specific reason and have tested recovery on the custom path.
A simpler setup that you understand and have recovery-tested is dramatically more secure than a complex setup that you almost-understand and have never recovered from.
Related reading
- Hardware wallet 2026 buying guide — if you’re still choosing between Safe 5 / Safe 3 / Coldcard / BitBox02
- BIP-39 recovery phrase — the security bible — the seed-storage section in depth
- Cold storage 2026 — hardware vs multisig vs SeedQR — when single-device setups stop being enough
- Wallet drainer red flags 2026 — the attack landscape this setup defends against
- Wallet installer SHA-256 verifier — the verification tool referenced in step 3
- BIP-39 validator — the validator referenced in step 9
- Trezor Safe 5 review — first-person review of the device this guide sets up