LEDGER SETUP PROTOCOL

Official Getting Started & Critical Security Guide (V2.0)

01. Unboxing and Integrity Verification

Welcome to the first layer of digital security. Before connecting your device, physical verification is paramount. This initial procedure ensures your Ledger Nano has not been tampered with or compromised in transit. This is the foundation of the 'trust nothing, verify everything' security model. Examine the packaging: the plastic sleeve should be intact and the anti-tamper seals (if applicable to your model, e.g., Nano S Plus or X) must be perfectly flat and undisturbed. Any signs of tearing, previous opening, or re-sealing are a red flag. Only proceed if the physical packaging integrity is 100%. Never accept a device if the recovery sheet is pre-filled. The Ledger device itself does not contain any pre-installed private keys. The security element is blank until you perform the setup below. This step alone validates the security chain of custody.

Setup Environment Checklist

  • A quiet, private location where you will not be disturbed.
  • The official Ledger recovery sheets (paper) and a non-erasable pen.
  • A trusted, clean computer for installing Ledger Live.
  • Do NOT take pictures or screenshots during this process.

02. Initializing the Device and Setting Your PIN

Connect the Ledger Nano to your computer using the supplied USB cable. The device will power on and display a welcome message. The buttons (usually one on the left, one on the right, or both together to confirm) are your only interface. Navigate through the instructions until you reach the option to 'Set up as new device'. If the device prompts you to 'Restore from Recovery Phrase,' stop immediately; it is not new, and you must factory reset it before continuing. Setting the PIN code is the first security barrier. The Ledger screen will display numbers, and you use the left/right buttons to change the digit and both buttons to confirm the digit. The PIN must be between 4 and 8 digits. Choose a complex, non-obvious number (avoid dates of birth or sequential numbers). Remember this PIN; three incorrect entries will permanently wipe the device (though your funds are safe, recoverable only with the 24-word seed). Confirm the PIN a second time when prompted. This procedure ensures a physical action (button press) for every digit selection, minimizing the risk of digital compromise.

03. Generating the 24-Word Recovery Seed — The Master Key

This is the most crucial step. The device will generate and display 24 words, one after the other, forming your recovery phrase. This phrase is the cryptographic backup of your private keys and the only way to access your cryptocurrency if your Ledger device is lost, damaged, or stolen. Treat this phrase like cash, gold, or a highly sensitive document. As each word appears, **write it down meticulously** on the provided recovery sheet. Double-check the spelling of every single word. The words are from the BIP-39 word list, and the order is critically important. A single mistake in spelling or sequence renders the entire backup useless. Use a pen that won't smudge or fade. Do NOT use a pencil. Once all 24 words are written, the device will prompt you to verify the phrase. You will be asked to confirm specific words (e.g., "Word 12 is..."). Use the buttons to navigate and select the correct word on the screen. **This verification step is non-negotiable.** It is the only way to be 100% certain you have recorded the phrase correctly. Never skip this verification step. After successful verification, the device will confirm, "Your device is ready." At this point, **immediately store the physical recovery sheet in a secure, fireproof, and waterproof location, separated from the Ledger device itself.** Never, under any circumstances, take a picture of it, email it, store it in a cloud service, or type it into any electronic device, even if encrypted. The entire security model relies on this phrase *never* interacting with a connected environment.

Mnemonic Security Drill:

If you are asked for your 24-word phrase by *anyone* (a support agent, a website, an application), it is a scam. Ledger will **never** ask for your seed phrase. Only enter the phrase when restoring a device (factory reset or new device) and only directly onto the Ledger hardware screen, never on a computer keyboard.

04. Integrating with Ledger Live and Receiving Funds

Ledger Live is the official desktop and mobile application that acts as the secure interface for your device. Download it ONLY from the official ledger.com website. Install the application and open it. The application will walk you through three checks: the genuine check, the PIN check, and the Recovery Phrase check. The genuine check uses a cryptographic challenge to ensure your hardware is authentic and running genuine Ledger firmware. This is a critical security step and should never be skipped. Once set up, you need to install the applications for the cryptocurrencies you wish to manage (e.g., Bitcoin, Ethereum, Solana). Navigate to the 'Manager' section in Ledger Live, connect and unlock your Ledger device with your PIN, and install the required apps. To receive funds, click 'Receive' for the desired crypto account. Ledger Live will display an address. The final and most vital check: **The address displayed on your computer screen MUST be verified against the address displayed on your Ledger Nano device.** The Ledger screen is tamper-proof and the only trustworthy source. If the addresses do not match, discontinue the transaction immediately, as your computer may be compromised by malware designed to swap wallet addresses. This step, known as **On-Device Address Verification**, confirms that the secure chip has generated the address, not the potentially compromised computer.

05. The 25th Word: Advanced Passphrase Security

For users requiring the absolute highest level of plausible deniability and security, Ledger supports the "Passphrase" feature, often referred to as the 25th word. This is an entirely new, custom word (or sentence) that you create. It acts as a powerful modifier to your 24-word recovery phrase, creating a completely separate, hidden set of private keys and a new wallet. This feature is typically used as a protective layer against sophisticated threats, such as a physical attack where an attacker coerces you into unlocking your device. You can set up one PIN for the main 24-word wallet (the 'decoy' wallet) and a separate PIN that, when entered, requires the 25th word, unlocking the highly secure, hidden wallet where the bulk of your assets are stored.

**How it works:** The 24 words generate the *Master Seed*. When you add a Passphrase (25th word), it cryptographically modifies the Master Seed to create a *Hidden Seed*. The Hidden Seed controls all the accounts you access under that specific Passphrase.

**CRITICAL WARNING:** This 25th word is **NOT** recorded on your 24-word recovery sheet. It must be memorized or stored separately and securely. If you forget this 25th word, the funds associated with the hidden wallet are irrevocably lost, even if you still have your 24-word seed. Only use this feature if you fully understand its security trade-offs and risks, as it introduces a new point of failure (the passphrase memory/storage). The security is immense, but the complexity increases proportionally. Always test restoring access to the hidden wallet on a secondary device before relying on it for large holdings.