Sounds about right.

Utilise a seed + passphrase for plausable deniability, or a multisig distributed over different locations so that it's impossible to forfeit keys even when under duress.

Some signing devices also have a "brick me" PIN, which might be worth setting up too.