Passport

Why Passport?

Bitcoin is sovereign money; it gives you ownership over your own financial destiny. There is a common expression in the Bitcoin world: not your keys, not your coins! Whether you own Bitcoin as an investment, as a censorship-resistant currency, or as a convenient way to transact on the Internet, it is important that you store your own private keys (and we can help with that).

Exchange hacks and losses of funds are common occurrences in the Bitcoin world, and no exchange is too big to fail. The more Bitcoin owned by a single exchange, the larger the incentive for attackers to try to steal your coins – whether external hackers or malicious insiders.

All hardware wallets make tradeoffs between usability, security, and openness. Below is a brief explanation of the tradeoffs from the leading hardware wallet vendors.

Ledger’s hardware and firmware are closed source, with a closed source operating system running on the device. This makes it more difficult for security researchers to discover vulnerabilities that may exist on Ledger’s hardware. Many find Ledger devices difficult to use, as there are only two buttons to navigate and a small screen. And Ledger devices are not airgapped; they use USB and/or Bluetooth. This has been shown to cause certain vulnerabilities.

Trezor’s hardware and firmware are Open Source, but they do not use a security chip (more specifically a secure element). This means that an attacker can extract the private keys in only 15 minutes with commonly available hardware (this can be mitigated by using a strong passphrase).

Coldcard has, in our opinion, the best security model, with source available hardware and firmware plus a secure element for storage of private keys. Coldcard also has great security features, such as a phishing-resistant PIN entry process and security lights. However, Coldcard is designed for the hardcore Bitcoiner and is challenging for normal users. Passport uses the same security architecture as Coldcard, with Open Source hardware and firmware plus a secure element, but places a significant emphasis on intuitive design and ease-of-use.

Passport’s larger display, alphanumeric keypad, and navigation pad create a pleasant user experience. Its camera and microSD slot ensure airgapped operation, and its rechargeable, removable lithium-ion battery means you don’t need to be tethered to a wall outlet or external battery pack to use it.

For new users, Passport is designed to be intuitive and approachable. The navigation pad and familiar interface make it easy to set up and use Passport. If you’ve previously found hardware wallets to be intimidating or difficult, we think you’ll have a better experience with Passport.

For expert users, Passport uses the same general security architecture as Coldcard and Bitbox02, but introduces (1) rechargeable + removable batteries and (2) a camera for more convenient airgapped transactions. Passphrase entry is also a breeze with Passport’s alphanumeric keypad.

Bitcoin is Open Source software, and we believe Open Source software should run on open source hardware. Bitcoin necessitates a completely new type of hardware security model – since transactions are immutable, there is no recourse if your Bitcoin are stolen or lost. Today’s hardware is mostly closed source and uses proprietary designs with confidentiality agreements.

This model worked in a world where thefts could easily be reversed by your bank or credit card company. But in a Bitcoin world, this model is fundamentally broken. Open Source hardware means that security researchers can more easily identify vulnerabilities in our products. It also means that we can adopt best practices from other Open Source hardware projects – and other Open Source hardware projects can adopt our best practices too! This leads to a healthy, more secure hardware ecosystem and means that your Bitcoin will be safer.

Passport Features

Please see here for a detailed breakdown of the Passport menu structure.

Passport makes it easy to segregate your Bitcoin into different ‘sub-wallets’ or ‘sections’ for different purposes. These ‘sections’ or ‘sub-wallets’ are called ‘Accounts’. Passport is capable of generating as many as you need, with all Accounts being included in the encrypted backup file. Passport accounts follow the BIP-32 standard, meaning any account derived can also be re-applied in any other compatible wallet using only your seed words.

Upon setup, Passport begins with just one ‘Primary’ account. To add additional accounts to Passport, move right with the directional pad until you see the MORE menu.

Passport, by design, has no ability to communicate directly with the outside world. This creates an optimum security model, making remote attacks impossible, but also means that it has no way of knowing when any of its Bitcoin addresses have received a transaction. For this to happen, Passport must be connected or ‘paired’ with a software wallet that runs on an internet-connected device like a phone or computer.

As part of this connection process, the software wallet is given enough information to monitor (using its internet connection to the rest of the Bitcoin network) all of the receive addresses Passport can generate.

Crucially, this software wallet does not have enough information to spend any Bitcoin. This authority remains firmly with Passport.
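One way this split works under BIP-32, which Passport accounts follow, shown as an added example (not Foundation's code; the seed is a constructed sample and the `m/account'/0/i` path is a simplification): the watch-only side derives receive public keys from a public key and chain code alone, and they match what the device derives from its private keys.

```python
import hashlib
import hmac

# secp256k1 domain parameters
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
HARDENED = 0x80000000

# Constructed sample input (the public BIP-32 test seed). Never use for funds.
SEED = bytes.fromhex("000102030405060708090a0b0c0d0e0f")


def point_add(a, b):
    """Add two curve points; None is the point at infinity."""
    if a is None:
        return b
    if b is None:
        return a
    (x1, y1), (x2, y2) = a, b
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if a == b:
        lam = 3 * x1 * x1 * pow(2 * y1 % P, -1, P) % P
    else:
        lam = (y2 - y1) * pow((x2 - x1) % P, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def point_mul(k, pt=G):
    """Double-and-add scalar multiplication (not constant time; demo only)."""
    acc = None
    while k:
        if k & 1:
            acc = point_add(acc, pt)
        pt = point_add(pt, pt)
        k >>= 1
    return acc


def compress(pt):
    """33-byte compressed public key encoding."""
    return bytes([2 + (pt[1] & 1)]) + pt[0].to_bytes(32, "big")


def hmac512(key, data):
    return hmac.new(key, data, hashlib.sha512).digest()


def master_from_seed(seed):
    i = hmac512(b"Bitcoin seed", seed)
    return int.from_bytes(i[:32], "big"), i[32:]


def ckd_priv(k_par, c_par, index):
    """Private child derivation. The rare invalid-key cases are not handled."""
    if index >= HARDENED:
        data = b"\x00" + k_par.to_bytes(32, "big")
    else:
        data = compress(point_mul(k_par))
    i = hmac512(c_par, data + index.to_bytes(4, "big"))
    return (int.from_bytes(i[:32], "big") + k_par) % N, i[32:]


def ckd_pub(K_par, c_par, index):
    """Public child derivation: needs no private key, non-hardened only."""
    if index >= HARDENED:
        raise ValueError("hardened children need the parent private key")
    i = hmac512(c_par, compress(K_par) + index.to_bytes(4, "big"))
    return point_add(point_mul(int.from_bytes(i[:32], "big")), K_par), i[32:]


def export_watch_only(seed, account=0):
    """Device side: hand over only the account public key and chain code."""
    k, c = master_from_seed(seed)
    k_acct, c_acct = ckd_priv(k, c, HARDENED + account)
    return point_mul(k_acct), c_acct


def watch_receive_pubkeys(K_acct, c_acct, count):
    """Watch-only side: receive-chain public keys from public data alone."""
    K_ext, c_ext = ckd_pub(K_acct, c_acct, 0)
    return [compress(ckd_pub(K_ext, c_ext, i)[0]).hex() for i in range(count)]


def device_receive_pubkeys(seed, count, account=0):
    """Device side: the same keys, derived through the private keys."""
    k, c = master_from_seed(seed)
    k_acct, c_acct = ckd_priv(k, c, HARDENED + account)
    k_ext, c_ext = ckd_priv(k_acct, c_acct, 0)
    return [compress(point_mul(ckd_priv(k_ext, c_ext, i)[0])).hex()
            for i in range(count)]


if __name__ == "__main__":
    K, c = export_watch_only(SEED)
    for watch, dev in zip(watch_receive_pubkeys(K, c, 3),
                          device_receive_pubkeys(SEED, 3)):
        print(watch, "match" if watch == dev else "MISMATCH")
```

The exported public key and chain code cannot sign, but they do reveal every receive address in the account, so they are privacy-sensitive.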

First you’ll need to initiate Passport, then connect it with a compatible wallet software such as Envoy. From there, receiving Bitcoin directly to your Passport wallet is as simple as tapping ‘Receive’ in the connected wallet software and sharing the generated receive address with the person wanting to send you Bitcoin.

As mentioned above, Passport has no ability to communicate directly with the outside world. Your chosen software wallet monitors for incoming transactions and has the ability to create spend transactions for Passport to authorize. This information is shared to and from Passport via one of two methods. Which you use will depend on your preference and chosen wallet software. We recommend using QR codes as the default and easiest solution wherever available.

After setting up Passport, connecting it with your chosen software wallet, e.g. Envoy, and receiving some Bitcoin to your Passport wallet, you can choose to authorize transactions via QR codes or microSD. See the transaction signing flow using QR code and Envoy here.

A passphrase is an additional word or combination of words that can be added to your mnemonic seed as an additional layer of security against physical attacks. Passphrases are not passwords. They do not grant access, instead, when applied, they are used as one of the pieces of information that constructs a wallet. Without the exact same passphrase, you cannot reconstruct a wallet.

A passphrase can be as short or as long as you like and can contain any combination of letters (upper and lower case), numbers or special characters. Passphrases are case and order sensitive; for example, Passphrase123, 123passphrase, passphrase123 and 123Passphrase will each result in a completely different wallet with its own set of accounts and unique addresses.

All passphrases are valid. Please exercise extreme caution when using them.

Passphrases are never stored on Passport, or in any encrypted backup. To access your passphrase wallet(s), you need to enter it into Passport upon boot.

To apply a passphrase to Passport, move right with the directional pad until you see the MORE menu. You can also read our in-depth article on passphrases to learn more.
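An added example (not Foundation's code) of why every passphrase opens a different wallet, assuming standard BIP39 seed derivation and a constructed test mnemonic: the passphrase is part of the PBKDF2 salt, so there is nothing to check it against and a one-character typo silently produces another valid seed.

```python
import hashlib
import unicodedata

# Constructed sample: the all-zero-entropy mnemonic from the public BIP39
# test vectors. Never use it for real funds.
MNEMONIC = ("abandon abandon abandon abandon abandon abandon "
            "abandon abandon abandon abandon abandon about")

# The four variants named in the text, plus no passphrase and a typo.
CANDIDATES = ["", "Passphrase123", "123passphrase", "passphrase123",
              "123Passphrase", "Passphrase124"]


def bip39_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """BIP39 seed: PBKDF2-HMAC-SHA512, 2048 rounds,
    password = mnemonic, salt = "mnemonic" + passphrase (both NFKD)."""
    def norm(s: str) -> bytes:
        return unicodedata.normalize("NFKD", s).encode("utf-8")
    return hashlib.pbkdf2_hmac(
        "sha512", norm(mnemonic), norm("mnemonic" + passphrase), 2048, dklen=64
    )


def wallet_tags(mnemonic: str, passphrases) -> dict:
    """Map each passphrase to a short hex tag of the 64-byte seed it yields.
    No input is ever rejected: the derivation has no notion of 'wrong'."""
    return {p: bip39_seed(mnemonic, p).hex()[:16] for p in passphrases}


def demo() -> dict:
    tags = wallet_tags(MNEMONIC, CANDIDATES)
    for passphrase, tag in tags.items():
        print(f"{passphrase!r:18} -> seed {tag}...")
    return tags


if __name__ == "__main__":
    demo()
```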

We have a full page dedicated to backups, but here’s a quick primer.

Passport can create an Encrypted Backup of your Bitcoin wallet, as well as all accounts, names, multisig configurations and device settings onto any microSD card. This backup file uses the 7z encryption format and is protected by the 20-digit passcode shown to you at the time you create the backup.

The beauty of this type of backup is that you can keep the microSD card containing the encrypted backup at different location(s) that may not be suitable for the storage of traditional plain text seed words. Each microSD backup is useless to anyone without the 20-digit backup code to unlock it. The backup code should be stored in a separate secure location.

Updating the firmware on Passport will ensure your device benefits from the latest features and security updates. Our latest firmware versions are linked below and should only ever be downloaded from Envoy, our GitHub or this support site.

The easiest way to update your Passport firmware is via Envoy, our mobile companion app. Advanced users that want to manually download, verify and install their firmware can follow the instructions on our firmware updates page.

Your seed words can be viewed on device at any time after logging in with your 6-12 character PIN by going to Settings > Advanced > View Seed Words.

You can change your device PIN at any time after logging in with your current 6-12 character PIN. Simply head to Settings > Device > Change PIN.

The extensions menu on Passport offers a simple way to enable extra features on Passport. Enabling extensions from this screen creates menu items that allow you to use Passport with specific types of third party software.

Extensions are enabled and disabled in Settings > Extensions. Once enabled, each extension will have its own custom screen at the default menu level. To view them, scroll right from the Primary Account screen.

Yes, you can use Passport in stateless mode, where the device never saves its private key or seed words permanently to the device. You can also use a hybrid mode where you use the device in the typical fashion, with a single master set of seed words and accounts, but also use the Temporary Seed or Key Manager to temporarily interact with other wallets without them being permanently saved to the device.

Compatibility

Absolutely. Passport abides by the BIP39 Bitcoin wallet standard. This means that after setup, if you decide you want to use a different hardware or software wallet to manage your Bitcoin, all you need to do is import the 12 or 24 word seed from your Passport into your new wallet of choice.

No, Passport only supports Bitcoin. We do not have any immediate plans to support other cryptocurrencies, and are laser-focused on building the best Bitcoin hardware wallet.

We recently launched Envoy, our mobile companion app. Envoy offers the easiest and most intuitive way to set up and manage Passport. However, Envoy is completely optional and not a requirement to use Passport in any way.

Passport is designed instead to work with most popular Bitcoin wallets and services. This ensures that you have the ability to select your preferred software wallet, instead of being forced to use our software or services. And it also ensures that Passport strives for mass-compatibility with the Bitcoin ecosystem.

Passport is compatible with a range of mobile and desktop wallet software applications. This is achieved via the widely adopted PSBT (partially signed Bitcoin transactions) format.

See a full list, including video tutorials here.

Yes, Passport supports both single-sig and multisig PSBTs.

From version 2.3.0 Passport will display OP_Return transaction information when signing.

Security

Passport uses the same general security architecture as many other Bitcoin hardware wallets, with a processor by STMicroelectronics and a 608b secure element by Microchip. The Bitcoin private keys are encrypted on the processor and stored on the secure element to minimize trust in a single chip. All circuit designs and firmware are Open Source and auditable.

Passport is completely airgapped, with only a camera and microSD slot for communications, no wireless functionality of any kind. This is important because it closes off numerous attack vectors and ensures that Passport can never communicate directly with an Internet-connected device.

Our Founders Edition device is powered by AAA batteries, while Batch 2 devices use a removable and rechargeable standard form factor lithium-ion battery, typically found in older Nokia phones. This is charged via the power only USB-C port on the bottom of the device. This port is not capable of passing any data since the connectors inside the port required to do so are simply not there.

Foundation Devices is based in the USA, and we believe it is important to have as close a control over our supply chains as possible. By assembling Passport in the USA, we can ensure that (1) we are on the factory floor and closely overseeing assembly, (2) our manufacturers are held to higher regulatory and transparency standards.

Bitcoin represents sovereignty, privacy, and freedom. We believe it is important to build our products in jurisdictions which represent these same values. This is why Foundation will never assemble our products in China.

Purchasing

You can order Passport here or through one of our resellers.

We offer payments via credit card or Bitcoin. Credit card payments are processed by Stripe and Bitcoin payments are processed by our self-hosted BTCPay Server. Foundation encourages Bitcoin payments.

We also have a blog post on how you can purchase Passport more privately using Bitcoin.

Yes, Passport includes a one year warranty to cover manufacturing defects only. Accidental damage, such as drops or liquid exposure, is not covered. Nor is accidentally bricking the device!

You can read the entirety of the warranty offered with Passport here.

Envoy

Why Envoy?

Envoy is a Bitcoin mobile wallet and Passport companion app, available on iOS and Android. Download links available here.

Envoy is designed to offer the easiest to use experience of any Bitcoin wallet, without compromising on your privacy. With Envoy Magic Backups, set up a self custodied Bitcoin mobile wallet in 60 seconds, without seed words!

Passport users can connect their devices to Envoy for easy setup, firmware updates, and a simple Bitcoin wallet experience.

Get onboarded and set up with a new mobile wallet, complete with automatic backups, in under 60s! Get guided Passport setup and management and receive a notification when a new firmware update is available. You can even install it right from your phone!

Envoy also enables you to receive into your offline cold storage from anywhere in the world, or to build spend transactions, ready for authorization by Passport. Envoy will also notify you of company announcements such as blog posts, special offers, security upgrades or new hardware and software releases.

Magic Backups is the easiest way to set up and back up a Bitcoin mobile wallet. Magic Backups stores your mobile wallet seed (not your Passport seed) end-to-end encrypted in iCloud Keychain or Android Auto Backup. All app data is encrypted by your Envoy seed and stored on Foundation Servers.

Set up your mobile wallet in 60 seconds, and automatically restore if you lose your phone.

Magic Backups are completely optional for users that want to leverage Envoy as a mobile wallet. If you prefer to manage your own mobile wallet seed words and backup file, choose ‘Manually Configure Seed Words’ at the wallet set up stage.

The Envoy backup file contains app settings, account info and transaction labels. The file is encrypted with your mobile wallet seed words. For Magic Backup users, this backup file is stored fully encrypted on the Foundation server.

Manual backup Envoy users can download and store their backup file anywhere they like. This could be any combination of your phone, a personal cloud server, or on something physical like a microSD card or USB drive.

No, Envoy’s core features, including mobile wallet functionality, backups and Passport management will always be free to use. In the future we may introduce paid tiers or subscriptions for additional features.

Yes, like everything we do at Foundation, Envoy is completely Open Source. Envoy is licensed under the same GPLv3 license as our Passport Firmware. For those wanting to check our source code, click here.

Downloading and installing Envoy requires zero personal information. Envoy also offers users the ability to connect to the internet via Tor, a privacy preserving protocol. When enabled, this means that Foundation has no way of knowing who you are or even your approximate geographical location. Envoy also allows more advanced users the ability to connect to their own Bitcoin node to remove any reliance on the Foundation servers completely.

Envoy Features

Yes! From v1.7 you can now purchase Bitcoin within Envoy and have it automatically deposited to your mobile account, or any connected Passport accounts. Simply click the Buy button from the main Accounts screen.

Absolutely, there is no limit to the number of Passports you can manage and interact with using Envoy.

Yes, Envoy makes multi-account management simple.

Yes, Envoy connects using the Electrum server protocol. To connect to your own Electrum Server, scan the QR or enter the URL provided into the network settings on Envoy.

When a user opts to use Envoy over the Tor network, Envoy will display a Shield at the top of all main screens. The color or status of this shield dictates the current status of Envoy’s connectivity:

  • Shield is pulsating = Envoy is trying to establish a connection to Tor
  • Shield is solid = Envoy has successfully connected to Tor
  • No shield = Tor has been disabled from the settings
  • Shield is red = Envoy cannot connect to a user specified custom Electrum server

Learn more about Envoy and Tor here.

Envoy supports Coin Control, but not batching (yet).

Yes. Envoy has three fee settings for the user to choose from when spending: ‘Standard’, ‘Faster’ and ‘Custom’. Standard aims to get your transaction finalized within 60 minutes, faster within 10 minutes and the custom fee slider allows you to select any fee rate you like. These are estimates based on the network congestion at the time the transaction is built and you will always be shown the cost of both options before finalizing the transaction.

Compatibility

No, we pride ourselves on ensuring Passport is compatible with as many different software wallets as possible. See our full list, including tutorials here.

No, anyone is still free to manually download, verify and install new firmware. See here for more information.

Yes, just be aware that any wallet-specific information, such as address or UTXO labeling, will not be copied to or from Envoy.

This may be possible as most QR enabled hardware wallets communicate in very similar ways, however this is not explicitly supported. As Envoy is Open Source, we welcome other QR-based hardware wallets to add support!

At this time Envoy only works with ‘on-chain’ Bitcoin. We hope to support Lightning in the future.

Security

Anyone finding your phone would first need to get past your phone’s operating system PIN or biometric authentication to access Envoy. In the unlikely event they achieve this, the attacker could send funds from your Envoy Mobile Wallet and see the amount of Bitcoin stored within any connected Passport accounts. These Passport funds are not at risk because any transactions must be authorized by the paired Passport device.

If you use Envoy as a mobile wallet, where the private keys reside on your mobile phone, then an attacker would need to break your device PIN/biometrics and Envoy’s PIN/biometrics (if you enable this) to be able to spend funds. An Envoy wallet is mobile, meaning it’s something you take with you everywhere you go for day to day spends. We recommend never storing more funds in your Envoy wallet than you would physical cash in your traditional wallet. For everything above that limit, use Passport.

Envoy communicates predominantly via QR codes, however firmware updates are passed from your phone via a microSD card. Passport includes microSD adapters for your phone.

If used with a Passport, Envoy acts as a ‘watch-only’ wallet connected to your hardware wallet. This means Envoy can construct transactions, but they are useless without the relevant authorization, which only Passport can provide. Passport is the ‘cold storage’ and Envoy is simply the internet connected interface!

If you use Envoy to create a mobile wallet, where the keys are stored securely on your phone, that mobile wallet would not be considered cold storage. This has zero effect on the security of any Passport connected accounts.


Envoy Privacy

When you query any data on any Bitcoin explorer that is not your own, you are sharing information with the explorer provider. What information you share depends on the queries you make and how you connect to the explorer. For example, if you connect to an explorer using the traditional internet, without a VPN, and paste in a transaction ID, the explorer provider can theoretically tie together and store those pieces of information. The explorer provider learns that a person at X approximate geographical location (derived from your IP address) is interested in a certain address or transaction. If you make multiple queries from the same IP address, the provider can cluster them together.

If you choose to query a third party explorer like the one we host at Foundation, you should do so on a device running a VPN or with access to the Tor network. Both of these options will protect your IP address from us. Foundation does not log any requests made to our hosted explorer.


Passport Prime

Orders

Early Access units are estimated to ship at the end of March 2025. Pre-orders will be fulfilled as soon as all Early Access units are shipped.

We’ll be in touch via email around March 2025.

Of course. Please contact our support with your order number and requirements.

The Early Access Program (EAP) is a way for you to be one of the very first to get their hands on Passport Prime. The EAP is limited to 1000 units, which at launch will ship with the first beta version of our new operating system, KeyOS. As a sign of our appreciation for being one of the first to test Prime, we are giving all EAP customers 3 free gifts:

  • A lifetime subscription to Envoy+ (details on this page)
  • A free bumper case to protect your device
  • An extended no questions asked 2 year warranty

Early Access Program customers get an extended 2 year warranty. All other orders receive our standard 1 year manufacturing warranty.

This will be similar to the existing Passport Gen 2 and will be something similar to ‘electronic data storage device.’

Security

Passport Prime enforces device locking with a 6-12 digit PIN or an alphanumeric password. Passport Prime also has an anti-tamper feature that factory resets the device any time it detects that there has been an attempt to remove the screen, or tamper with the PCB or chassis in any way. This provides protection against advanced attackers that attempt to extract the private key from the device. As soon as there is a tampering attempt detected, all secrets are immediately erased.

That’s completely up to you, but if you want to leverage things like the 2FA codes or Security Keys apps to access your accounts on the go, then yes. Want to use the device in a more focused way, perhaps as a signer in a bitcoin multisig wallet? Perhaps you don’t need or want to daily carry.

The multi-functional nature of Passport Prime does bring with it a new set of security challenges, but we have set precautions in place to ensure maximum protection from most theoretical attacks presented by the device’s rich feature set and multiple connectivity options. These include:

  • Device hardware and software being open source.
  • The user has complete control over which apps they install and run.
  • Thanks to KeyOS, the device has full app sand-boxing. No app can communicate with, or see the data of, any other app on Prime without explicit permission from the user.
  • Each app receives its own hardened child key, completely removing the need for it to interact directly with the master key of the device.
  • All apps built for Prime, including any third-party apps featured in the Envoy app catalog, must be fully open source and reproducible.
  • QuantumLink encrypted Bluetooth running on a dedicated chip ensures that even if the chip were malicious, all it receives and sends are encrypted blobs of data.

That depends on how you prefer to use the device. The device has the capability to be plugged into your phone or computer to transfer files or sign transactions, but this is completely optional and not a requirement. If you prefer to use the device in a more focused way, perhaps by only ever using it to sign transactions via QR code, for example, you can.
At launch, Passport Prime’s QuantumLink Bluetooth connection will be a requirement for initial setup, connection to Envoy, and firmware updates. We plan to introduce other setup methods that do not require this later in 2025.

No. We still recognize the value of an air-gapped, more focused bitcoin-only device like Passport Gen 2 and will continue to develop and sell this alongside Passport Prime.

No. We believe that these alternative PINs cause more harm than good. There are many things that could go wrong with alternative PINs, notably:

  • User error: Users could get their PINs confused, leading to a loss of funds or accidentally wiping their devices.
  • Duress concerns: Well-researched assailants would know if the device possesses alternative PINs, and may therefore expect them. This could cause perverse incentives. For example, an assailant may expect that a duress PIN exists, while the user may not have set a duress PIN – which could lead to a violent outcome.
  • We also offer a passphrase feature for more advanced users who understand the security trade-offs.
  • Alternatively, advanced users can employ a multisig setup, with keys stored in different locations, in order to dissuade attackers in duress scenarios.

Disk encryption is implemented by applying sector-wise hardware-accelerated AES in XTS mode.

Features

At launch Envoy will be required for firmware updates, but users are free to then connect and interact with their Bitcoin wallets only via alternative applications. Not having the QuantumLink Bluetooth connection with Envoy will limit Prime’s functionality, but we will never prevent users from achieving this.
After launch we plan to add the option for users to update their firmware manually, without Envoy.

Apps are typically installed via the upcoming Envoy app catalog. Thanks to Passport Prime’s QuantumLink Bluetooth, app installation will be a very similar experience to the one you are used to with apps on your phone. Find the app you want in Envoy, tap install, everything then happens automatically over Bluetooth.

Absolutely not. You may want to direct install or ‘side load’ an app straight from a developer. We cannot and will never prevent users from being able to do this. In this scenario, you as the user would be responsible for ensuring the integrity of the app. You’d also need to install the corresponding developer pubkey so that Prime can verify the app signature upon installation.

All apps listed in the Envoy app catalog must be open source and fully reproducible. The Foundation team will also give each app a basic functionality check before listing, but due to the hardware level sand-boxing Passport Prime uses, a malicious app cannot access the data from any other app without prior permission from the user. Each app is also given its own child private key and has no access, at any time, to the master key.

Thanks to Passport Prime’s KeyOS operating system Prime has the capability to support any cryptocurrency application. As a small and focused bitcoin-centric team, we have no plans to produce these apps ourselves, but would love to hear from interested developers that want to build or integrate their app so that their customers can leverage our Passport Prime hardware for their assets.

Yes. At launch Passport Prime will have Bitcoin feature parity with Passport Gen 2.

All app installations are entirely optional. We also plan to allow users to remove any of the pre-installed applications, but this will not be ready at launch.

Passport Prime will have a touch keyboard that appears any time you open a text entry field.

Yes, with our Seed Vault app you can store, manage and sign with an unlimited amount of different seeds.

Not at launch, but the team behind the first 3rd party Prime application, Cake Wallet, have already expressed intent to add this to their Prime application.

Stateless mode allows your Passport Prime to be devoid of any sensitive information when not in use. This means that anyone with physical access to the device is unable to even attempt to remove any information from the device as there is none present. However, this does mean that you’d need to perform a recovery every time you want to use the device. This would include restoring the master seed as well as any additional metadata stored as part of the Magic Backup for Envoy+ users, or kept offline on an external storage medium for all other users.

Because Passport Prime is your digital Swiss-army knife, you’ll likely already have it with you, so no need to remember that USB drive to log into your important accounts. You can easily create and label multiple virtual FIDO2 keys, which can be easily backed up, unlike existing solutions that lack a backup method and force you to buy multiple devices for redundancy.
Thanks to Envoy+ and Magic Backups, your security keys are automatically encrypted and backed up for you. This means you don’t need to purchase multiple keys to back each other up. There is also no more fear of losing those USB sticks and locking yourself out of your accounts.

Passport Prime stores your 6-digit TOTP codes in an offline environment. Perfect for securing access to the most important accounts in your life.
Thanks to Envoy+ and Magic Backups, your TOTP codes are automatically encrypted and backed up for you.

After launching, our main focus is to finalize our developer SDK. This will open the door to all of the incredible developers who are keen to build their app for Passport Prime.
Alongside the SDK, our other key focus will be introducing support for more advanced Bitcoin features like MiniScript and Taproot-based multisig schemes.
Got a feature or app request? Be sure to make your voice heard in our community.

KeyOS

  • KeyOS is an advanced microkernel operating system developed in Rust, designed as a secure, open-source alternative to closed systems like Ledger’s BOLOS. KeyOS enables enhanced resilience and modularity by ensuring processes are self-contained to minimize system-wide vulnerabilities. Learn more about KeyOS in our blog post here.
  • KeyOS ensures apps run in secure sandboxes, preventing malicious or buggy apps from compromising the system.
  • KeyOS ensures processes interact through controlled, secure message-passing, reducing attack risks.

Yes, KeyOS is fully open source and will be licensed under GPLv3. The source will become public on our GitHub before we ship any units to customers.

Hardware

Passport Prime is ‘water resistant’, and potentially even waterproof to a certain depth pending certification. To achieve this we must use an internal battery with an adhesive gasket.

We expect a minimum of 5-year battery life, but in the future, we plan to offer a kit for users to replace their batteries at home. The device will always work when plugged directly into a power source, irrespective of the battery health.

We expect Passport Prime’s battery to last 2-4 weeks with typical daily usage.

There are diminishing returns for multiple SEs; for example, is it better to have 1 or 10? At some point, it doesn’t matter. We have one separate SE because we are using a specific security microprocessor, the Microchip SAMA5D2 series, which is almost like an SE itself. The processor includes features like ARM TrustZone (to which we are bringing KeyOS in 2025), active anti-tamper, and more.

The main seed is split between the SAMA5D2 MPU and the 608C Secure Element but, in fact, the seed itself is not even stored on Passport Prime. Instead, we store the value XORed with a hash of the user’s PIN or password. This means that even an attacker who managed to get complete access to the MPU and Secure Element would still need to brute-force the hash and then check the Bitcoin blockchain for transactions.

Passport Prime does not have a fingerprint reader. It will be unlocked by either a 6-12 digit PIN or an alphanumeric password.

We source our parts from all over the world, but Passport Prime is proudly assembled, provisioned, and quality checked at our facility in New Hampshire, U.S.A.

Connectivity

QuantumLink is our encrypted and quantum-resistant secure Bluetooth communications protocol. It enables Passport Prime to communicate seamlessly with the Envoy app on your phone in an extremely secure and trust-minimized way. Learn more with our blog post here.

We achieve the quantum resistance via the following main properties:

  • The private/public keypair is generated randomly on each Passport Prime device just before you start the onboarding process.
  • The private/public keypair is based on CRYSTALS-Kyber rather than ECC to gain quantum resistance for the main keys.
  • The public key is provided to Envoy out of band via a QR code, which means the Bluetooth chip cannot see the value.
  • Every message sent over QuantumLink from that point on uses a unique AES-256 encryption key (AES-256 is considered quantum resistant).
  • This symmetric AES-256 encryption key is, itself, encrypted using the recipient’s public key and an ephemeral public key from the sender.

The CRYSTALS-Kyber Key Exchange Mechanism is an important part of QuantumLink’s quantum resistance properties. CRYSTALS-Kyber uses math that is hard even for quantum computers to solve - specifically, it relies on the difficulty of finding particular patterns in multidimensional lattices (think of trying to find a specific point in a vast, complex crystal structure). Even if a powerful quantum computer came along, it wouldn’t be able to crack CRYSTALS-Kyber’s mathematical puzzle any better than a regular computer.

The Bluetooth implementation on Passport Prime uses a dedicated chip that is physically separated from the rest of the device’s hardware. Everything sent through the Bluetooth chip is encrypted, meaning that even if the chip were malicious, it could not decrypt the data flowing through it.

Bluetooth and NFC can be disabled from the device control center at any time, but this will limit device functionality.

There is no native microSD slot, but users can easily interact with data saved on SD cards by using a USB-C adapter (not included).

Passport Prime does not have any WiFi functionality.

At launch, Passport Prime’s Bluetooth connection will only work with Envoy. For users that want to leverage the Bitcoin features of the device, you are free to do so via USB, NFC, or QR codes.
Once our SDK is available, Prime will be able to connect to any third-party mobile or desktop app. We will provide documentation for the protocol along with our Flutter and Rust libraries.

Backups

Passport Prime ships with 3 NFC KeyCards and 3 Faraday sleeves to store the cards inside. These cards are used to create a simple and secure 2-of-3 Shamir backup of the Passport Prime master private key. Under the default setup, 2 of the KeyCards secure a share each, with the third being stored securely in the Envoy app on your phone. Advanced users that do not wish to secure a share in Envoy can leverage the third KeyCard to store the third share.

Some non-Foundation NFC cards may work with Passport Prime, but these are not tested and not officially supported. The NFC cards we ship with Prime and will subsequently sell separately have a custom NFC antenna and are optimized to work in harmony with the Prime hardware.

We plan to sell additional NFC KeyCards in packs of 3.

  • Default setup (Magic Backups):

    • Sign into your Google or iCloud account, have Envoy installed on your phone, and then tap one of your NFC cards to the back of Passport Prime. That’s it!
  • Manual setup (without Magic Backups):

    • Tap two of your NFC KeyCards to the back of the device, and optionally load an encrypted backup file to restore metadata.
    • Alternatively, enter your BIP39 seed words and optionally load the encrypted backup file to restore metadata.

While the details are still being finalized, we plan to provide an independent tool for recovering the seed from two NFC cards without Foundation or a Passport Prime. This will likely consist of an open-source desktop or mobile application.

Absolutely. Your BIP39 seed words will be accessible from the device settings.

Magic Backups are a feature of the Envoy+ subscription service. They store critical Passport Prime private key data in a 2-of-3 Shamir setup:

  1. Two shares are stored on the provided NFC KeyCards.
  2. The third share is securely stored on your phone and backed up to your iCloud keychain or Android auto-backup through Envoy.

Here’s how Magic Backup works during recovery:

  1. Install Envoy on your phone and sign into your iCloud or Google account.
  2. Tap a single NFC KeyCard to the back of your Passport Prime.
  3. Prime combines the Shamir share from your phone with the share from the NFC KeyCard to restore your master private key on the device.
  4. Envoy hashes its mobile wallet seed to authenticate with the Foundation servers and downloads the associated encrypted metadata.
  5. Envoy sends this encrypted data back to Passport Prime via QuantumLink.
  6. Passport Prime decrypts the data with the restored private key.

Result: All device settings and app data are fully restored, and your Prime looks exactly as it did before.
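The 2-of-3 split and the two-share recovery described in this section, as an added example that is not Foundation's code. It assumes byte-wise Shamir sharing over GF(2^8), a construction the page does not specify, and the names `split`, `combine`, `card_a`, `card_b` and `phone` are hypothetical.

```python
import secrets

# GF(2^8) log/antilog tables (AES polynomial 0x11B, generator 3).
EXP, LOG = [0] * 510, [0] * 256
_v = 1
for _i in range(255):
    EXP[_i] = EXP[_i + 255] = _v
    LOG[_v] = _i
    _v ^= (_v << 1) ^ (0x11B if _v & 0x80 else 0)  # multiply by 3

def mul(a: int, b: int) -> int:
    return EXP[LOG[a] + LOG[b]] if a and b else 0

def div(a: int, b: int) -> int:  # b must be non-zero
    return EXP[LOG[a] + 255 - LOG[b]] if a else 0

def split(secret: bytes, n: int = 3, k: int = 2) -> dict[int, bytes]:
    """Return n shares {x: bytes}; any k of them recover the secret."""
    if not 1 < k <= n < 256:
        raise ValueError("need 2 <= k <= n <= 255")
    shares = {x: bytearray() for x in range(1, n + 1)}
    for byte in secret:
        # Per-byte polynomial: constant term = secret byte, the rest uniform random.
        coeffs = [byte] + [secrets.randbelow(256) for _ in range(k - 1)]
        for x, out in shares.items():
            y = 0
            for c in reversed(coeffs):  # Horner evaluation at x
                y = mul(y, x) ^ c
            out.append(y)
    return {x: bytes(v) for x, v in shares.items()}

def combine(shares: dict[int, bytes]) -> bytes:
    """Lagrange-interpolate at x = 0 from the supplied shares."""
    out = bytearray(len(next(iter(shares.values()))))
    for xi, yi in shares.items():
        w = 1
        for xj in shares:
            if xj != xi:
                w = mul(w, div(xj, xj ^ xi))  # subtraction is XOR
        for pos, y in enumerate(yi):
            out[pos] ^= mul(y, w)
    return bytes(out)

if __name__ == "__main__":
    seed = secrets.token_bytes(32)  # constructed stand-in for the master key
    card_a, card_b, phone = split(seed).values()  # assumed roles: two KeyCards + Envoy
    assert combine({1: card_a, 3: phone}) == seed   # one KeyCard + phone share
    assert combine({1: card_a, 2: card_b}) == seed  # two KeyCards, no phone
    print("one card alone recovers seed:", combine({2: card_b}) == seed)
```

Because each byte's random coefficient is uniform, a single share is consistent with every possible secret, which is why one lost KeyCard or a compromised phone backup alone does not expose the key.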

Envoy+

Envoy+ is a paid subscription service that increases the functionality of Envoy and any connected devices. At launch it will include Magic Backups for all Prime metadata (see above for details) and priority support. We plan to increase the feature set of Envoy+ significantly over time. This includes exclusive access to future products, Lightning services and educational material.

Envoy+ will be $5 per month, with discounts for annual or multi-year purchases. Prime Early Access customers will receive a free lifetime subscription to Envoy+. All other Prime customers will receive a free 6-month trial of Envoy+.

Absolutely not. Users are free to store their own Passport Prime metadata backups manually.

The details of this are still being worked out, but we are aiming to achieve this in such a way that we are completely unable to tie a user to a specific piece of encrypted data stored on our servers.

No. Envoy+ will be purely additive to the existing free features available in Envoy today.


General Shipping

Delivery times for orders outside of the US vary depending on the destination and shipping method selected. Generally, international orders take between 7–21 business days to arrive. We’ll provide tracking information so you can monitor the shipment along the way.

While we can ship to many locations, we are unable to verify individual delivery addresses or whether certain items can be received at a specific location. It is your responsibility to ensure your address is accurate and suitable for delivery before placing your order.

All taxes for orders shipped to the U.S. and E.U. are collected at checkout. For all other jurisdictions, additional taxes or customs fees may apply depending on your country’s import regulations. These fees are typically due upon arrival and are set by your local customs authorities. We recommend checking with your local customs office for an estimate of potential costs.

If your package is delayed beyond the expected delivery timeframe, please check the tracking details for any updates. Occasionally, packages may be held at customs, which can cause a delay. If the tracking hasn’t updated or if it appears to be lost or stuck, please contact the shipping provider directly in the first instance. After exhausting this method, contact us and we’ll attempt to help investigate.

If your order hasn’t shipped yet, we may be able to update the shipping address. Please contact our support team as soon as possible with the correct address details. Once a parcel is in the courier’s custody (e.g., UPS), we have limited control over the process. To make changes such as rescheduling delivery, placing a hold, or updating the address, you must contact the courier directly. For UPS shipments, you can use the UPS My Choice account to manage delivery preferences.

If a parcel is refused (either by you or someone at your receiving address), it will be returned to sender. If the refusal was made in error, you will need to contact the courier directly to request an exception.

In most cases, we handle insurance claims with the courier. However, you are required to report the issue to the courier and file your claim first. This helps streamline the process and improves the chances of a successful outcome, as we can reference your claim when submitting ours.

Not at all. Whilst we do everything we can from a regulatory perspective to prevent the need for packages to be opened on a regular basis, it does happen occasionally. This is why we include a software-based security check as part of every onboarding. This check ensures that the firmware running on the device has not been tampered with before you carry out any critical operation.

Once your order ships, we’ll send a confirmation email with tracking details. We recommend subscribing to the courier’s tracking notifications to receive real-time updates at each step along the way. This will keep you informed about the status and estimated delivery time of your package.

Carriers vary based on location but may include UPS, DHL, FedEx, and local postal services such as USPS.

If you need to cancel your order, please contact us as soon as possible. We’ll do our best to accommodate your request if the order hasn’t already shipped.

Orders shipped to EU member countries are fulfilled by our EU fulfillment center, allowing for faster delivery times and minimal customs processing. Typically, shipments arrive within 2–7 business days, depending on the destination within the EU. Tracking information will be provided for you to monitor your package’s progress.