Passport
Why Passport?
Bitcoin is sovereign money; it gives you ownership over your own financial destiny. There is a common expression in the Bitcoin world: not your keys, not your coins! Whether you own Bitcoin as an investment, as a censorship-resistant currency, or as a convenient way to transact on the Internet, it is important that you store your own private keys (and we can help with that).
Exchange hacks and losses of funds are common occurrences in the Bitcoin world, and no exchange is too big to fail. The more Bitcoin owned by a single exchange, the larger the incentive for attackers to try to steal your coins – whether external hackers or malicious insiders.
All hardware wallets make tradeoffs between usability, security, and openness. Below is a brief explanation of the tradeoffs from the leading hardware wallet vendors.
Ledger’s hardware and firmware are closed source, with a closed source operating system running on the device. This makes it more difficult for security researchers to discover vulnerabilities that may exist on Ledger’s hardware. Many find Ledger devices difficult to use, as there are only two buttons to navigate and a small screen. And Ledger devices are not airgapped; they use USB and/or Bluetooth. This has been shown to cause certain vulnerabilities
.
Trezor’s hardware and firmware are Open Source, but they do not use a security chip (more specifically a secure element). This means that an attacker can extract the private keys in only 15 minutes
with commonly available hardware (this can be mitigated by using a strong passphrase).
Coldcard has, in our opinion, the best security model, with source available hardware and firmware plus a secure element for storage of private keys. Coldcard also has great security features, such as a phishing-resistant PIN entry process and security lights. However, Coldcard is designed for the hardcore Bitcoiner and is challenging for normal users.
Passport uses the same security architecture as Coldcard, with Open Source hardware and firmware plus a secure element, but places a significant emphasis on intuitive design and ease-of-use.
Passport’s larger display, alphanumeric keypad, and navigation pad create a pleasant user experience. Its camera and microSD slot ensure airgapped operations alongside a rechargeable and removable lithium ion battery meaning you don’t need to be tethered to a wall outlet or external battery pack to use it.
For new users, Passport is designed to be intuitive and approachable. The navigation pad and familiar interface make it easy to set up and use Passport. If you’ve previously found hardware wallets to be intimidating or difficult, we think you’ll have a better experience with Passport.
For expert users, Passport uses the same general security architecture as Coldcard and Bitbox02, but introduces (1) rechargeable + removable batteries and (2) a camera for more convenient airgapped transactions. Passphrase entry is also a breeze with Passport’s alphanumeric keypad.
Bitcoin is Open Source software, and we believe Open Source software should run on open source hardware. Bitcoin necessitates a completely new type of hardware security model – since transactions are immutable, there is no recourse if your Bitcoin are stolen or lost.
Today’s hardware is mostly closed source and uses proprietary designs with confidentiality agreements.
This model worked in a world where thefts could easily be reversed by your bank or credit card company. But in a Bitcoin world, this model is fundamentally broken. Open Source hardware means that security researchers can more easily identify vulnerabilities in our products. It also means that we can adopt best practices from other Open Source hardware projects – and other Open Source hardware projects can adopt our best practices too! This leads to a healthy, more secure hardware ecosystem and means that your Bitcoin will be safer.
Passport Features
Passport makes it easy to segregate your Bitcoin into different ‘sub-wallets’ or ‘sections’ for different purposes. These ‘sections’ or ‘sub-wallets’ are called ‘Accounts’. Passport is capable of generating as many as you need, with all Accounts being included in the encrypted backup file. Passport accounts follow the BIP-32
standard, meaning any account derived can also be re-applied in any other compatible wallet using only your seed words.
Upon setup, Passport begins with just one ‘Primary’ account. To apply add additional accounts to Passport, move right with the directional pad until you see the MORE menu.
Passport, by design, has no ability to communicate directly with the outside world. This creates an optimum security model, making remote attacks impossible, but also means that is has no way of knowing when any of its Bitcoin addresses have received a transaction. For this to happen, Passport much be connected or ‘paired’ with a software wallet that runs on an internet connected device like a phone or computer.
As part of this connection process, the software wallet is given enough information to monitor (using its internet connection to the rest of the Bitcoin network) all of the receive addresses Passport can generate.
Crucially, this software wallet does not have enough information to spend any Bitcoin. This authority remains firmly with Passport.
First you’ll need to initiate Passport, then connect it with a compatible wallet software such as Envoy . From there, receiving Bitcoin directly to your Passport wallet is as simple as tapping ‘Receive’ in the connected wallet software and sharing the generated receive address with the person wanting to send you Bitcoin.
As mentioned above, Passport, has no ability to communicate directly with the outside world. Your chosen software wallet monitors for incoming transactions and has the ability to create spend transactions for Passport to authorize. This information is shared to and from Passport via one of two methods. Which you use will depend on your preference and chosen wallet software. We recommend using QR codes as the default and easiest solution wherever available.
After setting up Passport, connecting it with your chosen software wallet eg Envoy , and receiving some Bitcoin to your Passport wallet, you can choose to authorize transactions via QR codes or microSD. See the transaction signing flow using QR code and Envoy here .
A passphrase is an additional word or combination of words that can be added to your mnemonic seed as an additional layer of security against physical attacks. Passphrases are not passwords. They do not grant access, instead, when applied, they are used as one of the pieces of information that constructs a wallet. Without the exact same passphrase, you cannot reconstruct a wallet.
A passphrase can be as short or as long as you like and can contain any combination of letters (upper and lower case), numbers or special characters. Passphrases are case and order sensitive, for example Passphrase123, 123passphrase, passphrase123 and 123Passphrase will all result in completely different wallet with its own set of accounts and unique addresses.
All passphrases are valid. Please exercise extreme caution when using them.
Passphrases are never stored on Passport, or in any encrypted backup. To access your passphrase wallet(s), you need to enter it into Passport upon boot.
To apply a passphrase to Passport, move right with the directional pad until you see the MORE menu. You can also read our in-depth article on passphrases to learn more.
We have a full page
dedicated to backups, but here’s a quick primer.
Passport can create an Encrypted Backup of your Bitcoin wallet, as well as all accounts, names, multisig configurations and device settings onto any microSD card. This backup file uses the 7z
encryption format and is protected by the 20-digit passcode shown to you at the time you create the backup.
The beauty of this type of backup is that you can keep the microSD card containing the encrypted backup at different locations(s), that may not suitable for the storage of traditional plain text seed words. Each microSD backup is useless to anyone without the 20-digit backup to to unlock it. The backup code should be stored in a separate secure location.
Updating the firmware on Passport will ensure your device benefits from the latest features and security updates. Our latest firmware versions are linked below and should only ever be downloaded from Envoy, our GitHub
or this support site.
The easiest way to update your Passport firmware is via Envoy , our mobile companion app. Advanced users that want to manually download, verify and install their firmware can follow the instructions on our firmware updates page.
Your seed words can be viewed on device at any time after logging in with your 6-12 character PIN by going to Settings > Advanced > View Seed Words.
You can change your device PIN at any time after logging in with your current 6-12 character PIN. Simply head to Settings > Device > Change PIN.
The extensions menu on Passport offers a simple way to enable extra features on Passport. Enabling extensions from this screen creates menu items that allow you to use Passport with specific types of third party software.
Extensions are enabled and disabled in Settings > Extensions Once enabled, each extension will have its own custom screen at the default menu level. To view them, scroll right from the Primary Account screen.
Yes you can use Passport in stateless mode where the device never saves its private key or seed words permanently to the device. You can also use a hybrid mode where you use the device in the typical fashion, with a single master set of seed words and accounts, but also use the Temporary Seed or Key Manager to temporarily interact with other wallets without them being permanently saved to the device.
Compatibility
Absolutely. Passport abides by the BIP39 Bitcoin wallet standard. This means that after setup, if you decide you want to use a different hardware or software wallet to manage your Bitcoin, all you need to do it import the 12 or 24 word seed from your Passport into your new wallet of choice.
No, Passport only supports Bitcoin. We do not have any immediate plans to support other cryptocurrencies, and are laser-focused on building the best Bitcoin hardware wallet.
We recently launched Envoy
, our mobile companion app. Envoy offers the easiest and most intuititve way to setup and manage Passport to. However, Envoy is completely optional and not a requirement to use Passport in any way.
Passport is designed instead to work with most popular Bitcoin wallets and services. This ensures that you have the ability to select your preferred software wallet , instead of being forced to use our software or services. And it also ensures that Passport strives for mass-compatibility with the Bitcoin ecosystem.
Passport is compatible with a range of mobile and desktop wallet software applications. This is achieved via the widely adopted PSBT (partially signed Bitcoin transactions) format.
See a full list, including video tutorials here .
Yes, Passport supports both single-sig and multisig PSBTs.
From version 2.3.0 Passport will display OP_Return transaction information when signing.
Security
Passport uses the same general security architecture as many other Bitcoin hardware wallets, with a processor by STMicroelectronics and a 608b secure element by Microchip. The Bitcoin private keys are encrypted on the processor and stored on the secure element to minimize trust in a single chip. All circuit designs and firmware are Open Source and auditable.
Passport is completely airgapped, with only a camera and microSD slot for communications, no wireless functionality of any kind. This is important because it closes off numerous attack vectors and ensures that Passport can never communicate directly with an Internet-connected device.
Our Founders Edition device is powered by AAA batteries, while Batch 2 devices use a removable and rechargeable standard form factor lithium-ion battery, typically found in older Nokia phones. This is charged via the power only USB-C port on the bottom of the device. This port is not capable of passing any data since the connectors inside the port required to do so are simply not there.
Foundation Devices is based in the USA, and we believe it is important to have as close a control over our supply chains as possible. By assembling Passport in the USA, we can ensure that (1) we are on the factory floor and closely overseeing assembly, (2) our manufacturers are held to higher regulatory and transparency standards.
Bitcoin represents sovereignty, privacy, and freedom. We believe it is important to build our products in jurisdictions which represent these same values. This is why Foundation will never assemble our products in China.
Purchasing
We offer payments via credit card or Bitcoin. Credit card payments are processed by Stripe and Bitcoin payments are processed by our self-hosted BTCPay Server. Foundation encourages Bitcoin payments.
We also have a blog post on how you can purchase Passport more privately using Bitcoin.
Yes, Passport includes a one year warranty to cover manufacturing defects only. Accidental damage, such as drops or liquid exposure, is not covered. Nor is accidentally bricking the device!
You can read the entirety of the warranty offered with Passport here .
Envoy
Why Envoy?
Envoy is a Bitcoin mobile wallet and Passport companion app, available on iOS and Android. Download links available here .
Envoy is designed to offer the easiest to use experience of any Bitcoin wallet, without compromising on your privacy. With Envoy Magic Backups, set up a self custodied Bitcoin mobile wallet in 60 seconds, without seed words!
Passport users can connect their devices to Envoy for easy setup, firmware updates, and a simple Bitcoin wallet experience.
Get on boarded and set up with a new mobile wallet, complete with automatic backups, in under 60s! Get guided Passport setup and management and receive notification when a new firmware update is available. You can even install it right from your phone!
Envoy also enables you to receive into your offline cold storage from anywhere in the world, or to build spend transactions, ready for authorization by Passport. Envoy will also notify you of company announcements such as blog posts, special offers, security upgrades or new hardware and software releases.
Magic Backups is the easiest way to set up and back up a Bitcoin mobile wallet. Magic Backups stores your mobile wallet seed (not your Passport seed) end-to-end encrypted in iCloud Keychain or Android Auto Backup. All app data is encrypted by your Envoy seed and stored on Foundation Servers.
Set up your mobile wallet in 60 seconds, and automatically restore if you lose your phone.
Magic Backups are completely optional for users that want to leverage Envoy as a mobile wallet. If you prefer to manage your own mobile wallet seed words and backup file, choose ‘Manually Configure Seed Words’ at the wallet set up stage.
The Envoy backup file contains app settings, account info and transaction labels. The file is encrypted with your mobile wallet seed words. For Magic Backup users, this backup file is stored fully encrypted on the Foundation server.
Manual backup Envoy users can download and store their backup file anywhere they like. This could be any combination of your phone, a personal cloud server, or on something physical like a microSD card or USB drive.
No, Envoy’s core features, including mobile wallet functionality, backups and Passport management will always be free to use. In the future we may introduce paid tiers or subscriptions for additional features.
Downloading and installing Envoy requires zero personal information. Envoy also offers users the ability to connect the internet via Tor, a privacy preserving protocol. When enabled, this means that Foundation has no way of knowing who you are or even your approximate geographical location. Envoy also allows more advanced users the ability to connect to their own Bitcoin node to remove any reliance on the Foundation servers completely.
Envoy Features
Yes! From v1.7 you can now purchase Bitcoin within Envoy and have it automatically deposited to your mobile account, or any connected Passport accounts. Simply click the Buy button from the main Accounts screen.
Absolutely, there is no limit to the number of Passports you can manage and interact with using Envoy.
Yes, Envoy makes multi-account management simple.
Yes, Envoy connects using the Electrum server protocol. To connect to your own Electrum Server, scan the QR or enter the URL provided into the network settings on Envoy.
When a user opts to connect use Envoy over the Tor network, Envoy will display a Shield at the top of all main screens. The color or status of this shield dictates the current status of Envoy’s connectivity:-
- Shield is pulsating = Envoy is trying to establish a connection to Tor
- Shield is solid = Envoy has successfully connected to Tor
- No shield = Tor has been disabled from the settings
- Shield is red = Envoy cannot connect to a user specified custom Electrum server
Learn more about Envoy and Tor here .
Envoy supports Coin Control , but not batching (yet).
Yes. Envoy has three fee settings for the user to choose from when spending, ‘Standard’, ‘Faster’ and ‘Custom. Standard aims to get your transaction finalized within 60 minutes, faster within 10 minutes and the custom fee slider allows you to select any fee rate you like. These are estimates based on the network congestion at the time the transaction is built and you will always be shown the cost of both options before finalizing the transaction.
Compatibility
No, we pride ourselves on ensuring Passport is compatible with as many different software wallets as possible. See our full list, including tutorials here .
No, anyone is still free to manually download, verify and install new firmware. See here for more information.
Yes, just be aware that any wallet-specific information, such as address or UTXO labeling, will not be copied to or from Envoy.
This may be possible as most QR enabled hardware wallets communicate in very similar ways, however this is not explicitly supported. As Envoy is Open Source, we welcome other QR-based hardware wallets to add support!
At this time Envoy only works with ‘on-chain’ Bitcoin. We hope to support Lightning in the future.
Security
Anyone finding your phone would first need to get past your phones operating system PIN or biometric authentication to access Envoy. In the unlikely event they achieve this, the attacker could send funds from your Envoy Mobile Wallet and see the amount of Bitcoin stored within any connected Passport accounts. These Passport funds are not at risk because any transactions must be authorized by the paired Passport device.
If you use Envoy as a mobile wallet, where the private keys reside on your mobile phone, then an attacker would need to break your device PIN/biometrics and Envoy’s PIN/biometrics (if you enable this) to be able to spend funds. Envoy wallets is mobile, meaning it’s something you take with you everywhere you go for day to day spends. We recommend never storing more funds in your Envoy wallet than you would physical cash in your traditional wallet. For everything above that limit, use Passport.
Envoy communicates predominantly via QR codes, however firmware updates are passed from your phone via a microSD card. Passport includes microSD adapters for your phone.
If used with a Passport, Envoy acts as a ‘watch-only’ wallet connected to your hardware wallet. This means Envoy can construct transactions, but they are useless without the relevant authorization, which only Passport can provide. Passport is the ‘cold storage’ and Envoy is simply the internet connected interface!
If you use Envoy to create a mobile wallet, where the keys are stored securely on your phone, that mobile wallet would not be considered cold storage. This has zero effect on the security of any Passport connected accounts.
Envoy Privacy
When you query any data on any Bitcoin explorer that is not your own, you are sharing information with the explorer provider. What information you share depends on the queries you make and how you connect to the explorer. For exmaple, if you connect to an explorer using the traditional internet, without a VPN and paste in a transaction ID, the explorer provider can theoretically tie together and store those pieces of information. The explorer provider learns that a person at X approximate geographical location (derived from your IP address) is interested in a certain address or transaction. If you make multiple queries from the same IP address, the provider can cluster them together.
If you choose to query a third party explorer like the one we host at Foundation, you should do so on a device running a VPN or with access to the Tor network. Both of these options will protect your IP address from us. Foundation does not log any requests made to our hosted explorer.