I’ve thought about this for a while and think that Foundation is in a unique position where they have 4 components necessary to make this feature a reality:
- Control over Hardware & Software stack
- Open source operating system
- Mobile app that can be connected to device
- Envoy+ membership with recurring subscription (for future users)
How it would functionally work: the user would onboard their wallet and add beneficiaries using the Envoy app. Beneficiaries would simply be wallet addresses, the percent split of owned assets or flat amounts (ex: 50% of balance) and a cell-phone and email address, or potentially, an Envoy/Foundation app user.
The user’s Passport wallet would deterministically generate an encryption key using the user’s wallet’s private key, which would be saved on device and also shared with the beneficiaries – this could be done offline trustlessly, or, through the Envoy app.
Whenever the wallet owner signs a transaction using their prime device, additional transactions (PSBTs) are created and signed, optionally multiple times (there should be multiple PSBTs available, accounting for the possibility that fees are significantly higher in the future). These PSBTs are encrypted using the encryption key, not broadcast, but instead uploaded on Envoy’s server for Envoy+ members. This prevents having to share any private key material with Envoy/Foundation. Every time you sign a new transaction using your Passport Prime wallet, new PSBTs are created, signed, encrypted, and shared with Envoy+.
The only thing that Foundation could possibly do if they were to be able to get the encryption key and decrypt the PSBTs, is broadcast your transactions to send your BTC to your beneficiaries. There would be a user-set timelock, so that after X amount of time, the PSBTs would be available to be shared with your beneficiaries. The beneficiaries can request the inheritance at any time, but you would be alerted, and any wallet transactions would refresh the timer anyway.
All other inheritance options require using multi-signature setups or introduce other attack vectors. This method would be safe, optional, and still allow users to share their private keys OUTSIDE of Foundation/Envoy’s ecosystem if they so please, and if you use it in a different (non Foundation) wallet, the PSBTs would be useless (to my understanding – correct me if I’m wrong), preventing lock-in… At the same time, for those concerned about potential for lost keys (such as in the case of the CA fires recently), this could help address that need.
Given the open source nature of the Passport Prime wallet, preparing the PSBTs should be trustless, as preparation of the unsigned PSBT is done on the OS chip, signed on the secure element, then the signed PSBT can be confirmed on device prior to both transactions being sent out to the Envoy app for 1) broadcast and 2) custody for inheritance planning.
I’d love to hear your thoughts on this. I’ve not seen a company or wallet provider think of this method for inheritance planning before. Traditionally using miniscript, multisig schemes, or custodial arrangements is how it’s done.
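
The key derivation and release timer described in the post above, sketched as an added example that is not part of the original post or of any Foundation/Envoy code. HKDF-SHA256, the `inheritance-psbt-v1` label, the `Escrow` class and the byte strings standing in for encrypted PSBTs are all assumptions made for illustration; the encryption step itself is left out.

```python
import hashlib
import hmac
from dataclasses import dataclass, field


def hkdf_sha256(ikm: bytes, info: bytes, length: int = 32, salt: bytes = b"") -> bytes:
    """RFC 5869 extract-then-expand. The output is one-way with respect to ikm,
    so the derived key can be handed to beneficiaries without exposing the seed."""
    prk = hmac.new(salt or b"\x00" * 32, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


@dataclass
class Escrow:
    """Server-side view (hypothetical): opaque ciphertexts and a timer, no keys."""
    timelock: int                      # seconds of owner inactivity before release
    last_activity: int = 0
    blobs: list = field(default_factory=list)
    alerts: list = field(default_factory=list)

    def owner_signed(self, now: int, encrypted_psbts: list) -> None:
        # Every owner spend replaces the stored set and restarts the timer.
        self.blobs = list(encrypted_psbts)
        self.last_activity = now

    def beneficiary_request(self, now: int, who: str):
        # The owner is alerted on every request, whether or not it succeeds.
        self.alerts.append((now, who))
        if now - self.last_activity < self.timelock:
            return None                # timelock still running: release nothing
        return list(self.blobs)


if __name__ == "__main__":
    seed = bytes(range(32))            # constructed sample seed, not a real key
    key = hkdf_sha256(seed, b"inheritance-psbt-v1")
    escrow = Escrow(timelock=100)
    escrow.owner_signed(0, [b"ciphertext-low-fee", b"ciphertext-high-fee"])
    print(key.hex())
    print(escrow.beneficiary_request(50, "beneficiary-1"))    # before timelock
    print(escrow.beneficiary_request(150, "beneficiary-1"))   # after timelock
```
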