Who Is This For?

Legacy isn't for everyone — and that's the point.

Legacy fills a specific gap. On one end is a single seed phrase in a safe — simple, but anyone who finds it gets everything, and you can't safely make copies. On the other is Bitcoin multisig — powerful and enforced on-chain, but complex enough that most people never set it up, and most heirs can't operate it. Legacy is the middle ground: split-custody inheritance with memorable keys, fully offline, no third parties, no subscriptions, and nothing that has to outlive you. It is not the most powerful option — it's the simplest one that still protects against a single point of compromise.

  • Already keep a physical seed phrase backup (steel or paper). Legacy is your inheritance and transfer layer — not a replacement for your primary backup.
  • Are comfortable with self-custody: you can enter a passphrase and scan a QR, and you expect your beneficiary to manage the same.
  • Want to avoid third parties — no lawyers, executors, custodians, or collaborative-custody services holding your keys.
  • Want zero ongoing cost — no subscriptions, no accounts, no service that has to still exist when you're gone.
  • Want it fully offline / air-gapped — encrypt and decrypt on a SeedSigner with no internet, ever.
  • Prefer memorable keys — a handful of random, unrelated words you can hold in your head or pass along verbally — over share files you have to store.
  • Plan to deliver the Benefactor Key through a deadman switch, a will, or sealed instructions — so the beneficiary receives it only when intended.
  • Want to store the encrypted backup openly and redundantly — the ciphertext is useless without both keys, so you can copy it freely.
  • You need k-of-n redundancy where losing a single key isn't catastrophic. Legacy is strictly two-of-two — both keys are required. Look at SLIP-39 (Shamir) or multisig.
  • You can't reliably ensure both keys survive to your beneficiary, and won't keep a fallback. Without one, a single lost key means the Bitcoin is gone (see below).
  • You want on-chain, enforced, auditable inheritance with spending policies and signing thresholds — that's Bitcoin multisig with timelocks, not Legacy.
  • You're protecting institutional or nation-state-level value. Use enforced on-chain schemes.
  • You aren't comfortable being your own custodian. Legacy gives you no one to call — that's by design, but it isn't for everyone.
Legacy is two-of-two: both the Benefactor and Beneficiary keys are required, with no built-in backup. That keeps it simple — but it means a single lost key is fatal. We don't hide this; we mitigate it with discipline, not added complexity:
  • Keep many copies of the encrypted QR. It's inert without the keys, so spread it across locations.
  • Keep a sealed break-glass fallback — both keys, or the seed itself — with a lawyer, in a home safe, or in a deposit box, opened only if the normal path fails.
The split gives you the security. The fallback gives you the reliability. Used together, no single failure loses your Bitcoin.

You choose your own keys, so you choose your own security. There's an unavoidable tradeoff: longer, more random keys are harder to brute-force but harder to remember. Legacy doesn't pick a point on that scale for you — it lets you decide where to sit. Here's how to find your spot.

← more memorable, weaker more random, stronger →
A name or common word — e.g. bitcoin. Don't. Trivial to guess or crack in seconds.
Two related words — e.g. bitcoinbeach. Weak. Predictable; within reach of a targeted attacker.
3 random, unrelated words — e.g. mango stapler vault. The floor. Acceptable, especially across two keys.
4–5 random, unrelated words — e.g. cloud mango river tuesday. Recommended. The sweet spot — strong and still memorable.
6+ random words / a full passphrase. Overkill. Maximum resistance, but hard to memorize — you may end up writing it down, which changes your threat model.
Two things work in your favor: Legacy combines both keys, so a 4-word + 4-word setup has the strength of eight random words — and PBKDF2's 600,000 iterations add roughly 19 bits of brute-force resistance on top. A modest passphrase here is far stronger than the same passphrase would be almost anywhere else.
Find your spot
Rough guide only. Assumes each word is genuinely random and unrelated (~11 bits/word), and an attacker with ~10¹² SHA-256/second — about 1.7 million Legacy guesses/second once PBKDF2's 600,000 iterations are paid. Reused, related, or non-random words are worth far less than this estimate.
Seed in a safe

Simplest of all. But no protection if it's found, and no safe way to make redundant copies.

Legacy you are here

Simple, offline, memorable keys, split custody, freely-copyable backup. Strict 2-of-2 — pair it with a sealed fallback for reliability.

SLIP-39 / Shamir

Any k-of-n, so no single point of failure. But the shares aren't memorable, and wallet support is thinner.

Multisig + timelocks

The gold standard: enforced on-chain, auditable, survivable. But complex to set up — and for an heir to operate.

  • Keep your normal seed backup (e.g. a steel plate), exactly as you do today.
  • Encrypt a copy of the seed with a Benefactor Key and a Beneficiary Key.
  • Store the encrypted QR redundantly — multiple locations, even semi-public.
  • Your beneficiary holds (or memorizes) their key.
  • Deliver the Benefactor Key via a deadman switch, will, or sealed instructions.
  • Keep a sealed fallback (both keys, or the seed) as break-glass insurance.

If that sounds like you, see How It Works or try the encryption demo. If it doesn't, we'd genuinely rather you used the right tool — multisig or SLIP-39 — than the simple one.