Legacy fills a specific gap. On one end is a single seed phrase
in a safe — simple, but anyone who finds it gets everything, and
you can't safely make copies. On the other is Bitcoin
multisig — powerful and enforced on-chain, but
complex enough that most people never set it up, and most heirs
can't operate it. Legacy is the middle ground:
split-custody inheritance with memorable keys, fully
offline, no third parties, no subscriptions, and nothing that has
to outlive you. It is not the most powerful option — it's
the simplest one that still protects against a single point of
compromise.
Legacy is a good fit if you…
- Already keep a physical seed phrase backup (steel or paper). Legacy is your inheritance and transfer layer — not a replacement for your primary backup.
- Are comfortable with self-custody: you can enter a passphrase and scan a QR, and you expect your beneficiary to manage the same.
- Want to avoid third parties — no lawyers, executors, custodians, or collaborative-custody services holding your keys.
- Want zero ongoing cost — no subscriptions, no accounts, no service that has to still exist when you're gone.
- Want it fully offline / air-gapped — encrypt and decrypt on a SeedSigner with no internet, ever.
- Prefer memorable keys — a handful of random, unrelated words you can hold in your head or pass along verbally — over share files you have to store.
- Plan to deliver the Benefactor Key through a deadman switch, a will, or sealed instructions — so the beneficiary receives it only when intended.
- Want to store the encrypted backup openly and redundantly — the ciphertext is useless without both keys, so you can copy it freely.
It's probably NOT for you if…
- You need k-of-n redundancy where losing a single key isn't catastrophic. Legacy is strictly two-of-two — both keys are required. Look at SLIP-39 (Shamir) or multisig.
- You can't reliably ensure both keys survive to your beneficiary, and won't keep a fallback. Without one, a single lost key means the Bitcoin is gone (see below).
- You want on-chain, enforced, auditable inheritance with spending policies and signing thresholds — that's Bitcoin multisig with timelocks, not Legacy.
- You're protecting institutional or nation-state-level value. Use enforced on-chain schemes.
- You aren't comfortable being your own custodian. Legacy gives you no one to call — that's by design, but it isn't for everyone.
The honest tradeoff
Legacy is
two-of-two: both the Benefactor and
Beneficiary keys are required, with no built-in backup. That
keeps it simple — but it means a single lost key is fatal. We
don't hide this; we mitigate it with discipline, not added
complexity:
- Keep many copies of the encrypted QR. It's inert without the keys, so spread it across locations.
- Keep a sealed break-glass fallback — both keys, or the seed itself — with a lawyer, in a home safe, or in a deposit box, opened only if the normal path fails.
The split gives you the security. The fallback gives you the reliability. Used together, no single failure loses your Bitcoin.
Choosing your keys — secure vs. memorable
You choose your own keys, so you choose your own
security. There's an unavoidable tradeoff: longer,
more random keys are harder to brute-force but harder to
remember. Legacy doesn't pick a point on that scale for you —
it lets you decide where to sit. Here's how to find your spot.
← more memorable, weaker | more random, stronger →
- A name or common word — e.g. bitcoin. Don't. Trivial to guess or crack in seconds.
- Two related words — e.g. bitcoinbeach. Weak. Predictable; within reach of a targeted attacker.
- 3 random, unrelated words — e.g. mango stapler vault. The floor. Acceptable, especially across two keys.
- 4–5 random, unrelated words — e.g. cloud mango river tuesday. Recommended. The sweet spot — strong and still memorable.
- 6+ random words / a full passphrase. Overkill. Maximum resistance, but hard to memorize — you may end up writing it down, which changes your threat model.
Two things work in your favor: Legacy combines both
keys, so a 4-word + 4-word setup has the strength of
eight random words — and PBKDF2's 600,000 iterations
add roughly 19 bits of brute-force resistance on top. A modest
passphrase here is far stronger than the same passphrase would be
almost anywhere else.
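The arithmetic behind the paragraph above, as an added example (not Legacy's own code): it reproduces the roughly 19 bits from 600,000 iterations and shows how much strength remains if one of the two keys is already known. The 7,776-word list size and the attacker hash rate are assumptions; the page states neither.

```python
import math
import secrets

PBKDF2_ITERATIONS = 600_000  # iteration count stated on the page
WORDLIST_SIZE = 7_776        # ASSUMPTION: diceware-sized list; the page names none
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def pick_words(wordlist, n):
    """Draw n words uniformly with the OS CSPRNG; the only case the math below covers."""
    if len(set(wordlist)) != len(wordlist):
        raise ValueError("duplicate words reduce entropy per word")
    return [secrets.choice(wordlist) for _ in range(n)]


def word_bits(n_words, wordlist_size=WORDLIST_SIZE):
    """Entropy in bits of n words chosen uniformly and independently."""
    return n_words * math.log2(wordlist_size)


def kdf_bits(iterations=PBKDF2_ITERATIONS):
    """Extra work per guess from key stretching, expressed in bits."""
    return math.log2(iterations)


def effective_bits(unknown_words, wordlist_size=WORDLIST_SIZE,
                   iterations=PBKDF2_ITERATIONS):
    """Brute-force cost in bits for the words the attacker does NOT already know."""
    return word_bits(unknown_words, wordlist_size) + kdf_bits(iterations)


def expected_years(unknown_words, hashes_per_second,
                   wordlist_size=WORDLIST_SIZE, iterations=PBKDF2_ITERATIONS):
    """Expected time to search half the keyspace at a hypothetical hash rate."""
    guesses = wordlist_size ** unknown_words / 2
    return guesses * iterations / hashes_per_second / SECONDS_PER_YEAR


if __name__ == "__main__":
    # Constructed demo list (words taken from the page's examples); far too small for real use.
    demo_list = ["mango", "stapler", "vault", "cloud", "river", "tuesday"]
    print("sample draw:", " ".join(pick_words(demo_list, 4)))
    rate = 1e12  # ASSUMPTION: attacker hash rate, illustrative only
    for label, words in [("both keys unknown (4+4)", 8),
                         ("one key known (4 left)", 4),
                         ("floor, one key known (3 left)", 3)]:
        print(f"{label:32s} {effective_bits(words):6.1f} bits "
              f"{expected_years(words, rate):.3g} years")
```

The eight-word figure holds only while both keys are unknown and every word was drawn at random; words a person picks themselves do not carry the entropy this model assigns them.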
How Legacy compares
- Seed in a safe: Simplest of all. But no protection if it's found, and no safe way to make redundant copies.
- Legacy (you are here): Simple, offline, memorable keys, split custody, freely-copyable backup. Strict 2-of-2 — pair it with a sealed fallback for reliability.
- SLIP-39 / Shamir: Any k-of-n, so no single point of failure. But the shares aren't memorable, and wallet support is thinner.
- Multisig + timelocks: The gold standard: enforced on-chain, auditable, survivable. But complex to set up — and for an heir to operate.
A recommended setup
- Keep your normal seed backup (e.g. a steel plate), exactly as you do today.
- Encrypt a copy of the seed with a Benefactor Key and a Beneficiary Key.
- Store the encrypted QR redundantly — multiple locations, even semi-public.
- Your beneficiary holds (or memorizes) their key.
- Deliver the Benefactor Key via a deadman switch, will, or sealed instructions.
- Keep a sealed fallback (both keys, or the seed) as break-glass insurance.
If that sounds like you, see How It Works
or try the encryption demo. If it doesn't,
we'd genuinely rather you used the right tool — multisig or SLIP-39 —
than the simple one.