Quick analogy first. Imagine two filing cabinets at a Bitcoin custody service:
Cabinet A (plaintext) — full of regular paper. The company has a key. Anyone with the key can read every file. The company promises they won't, but the data is right there to be read.
Cabinet B (ciphertext) — full of paper, but every word on every page is encrypted with a key that lives only on YOUR phone or laptop. The company doesn't have your key. If they're hacked, served a subpoena, or have a rogue employee — they hand over locked gibberish, because that's all they have.
Most Bitcoin custody services run on Cabinet A. They tell you they don't look. We can't tell you that, because we can't look in the first place. Different promise. Different math.
That's the whole point of what I'm building. A 2-of-3 multisig Bitcoin vault where:
- Encryption happens on your browser. Your passphrase derives a key that never leaves your browser. Our server only ever stores ciphertext — vault names, device information, the wallet configuration file, everything. We can't decrypt any of it.
- We don't store your addresses, balances, or transaction history. Your browser derives addresses locally and queries our blind proxy to a private Bitcoin node. The proxy relays information without linking addresses to users.
- We hold 1 of 3 keys. You hold the other two on hardware wallets. We can never move your funds alone. If we vanish tomorrow, you sweep your Bitcoin into Sparrow Wallet with your two keys.
- Your spending rules live in encrypted form too. Address allowlists, daily limits, hold timers — enforced inside a secure enclave, never readable by us, only changeable with a hardware-wallet signature.
The litmus test for any multisig vault service: can they tell you their total assets under custody? If yes, they can read every customer's balance. If they charge you a percentage of what you hold, same thing. Both require plaintext. We can't produce that number — we genuinely don't know how much Bitcoin our users hold. That's not a marketing line.
One question for anyone using multisig today:
- Would this matter to you? Or is "they promise not to look" already enough?
Check us out at https://xyzvault.io — would love feedback from anyone using another multisig platform, or who'd considered it and backed away.
In which ways is this superior to having 3 geographically distributed keys?
Instead of bad_person™ needing to compromise 2/3 of my locations before, they now need to either compromise 2/2 locations, or 1/2 locations and finess (read: social engineer, hack) their way into you giving up one key, or 1/2 locations and the swipe my password that I'd need to get the custodied key.
So there's got to be some promised advantage since I'm still required to enact very good opsec for the remaining keys.
That's a fair point, and I wouldn't argue that XYZVault is strictly more secure than a well executed 3 key geographically distributed setup. If your threat model is maximizing security and you're comfortable managing three separate locations, that's already a strong solution.
The advantage we're trying to provide is convenience without giving up self-custody.
With XYZVault, you still control two keys, so we can never move your funds on our own. The service key simply acts as a backup key when you have access to one of your keys but not the other. For many people, maintaining three hardware wallets in three separate locations is operationally difficult, expensive, and increases the chances of losing track of devices, descriptors, backups, or recovery information.
The other aspect is privacy. Many collaborative custody providers require KYC or collect enough information to know exactly who you are and how much Bitcoin you hold. Even when databases are encrypted at rest, that data is typically stored in plaintext within the application and can be exposed if the platform is compromised.
XYZVault takes a different approach. Your descriptor, xpubs, labels, vault configuration, and other sensitive metadata are encrypted locally in your browser before they ever leave your device. The server stores ciphertext, not plaintext, and does not possess the key needed to decrypt it. As a result, a database breach doesn't reveal your balances, transaction history, wallet structure, or other vault data because we don't have access to it ourselves.
So the value proposition isn't "replace perfect OPSEC with trust in us." It's reducing the operational burden of managing a multisig setup while minimizing the amount of information the service operator can learn about you.
This is interesting, but I'll admit I'm somewhat confused about one thing:
Your sever stores an encrypted version of "vault names, device information, wallet configuration file, everything"
However, is the 1 key you have, the platform key, also part of what is stored in this manner? If it isn't, can't you still see all my transactions?
Good question. No, the platform key alone cannot reveal your transactions.
To track a wallet, you need the descriptor/xpubs that identify which addresses belong to it. In XYZVault, those are encrypted in your browser before upload. We use Argon2id to derive a master key from your passphrase, then HKDF to derive an authKey and encKey. The authKey is hashed and stored for authentication, while the encKey never leaves your browser.
Your descriptor, xpubs, labels, policies, and vault configuration are encrypted with AES-256-GCM before reaching our servers. Every encrypted blob is also bound with AAD, preventing ciphertext from being transplanted between accounts.
The service key itself lives inside an AWS Nitro Enclave. While we cannot extract the key from the enclave, it's important to understand the trust model: the enclave protects secrets from attackers, not from the code running inside it.
The same assumption exists with hardware wallets. A secure element chip protects a private key from extraction, but it still executes firmware written by the manufacturer. If a vendor intentionally shipped firmware that leaked keys, the secure element would do exactly that. The chip protects against extraction, not against the device creator instructing it to reveal secrets.
Likewise, the Nitro Enclave protects the service key from theft, but the reason we cannot see your balances or transactions is because the wallet metadata needed to identify your addresses is encrypted with an encKey that never leaves your browser.
Even in the hypothetical scenario where someone could extract information from the enclave, they would only obtain the platform's service key. They still would not have access to your encrypted vault data because the encKey required to decrypt it never leaves your browser and is never stored on our servers or in the enclave.
Some additional information:
Vaults on XYZVault use our private Bitcoin node, address and transaction lookups are routed through a blind proxy.
Your browser derives addresses locally, then sends lookup requests to the proxy. The proxy forwards those requests to XYZVault’s private Bitcoin node, but it does not log request data, and the node does not receive account context. That means XYZVault may transiently handle address or transaction queries, but we are not able to tie those queries back to a specific user or vault.
This is different from storing wallet data. XYZVault does not store your addresses, balances, or transaction history. Those are derived and computed client-side each time the vault loads. The proxy only exists so users can query chain data without relying on third-party public APIs.
This is helpful.
And you got to exactly what I was worried about: if my descriptor is encrypted, I need to treat the passphrase/key for that encryption like another key in my multisig, because without it, none of us are going to be able to move my coins.
However, I think your model does have something that is interesting: assuming that I have a separate copy of the descriptor that I can backup on my own, having an encrypted version that lives elsewhere is very handy. Tying it to a set spending policies I determine is even cooler.
You may already be doing this, but what would be really cool is if the passphrase that encrypted the data in the enclave was derived from both the keys to the multisig that I keep so that I could use either one to decrypt the data.
Currently, there is no account recovery path. Your encryption key is derived from your passphrase, and neither is ever transmitted to or stored by the platform. If you lose your passphrase, we cannot recover your account or decrypt your vault data.
That said, you've raised a good idea. This could be an opt-in feature which will allow the user to enroll their hardware devices as recovery keys.
I think there's a bip (BIP 138) that is doing something like this.
https://github.com/bitcoin/bips/pull/1951
I readen lot of documentation and spend hours on understanding these bip 138 concepts but they are pure technical term that a casual user like me won't understand however 30 CC for the link
👋 Hi just discovered XYZVault.
We run satstools.com — 42 free Bitcoin-only tools for serious stackers, miners & Lightning users across English, Spanish & Portuguese markets.
We have a few advertising slots open for Bitcoin-native brands only. No altcoins. No fiat companies.
Check our Media page 👉 https://satstools.com/media
Apply here for our Media Kit 👉 https://satstools.com/sponsor 🟠⚡️"
No data cause it stoopid
https://m.stacker.news/144257
For those who are curious on what the platform looks like, here you go! I'm always open to feedback on improving the UX, as well as, the security of the platform.