Root of Trust
& Digital Bearer Asset Inheritance

Using social recovery as a personal, offline, geographically distributed root of trust.

A few words about me
Boaz Bechar

  • Father of two
  • Former SVP digital assets and cyber innovation
  • Previously: Citi, Bitmain, BTC.com, Blocktrail

The bus factor

What happens to your keys if something happens to you?

Disaster Recovery for the self-custodian is still a wild west.

A detour into what lasts

It's hard to hold onto anything for decades.

A 1989 certificate in Boaz's name for planting a tree in Israel
A handwritten 1986 invitation addressed to Boaz Bechar

Kept ~40 years, and still here.

You're in good company

Even the largest institutions back up keys on paper.

…move it to USB sticks and paper backups. We then take these to a safe deposit box.

Source: Coinbase blog, 2012

The Coinbase team goes to a secure location… and prints out keys that are then split up using… scannable QR codes. We… apply… Shamir's Secret Sharing… split it into a bunch of chunks… a threshold… sufficient to reconstruct the original. The binders full of billions of dollars worth of keys are then divided among various secure locations.

Source: CoinDesk, 2018

Printed key backup, USB sticks, and Coinbase laptop (Coinbase blog, 2012)
Paper backup and USB key in a safe deposit box (Coinbase blog, 2012)

Photos: Coinbase blog, 2012

The gold standard

The internet's own root of trust is a ceremony.

ICANN's DNSSEC root key ceremony

Trusted officers, smartcards, safes, tamper-evident bags, filmed for the world to audit.

IANA · Root KSK Ceremony 61

Institutions aside

So what do the rest of us do?

A hardware wallet is a signing device, not long-term storage, so the real backup falls to you.

The typical setup today

A seed on a card at home is cash under the mattress.

Seed phrase (illustration: a card with 12 numbered, blank word slots)

  • Fire: one bad day, gone
  • Flood: ink and paper don't swim
  • Evil maid or houseguest: brief access is enough
  • Ballistic missile: if you're in the Mideast

The usual approaches

What we try, and where it breaks.

  • Etched metal plate: survives fire and flood, but still one copy in one place.
  • Split it: two spots, now two single points of failure.
  • On-chain mechanics: on-chain timelocks or multisig, hostage to one protocol.
  • Buy the ETF: give up self-custody.

I needed something chain-agnostic and disaster-resilient.

The other failure mode

Insider risk for the self-custodian.

  • Can you trust yourself?
  • They're family, not security experts
  • Self-custody is a privilege and a burden

The physical threat is real

The $5 wrench beats $5,000 of cryptography.

  • 82 documented attacks in 2025: the worst year on record, roughly double the prior peak
  • 331 documented since 2014, and most go unreported

Data: Jameson Lopp · github.com/jlopp/physical-bitcoin-attacks

The turn

What if the secret never lived in one place?

No crown jewel.

A safe that's geographically distributed.

Disaster-resilient by design.

It's not a new idea

A safety net made of people you trust.

Apple · Account Recovery Contacts
Facebook · Trusted Contacts

Right idea, hard problem

“The human brain is quite poorly suited for remembering passwords and tracking paper wallets, but it's an ASIC for keeping track of relationships with other people.”

Vitalik Buterin · “Why we need wide adoption of social recovery wallets,” 2021

It doesn't have to be social

Diagram: your secret, split into shares 1 to 6.

Any 3 of 6 rebuilds it.

Split it. Spread it out.

  • Social recovery doesn't have to be social: hold every share yourself
  • Spread them across places: a safe abroad, a USB in a drawer, a shard online
  • Pick any threshold: 2-of-3, 5-of-10, 10-of-20
  • Each share is useless alone; it only works combined
m-of-n threshold

So I built it

A printed PaperVault KEY page with a QR code and key details
A printed PaperVault VAULT page with a QR code and vault details

A foundational password vault

Store secrets and passwords on encrypted paper with distributed keys. Designed to last generations.

  • Open source
  • Run it yourself, offline
  • Secured with m-of-n keys
  • Social recovery
  • Digital inheritance

A home for every secret

What goes in a paper vault?

A two-factor authentication setup screen listing ten one-time account recovery codes
  • Your 2FA recovery codes
  • The disk-encryption key when you unbox a new laptop
  • Anything that doesn't naturally fit in a password manager…
  • …like the password to your password manager.

The trap

Cyclic dependencies lock people out.

Her phone (needs) → Apple password (lives in) → Password manager (needs) → 2FA app (was on the phone)
Locked out

Exactly the moment you reach for a break-glass recovery tool.

The unanswerable question

Where do you keep the password to your password manager?

The two-buttons meme: a sweating person agonizing between two red buttons labeled 'Authy password in password manager' and 'Authy password memorable'

Choices that matter on paper

The boring details decide if it works.

Annotated PaperVault vault page: encrypted QR, matching color codes, integrity warning, tactical white space, unlock instructions, and vault metadata

Printed on archive-grade paper, stored in tamper-evident envelopes.

Under the hood

It comes down to four functions.

src/services/EncryptionService.js
import { split, combine } from 'shamir-secret-sharing';

export class EncryptionService {
  // 1. AES-256-GCM encrypt (Web Crypto API)
  static encrypt(secret, password) { … }
  // 2. split the key into m-of-n shares
  static splitKey(key, shares, threshold) {
    return split(key, shares, threshold);
  }
  // 3. combine a threshold of shares back into the key
  static combineShares(shares) {
    return combine(shares);
  }
  // 4. decrypt with the recovered key
  static decrypt(data, key, iv) { … }
}

Native Web Crypto API for encryption, Privy's audited shamir-secret-sharing for key splitting.
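
The "Any 3 of 6 rebuilds it" slide and the split and combine steps above, as an added example that is not PaperVault's or Privy's code: a minimal Shamir split and combine over GF(2^8), so the threshold behaviour can be checked directly. The function names, the share layout and the sample key are assumptions of this example; for real secrets use the audited library.

```javascript
// Added illustration, not PaperVault or Privy code. Names and share layout are assumptions.
const defaultRandom = (len) => crypto.getRandomValues(new Uint8Array(len));
// Multiply in GF(2^8), reducing by the AES polynomial 0x11b.
function gfMul(a, b) {
  let p = 0;
  for (; b; b >>= 1) {
    if (b & 1) p ^= a;
    a = (a << 1) ^ (a & 0x80 ? 0x11b : 0);
  }
  return p;
}
// Multiplicative inverse as a^254 (a^255 = 1 for every non-zero a).
function gfInv(a) {
  let r = 1;
  for (let i = 0; i < 254; i++) r = gfMul(r, a);
  return r;
}

// Split secret (Uint8Array) into n shares laid out as [x, y_0, y_1, ...]; any m rebuild it.
// Each byte is f(0) of its own random degree m-1 polynomial, so x = 0 is never issued.
function splitSecret(secret, n, m, randomBytes = defaultRandom) {
  if (m < 2 || m > n || n > 255) throw new RangeError('need 2 <= m <= n <= 255');
  const shares = Array.from({ length: n }, (_, i) => new Uint8Array(secret.length + 1).fill(i + 1, 0, 1));
  secret.forEach((byte, k) => {
    const coeffs = [byte, ...randomBytes(m - 1)];
    for (const s of shares) s[k + 1] = coeffs.reduceRight((y, c) => gfMul(y, s[0]) ^ c, 0);
  });
  return shares;
}

// Lagrange interpolation at x = 0; weight_i = product over j != i of x_j / (x_j - x_i), minus is XOR.
function combineShares(shares) {
  const xs = shares.map((s) => s[0]);
  if (new Set(xs).size !== xs.length) throw new Error('duplicate share');
  const out = new Uint8Array(shares[0].length - 1);
  shares.forEach((s, i) => {
    let w = 1;
    xs.forEach((xj, j) => { if (j !== i) w = gfMul(w, gfMul(xj, gfInv(xj ^ xs[i]))); });
    for (let k = 0; k < out.length; k++) out[k] ^= gfMul(w, s[k + 1]);
  });
  return out;
}

// Constructed 3-of-6 check: does recovery work when only `kept` shares are left?
function survives(kept, randomBytes) {
  const key = Uint8Array.of(0xde, 0xad, 0xbe, 0xef); // constructed sample key
  const shares = splitSecret(key, 6, 3, randomBytes).slice(0, kept);
  return combineShares(shares).every((v, i) => v === key[i]);
}
```

Combining fewer shares than the threshold raises no error; it returns bytes that are not the key, so a recovery tool needs a separate integrity check (here AES-GCM's authentication tag would reject the wrong key).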

Don't trust, verify
Is the encryption really done in my browser?
Yes. AES-256-GCM via the Web Crypto API, fully client-side. No network calls.
What if I lose two of my five shares?
3-of-5 means you can lose two and still recover. Lose three and it's gone, by design.

Audit it by talking to it.

  • Open source: every line on GitHub, MIT-licensed
  • Chat with the codebase in plain language
  • Let AI help you reason about your own threat model

Going pro

The same gear institutions use.

Reams of archival-grade copy paper, premium wove watermarked, National Archives approved
Archive-grade paper
Acid-free, built to last decades
Source: archivalsurvival.com.au
An annotated tamper-evident security envelope: self-sealing closure, serialized numbering, and seam tamper-evidence
Tamper-evident envelopes
A guardian can tell if a share was opened
Source: SECUR-PAK

Live demo

Let's create a vault, and unlock it.

papervault.xyz · works with the wifi off

In one line

A root of trust that's yours: offline, distributed, on paper.

Encrypt · AES-256
Split · Shamir m-of-n
Print · survives decades

Open source · works offline · designed for resilience

Thank you, and special thanks to the Privy team for the Shamir library. Questions?