Francis Pouliot – Solving Self-Custody: Making Sovereignty Simple

I’ve been orange-pilling people for 12 years and installing Bitcoin wallets — probably close to 10,000 of them. And every single time, I have to walk someone through a terrifying list of ways they can get screwed. There has to be a better way. I shared this thinking on the BTC Prague stage.

The Hard Path

At Bull Bitcoin — the non-custodial, Bitcoin-only exchange I founded in Canada about 12 years ago — we have a philosophy we call the hard path. Our goal is to scale the Bitcoin user experience to reach more sovereign-minded individuals, without compromising on the cypherpunk ethos: absence of third parties, trust minimization, censorship resistance, permissionless access, anonymity, and privacy.

The easy path is to make compromises. Lots of companies do it. We don’t. Our zone of acceptable compromise is very small. We want large-scale Bitcoin adoption with amazing UX — without selling paper bitcoin, without pushing ETFs, without custodial shortcuts. We want to create sovereign individuals, and the core of sovereignty in Bitcoin is self-custody.

The Four Problems with Self-Custody

There are four main issues with self-custody: fiat on/off ramps, payment speed and cost, wallet backups, and inheritance. We’ve largely solved the first two with Bull Bitcoin and our wallet using Liquid swaps. The two remaining problems are wallet backups and inheritance.

Seed phrases — the BIP 39 standard invented in 2013 — are the weak point. When I orange-pill someone, I end up saying: if you don’t back up, you’re screwed. If you lose your backup, you’re screwed. If someone finds your metal plate, you’re screwed. Add a passphrase — but if it’s weak, you’re screwed. Forget it, you’re screwed. Store both together, you’re screwed. It becomes impossibly complicated for everyday people.

Introducing Recoverable

So we built something called Recoverable — available at recoverable.com. Here’s how it works: your seed generates a 256-bit key via BIP 85. That key encrypts your mnemonic using AES, creating an encrypted vault file. That file goes to your Google Drive, Apple Cloud, Proton Drive — wherever you like.

Your user password — even a simple PIN — is combined with a random salt using the Argon2 hashing algorithm to produce an authentication key and an encryption key. The encryption key wraps the backup key and is stored on the Recoverable server, an anonymous service the wallet connects to over Tor. There is no email, no KYC, no IP address exposure. The server doesn’t know where your backup file is. Your drive doesn’t know where your key is. Nothing links them together.

The server uses rate limiting — only three requests per day — so even a six-digit PIN is effectively brute-force-proof. To recover, you grab your encrypted file, enter your PIN, and the server returns your encrypted backup key. Decrypt it, and your seed is back.

What This Is — and What It Isn’t

This is an alternative to custodial wallets and physical seed backups for hot wallets. It is not a replacement for hardware wallets, multisig, or long-term cold storage. Don’t use this for your life savings. Use it on your mobile wallet when you’re orange-pilling your taxi driver at 2am in a bar.

Recoverable is fully open source — the client is written in Dart, the server in Rust. Any wallet developer can implement it. We built on ideas from the Photon SDK by developer Tankred Haus, whom I want to credit. A full 30-page white paper with threat modeling is available at recoverable.com