We’re excited to announce that the latest version of Passport firmware – 2.3.8 – is now live! To download it, simply initiate the update from Envoy to be guided through the process.
WHAT’S CHANGED
For more details on each of the changes, keep reading below!
IMPROVEMENTS
Onboarding updated for Envoy 2.0 compatibility
Added a black splash screen for Stealth units
BUG FIXES
Fixed signing error when consolidating SegWit into Taproot addresses
Fixed a non-user-facing issue where the keypad test was not functional upon provisioning new devices in the factory
VERIFYING, REPRODUCING, AND INSTALLING PASSPORT FIRMWARE
If you’d like to verify and install the latest version of Passport manually, you can follow our guide on the topic here: Firmware Update support page
If you’d like to take the additional step of testing the reproducibility of Passport’s firmware, you can follow our guide on the topic here: Reproducibility Guide.
The latest version of Envoy – 2.0.1– is now published on all your favorite mobile platforms! To download it, simply visit our download page or check for updates on your platform of choice.
Please note that there can be a significant lag from publishing to general availability due to Apple App Store and Google Play Store review policies and delays.
🛠 v2.0.1 Fixes:
After releasing Envoy 2.0.0, some users reported seeing an unexpected prompt asking for Bluetooth permission. While v2.0.0 did introduce Bluetooth support for QuantumLink on Passport Prime, this prompt should not have appeared for users who weren’t pairing a Prime device.
Fixed a visual bug when displaying a descriptor after enabling Taproot
What’s changed
Important upgrade to BDK 2.0 – on first startup, all your accounts will re-sync due to changes in the database format. This will occur automatically when you open the updated app for the first time.
In addition to the updates described below, Envoy 2.0.0 adds initial support for Passport Prime, including QuantumLink Bluetooth connectivity and the device onboarding flow.
For more details on each of the changes, keep reading!
New Features
Completely updated the onboarding flow to be easier and intuitive. It streamlines the onboarding process for non-technical users while keeping all the advanced features accessible to power users.
Unified Taproot and SegWit accounts! Taproot addresses will no longer live in a separate account tile – one account will now be able to have both address types. Head to Advanced Settings to change the default script to be displayed when tapping Receive. If you had a Taproot and a SegWit tile for the same account, they will be merged during the upgrade process, and they will keep the tags they had before upgrading. You will also now be able to choose the type of script to export in the descriptor.
You can now export your wallet metadata in BIP-329 format! This will save your Notes and Tags in a way that you can easily import them in other software wallets, like Sparrow. Head to Advanced backups under Backups in the app menu to find this option.
Manual to Magic (and vice versa) is here! Manual users can now go to the Backups menu and opt in to Magic backups. Likewise, Magic Backup users can go to the Backups menu and disable the toggle to become manual users – the Magic Backup will be deleted from our servers.
Tapping an item in Activity now opens the relevant event associated to it! So if you tap in a transaction, for example, it opens the transaction details directly in the Activity view.
Brand new currency selector: Over 160 new fiat pairs now available in Envoy! Be sure to head to settings and change the fiat value to the one you want to use. Hint: You can now search for the currency name or code.
Added new Electrum backend options! If you don’t use your own node and you don’t want to use Foundation’s node for transaction relaying and checking balance, you can now connect to some other well-established nodes. Head over to the Privacy tab and check the dropdown under Node.
Envoy now upgraded from using testnet3 to testnet4 and from Mutinynet Signet to Global Signet. Upon upgrading, you will be notified that the accounts in the old networks have been deleted – you will need to go to settings and re-enable testnet or signet to start working on the new networks.
Improvements
Upgraded from BDK 0.28 to BDK 2.0!! This is a MAJOR update. The app now streamlines most processes in parallel, numerous interactions have been rewritten, and the results are great! Expect reduced loading times across the board, a smoother experience, reduced sync times, and fewer bugs.
Redesigned the way RBF fees are displayed to make it clear how much the user is paying and how much it is replacing. When doing an RBF, tap the “i” icon next to the new “Boost fee” field displayed in the transaction review screen to clearly understand the fee structure
Envoy will now ask you to re-authenticate if you had the lock privacy feature enabled after the app has entered the background.
Increased the note character limit to match the spec of BIP 329.
Visual refresh to the main menu, as well as to the Backups menu.
Added screen and logic to require app update should an urgent vulnerability come up in the future.
Tapping “Receive” now shows the next unused address, instead of changing every time irrespective of wallet activity.
Updated Arti to 1.4.3.
Updated Flutter to 3.27.1.
Standardized and localized messages across the board for Ramp, BTCPay, and Azteco purchases.
Improved the behavior of “Cancel Transaction” and improved the way edge case errors are handled.
Tapping “Send max” will now display all the trailing zeroes when using BTC as a unit for easier visualization of quantity being sent.
Improved logging for Magic Backup and networking issues for easier troubleshooting.
Added a low-res map for when the ATM map API can’t be loaded in the Buy area.
The “learn more” hyperlinks will now link to the specific area dedicated to them in our documentation, instead of linking to the more generic page.
Using Android’s gesture on the side of the phone will now unselect coins if you are doing coin control.
Improved translations.
Bug Fixes
Fixed a bug that impacted iOS users where the file picker would not come up if you mistakenly saved the update file in a location other than the SD card once before.
Fixed a bug that impacted iOS users where sometimes the red dot alerting of a new firmware version would persist even after downloading the latest version.
Fixed an issue that would show a different date for transactions on-chain and into Envoy.
Fixed an issue where some transactions would still show as pending even though they were confirmed on-chain.
Fixed several minor scrolling and scaling issues for users with large font sizes.
Fixed a minor issue where notes added to boosted Passport transactions or Ramp purchases would not be properly saved.
Fixed a minor UI issue where incoming txs would at times show as “Boosted”.
Fixed a minor issue where deselecting coins during “Edit Transaction” would not refresh the actual transaction.
Fixed a minor issue where some countries would not show in alphabetical order when selecting region in the “Buy” menu.
Fixed an edge case bug where importing an incorrect backup file multiple times in a row could sometimes yield in an unresponsive screen.
Added an alert icon in a dialog that was missing it when deleting a passport account.
Fixed a minor bug where killing the app while selecting a country allowed a user to select a region belonging to a different country in the Buy region selection.
Gracefully handle an error when opening a specific type of unsupported link, instead of showing an off-spec error message.
Tapping the decimal point straight away in the send screen works now without having to tap “0” first.
Fixed a minor bug where pairing an old passport would not display the red dot alerting of new versions on a fresh Envoy install.
Fixed a minor issue where the user would be warned about emptying their wallet when trying to delete an already empty wallet.
Minor visual and flow improvements across the board.
Hardened the code overall by updating some libraries with known edge case vulnerabilities.
Verifying Envoy on Android
If you’d like to take the optional additional step of verifying Envoy binaries on Android, follow our guide: Verifying Envoy on Android
Losing access to a wallet or device doesn’t need to mean panic. We’ve built Magic Backups into both Envoy and Passport Prime to make backup and recovery seamless, without compromising on privacy. No accounts. No emails, and most importantly, no access to your seed or data by Foundation. Ever. Just strong encryption, smart design, and a bit of cryptographic magic.
Let’s walk through what makes our backups so Magic.
🔐 Magic Backups in Envoy
When you set up an Envoy mobile wallet, it generates a Bitcoin seed and stores it securely in your phone’s secure element, a hardware-protected environment isolated from apps and the operating system.
From there, Magic Backup kicks in behind the scenes to keep your wallet recoverable.
📁 What We Actually Store (and what we don’t)
When Magic Backup is enabled in Envoy, the app automatically creates a secure, encrypted backup of your wallet’s non-sensitive data, things like account labels and settings, so you can restore your wallet exactly how you left it. This backup is created and stored in a way that keeps your seed and personal information completely private.
Here’s exactly what happens when that backup is created:
Secure seed sync via Apple or Google
Most users have iCloud Keychain or Android Auto-Backup enabled. This means your encrypted seed, stored in the secure element, is automatically backed up across your devices, fully end-to-end encrypted by your operating system.
✅ Foundation never sees your iCloud or Google account, never sees your seed, and doesn’t need permission to back it up.
Encryption with your seed: Your Envoy settings, labels, and connected Passport accounts (if you have any) are encrypted using your mobile wallet seed as the encryption key. This means only someone with access to your seed can decrypt the backup.
Stored as a secure file: The encrypted backup file is uploaded to Foundation’s servers as a file of data. We have no access to the contents, no ability to decrypt it, and no knowledge of what’s inside.
Private identifier: To allow Envoy to retrieve your backup later, your encrypted metadata is stored alongside a SHA256 hash of your mobile wallet seed. This lets our server verify that a restore request is legitimate without ever knowing your actual seed.
🔄 Recovery in Seconds
If you ever lose your phone or reinstall Envoy, getting your wallet back is quick and effortless:
Make sure you’re signed in to your Apple or Google account.
Install Envoy and create a new mobile wallet.
Set up with Magic Backups.
Done, your wallet is automatically restored!
👩🏻💻 What’s Happening Behind the Scenes
Here’s how Magic Backup works in the background:
Envoy checks the secure element on your phone to see if a mobile wallet seed already exists.
a) If it finds one, it creates a SHA256 hash of the seed (like a digital fingerprint) and sends it to Foundation’s servers.
b) This hash proves you know the seed, but doesn’t reveal the seed itself.
If no seed is in the SE, Envoy checks your device’s iCloud Keychain or Android Auto-Backup and restores the seed to the secure element.
a) It then hashes the newly restored seed and sends that hash to the server.
Our server uses the hash to verify that the request is legitimate. If it matches a stored record, the server sends back your encrypted backup file.
Envoy then uses the seed it has stored on the phone to decrypt the backup file directly on your device, restoring your wallet settings, labels, and preferences, exactly how you left them.
🔐 Why It’s Secure
Your seed is never sent to our servers.
Your backup is encrypted before it ever leaves your phone.
We store only a blind, encrypted file and a hash, nothing identifiable.
Only you can decrypt your data, and only with your seed.
🎬 Ready to see the magic for yourself?
We’ve made setting up Magic Backups in Envoy as smooth as it gets, but seeing is believing.
Watch our step-by-step tutorial below and get set up in minutes.
🛡️ Magic Backups in Passport Prime
We’ve seen how Magic Backups in Envoy make recovering your mobile wallet effortless, with your seed secured by your device, backed up to your cloud and your settings backed up as an encrypted file.
Passport Prime takes that to a whole new level, as a personal security platform, it protects not only Bitcoin, but also 2FA credentials, encrypted files, security keys, extra seeds and more.
Magic Backups work differently here, and it’s important to note:
🔁 Passport Prime and Envoy each have their own separate Magic Backups.
Envoy Magic Backup secures your mobile wallet seed and app data.
Prime Magic Backup securely stores your Passport Prime app data and part of your Master key.
These are two distinct encrypted files, stored on the Foundation server.
🔐 How Your Master Key Is Secured with Passport Prime
When you set up Passport Prime, your Master key isn’t just stored in one place, and you’re never asked to write it down, but you can, of course, choose to do so by retrieving your seed words from the Backups screen.
By default, Prime uses a secure, privacy-preserving system called Shamir Secret Sharing to split your seed into three parts:
The first part is saved onto the NFC Keycard
The second part is saved onto the NFC Keycard
The third part is encrypted and securely stored on your phone’s secure element and backed up to iCloud Keychain, just like the Envoy seed
You only need any two of the three parts to fully recover your Master Key.
This approach gives you the redundancy to lose a card or your phone and still recover, without ever exposing your complete master key to a single location.
🧩 Envoy’s Role in Prime’s Recovery
When you set up Passport Prime, the device doesn’t just split your master key; it also prepares a secure backup of your Prime-specific app settings and data. These actions are initiated by Prime and securely transmitted to Envoy using QuantumLink our end-to-end encrypted Bluetooth tunnel.
Want to know how it works? Learn more about QuantumLink here.
Here’s how it works:
Prime creates a dedicated Prime Magic Backup file containing your app settings and data (like account labels and configuration data). This file does not contain your master key.
Prime also securely sends one of the three Shamir master key parts to Envoy as part of the 2-of-3 backup system.
The Magic Backup file is encrypted using a key derived from your master key in Prime (which is only reconstructed during recovery).
Prime sends the encrypted backup and associated metadata to Envoy via QuantumLink.
Envoy then uploads the encrypted file to Foundation’s servers, and includes a cryptographic hash of the master key, allowing the server to recognize the backup without learning anything sensitive.
🛑 Reminder: This backup is completely separate from the Magic Backup for your Envoy mobile wallet. Each product manages its own backup file, using its own encryption.
Just like with Envoy’s mobile wallet backups, the master key never leaves Passport Prime also:
Foundation can’t see your master key.
Foundation can’t see your data.
🔁 Restoring Passport Prime
If your Passport Prime is ever lost, reset, or replaced, recovery is quick without needing to re-enter your master key.
Here’s how it works:
Power up a new Passport Prime and connect it to Envoy.
Tap one of your NFC Keycards to the device.
Passport Prime receives both the Keycard’s part and the part stored in Envoy, then reconstructs the master key locally on Prime.
Prime then requests your Prime Magic Backup from Foundation’s servers via Envoy, using a cryptographic hash of the master key to identify it.
Once received, Prime decrypts the backup locally, restoring your account labels and settings.
💡 If the part stored in Envoy is missing or unavailable, you can still recover your Prime wallet using both NFC Keycards. Passport Prime accepts any two of the three Shamir parts, even if one part is lost.
🔚 Bitcoin and Beyond.
Magic Backups were built with one goal in mind: to make backup and recovery easy, seamless, and so private that you never have to think about it, until you need it.
Whether you’re backing up Bitcoin on Envoy, or securing your 2FA credentials and sensitive data with Passport Prime, the process is the same:
Your data is encrypted before it ever leaves your device.
Foundation never sees your keys or your settings.
Recovery is in your hands, always.
Just simple, private, self-sovereign recovery, across your entire digital life.
