Back Up Private Keys - Public Key Upload Method

Back up an organization's private keys by uploading a public key to Fordefi.

The following are instructions for backing up an organization's private keys by uploading a public key.

To reduce the risk of compromise, you might want to use a backup key that has been created on an air-gapped machine. Create a 2048-bit RSA key pair (private and public), then upload the public key in PEM format to Fordefi.

  • To create the private key using OpenSSL, use the following command:

    openssl genrsa -out key.pem 2048

  • To extract the public key:

    openssl rsa -in key.pem -outform PEM -pubout -out public.pem
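Before uploading, it is worth confirming on the machine that holds key.pem that public.pem is PEM-encoded, is 2048-bit RSA, and is the public half of that private key. The following check is an added example, not a Fordefi tool; the function name check_backup_pubkey is hypothetical and the file names are those used in the commands above.

```shell
#!/bin/sh
# Added example: pre-upload check for the backup key pair.
# check_backup_pubkey is a hypothetical helper, not part of Fordefi.
# Usage: sh check.sh key.pem public.pem

check_backup_pubkey() {
    priv=$1
    pub=$2

    # 1. The upload must be PEM: a DER file has no armor line.
    if ! head -n 1 "$pub" | grep -q '^-----BEGIN PUBLIC KEY-----'; then
        echo "FAIL: $pub is not a PEM public key" >&2
        return 1
    fi

    # 2. It must parse as an RSA public key with a 2048-bit modulus.
    bits=$(openssl rsa -pubin -in "$pub" -noout -text 2>/dev/null |
           sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p')
    if [ "$bits" != "2048" ]; then
        echo "FAIL: expected 2048-bit RSA, got '${bits:-unparseable}'" >&2
        return 1
    fi

    # 3. It must be the public half of the private key kept offline;
    #    otherwise the encrypted backup cannot be decrypted with it.
    from_priv=$(openssl rsa -in "$priv" -pubout -outform DER 2>/dev/null |
                openssl dgst -sha256 -r | cut -d' ' -f1)
    from_pub=$(openssl rsa -pubin -in "$pub" -pubout -outform DER 2>/dev/null |
               openssl dgst -sha256 -r | cut -d' ' -f1)
    if [ "$from_priv" != "$from_pub" ]; then
        echo "FAIL: $pub does not match $priv" >&2
        return 1
    fi

    # SHA-256 of the DER-encoded public key, kept as a local reference.
    echo "OK rsa-2048 sha256=$from_pub"
}

# Run the check when the script is given both file names.
if [ "$#" -eq 2 ]; then
    check_backup_pubkey "$1" "$2"
fi
```

Only public.pem leaves the machine; key.pem is read locally and never written elsewhere by this check.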

The backup process is performed in two phases:

  • In the Fordefi web console: An admin uploads the public key file and specifies a backup email.
  • On admins' mobile devices: The initiating admin verifies the backup and other admins approve it.

In the Fordefi web console

  1. In the side menu, click Settings and then click the Backup tab.

  2. In the list of backup methods, select Public key upload.

  3. In Upload public key, choose the public key file. Ensure that it is in PEM format.

  4. In Set the backup email address, enter a backup email address.

  5. Click Initiate backup process.
    An updated backup snapshot of the metadata and an encrypted copy of the organization's private keys are sent as a .json file to the backup email address.

On admins' mobile devices

The initiator of the backup and the admin quorum continue the backup process inside the Fordefi mobile app.

The initiator of the backup

The admin who uploaded the public key receives a mobile verify request. The request displays the following information:

  • Creating user
  • Date and time
  • Email
  • Public key
  • Admin quorum approval list when applicable
  • CTA: Verify or abort

Click Verify.

Admin quorum

The admin quorum receives a backup upload approval request that shows the same information as the initiator's request.

Click Approve.