Back Up Organization Keys

It is crucial that you back up your private keys after you activate your Fordefi account. A backup will allow you to retain access to your private keys in either of the following cases:

  • You lose access to all the mobile devices in your organization on which the Fordefi app has been installed.
  • You wish to use your private keys independently of Fordefi. Doing so protects you even in the unlikely event that something unforeseen happens to the key material on the Fordefi side.

Back up within seven days

After you activate your organization, you are required to perform a backup of your private keys within seven days. If seven days have elapsed without a backup, your organization will be temporarily prevented from creating transactions or vaults until you complete the backup.

Backup methods

Fordefi provides admins with two quick and easy methods to back up an organization's private keys:

  • Recovery Phrases: With this method, two admins are designated to each create and hold a recovery phrase. The two phrases are required to recover an organization's private keys. Learn more.
  • Public Key Upload: With this method, you can use a backup key that was created on an air-gapped machine. You upload the public key to Fordefi, while the private key remains on the air-gapped machine. Learn more.

In addition to the backups that you initiate, Fordefi regularly sends you an encrypted backup snapshot over email.

Manage your backup snapshot

The backup snapshot contains the encrypted MPC shares and the data about all the vaults in your workspace. For each vault, the snapshot contains its name, address, and, most importantly, its derivation path. Whenever you create a new vault, Fordefi generates an up-to-date backup snapshot, which contains the information of the new vault, and sends it to you. The encrypted MPC shares are the same in all your backup snapshots (apart from the case where you import new keys into your workspace).

When you run the recovery tool, the tool first reconstructs the master private key from the encrypted MPC shares, and then uses the additional vault information from the snapshot to derive the private key of each of the vaults in your workspace from the master key.

This has two implications. On the one hand, having an up-to-date backup snapshot is recommended, since it allows automatic recovery of all your vaults. Therefore, we recommend that you store each updated snapshot file sent to you over email (as opposed to, for example, downloading the backup snapshot only once).

On the other hand, having an up-to-date backup snapshot is not critical: even if you only have an older version of the backup snapshot, you can still recover your private keys by manually providing the derivation path of each vault. Even if you don't have the derivation paths, they can be easily enumerated, since they follow a predictable pattern. Learn more about manually deriving vault private keys.

Prerequisites for recovery

To recover its private keys, an organization must possess the following:

  • The encrypted backup snapshot.
  • The recovery phrase of each dedicated admin (when using the Recovery Phrases backup method), or the private key that was generated on the air-gapped machine (when using the Public Key Upload backup method).
  • The recovery tool that is provided with your Fordefi account.

Together, they allow you to reconstruct the private keys independently of Fordefi.

Learn about the recovery process in detail.