# Use Public Key Upload

The following are instructions for backing up an organization's private keys by uploading a public key.

To reduce the risk of compromise, you might want to use a backup key that has been created on an air-gapped machine. Create a 2048-bit RSA key pair (private and public), then upload the public key in PEM format to Fordefi.

- To create the private key using OpenSSL, use the following command:
  `openssl genrsa -out key.pem 2048`
- To extract the public key:
  `openssl rsa -in key.pem -outform PEM -pubout -out public.pem`
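
Before uploading, you can check the key pair on the machine where it was created. The script below is an added example, not Fordefi tooling: the function names and the script name in the usage comment are hypothetical, and it assumes the unencrypted `key.pem` and the `public.pem` produced by the two commands above.

```shell
#!/bin/sh
# Added example: pre-upload checks for the backup key pair (not Fordefi tooling).
# Function names are hypothetical. Assumes the unencrypted key.pem and the
# public.pem produced by the two openssl commands on this page.

# Print the SHA-256 (hex) of the DER-encoded public key, for your own records.
pubkey_fingerprint() {
    pem=$(openssl rsa -pubin -in "$1" -pubout 2>/dev/null) || return 1
    printf '%s\n' "$pem" | openssl rsa -pubin -outform DER 2>/dev/null |
        openssl dgst -sha256 | awk '{print $NF}'
}

# Return 0 only if $1 is a PEM public key, RSA, exactly 2048 bits,
# and holds no private key material.
check_backup_pubkey() {
    pub=$1
    [ -r "$pub" ] || { echo "cannot read $pub" >&2; return 1; }
    if grep -q 'PRIVATE KEY' "$pub"; then
        echo "$pub contains a private key; do not upload it" >&2; return 1
    fi
    grep -q '^-----BEGIN PUBLIC KEY-----' "$pub" ||
        { echo "$pub is not a PEM public key" >&2; return 1; }
    text=$(openssl rsa -pubin -in "$pub" -noout -text 2>/dev/null) ||
        { echo "$pub does not parse as an RSA public key" >&2; return 1; }
    echo "$text" | grep -q 'Public-Key: (2048 bit)' ||
        { echo "$pub is not a 2048-bit key" >&2; return 1; }
}

# Return 0 if private key $1 and public key $2 belong to the same pair.
# Both sides are re-encoded by openssl so formatting differences do not matter.
check_pair_matches() {
    from_priv=$(openssl rsa -in "$1" -pubout 2>/dev/null) || return 1
    from_pub=$(openssl rsa -pubin -in "$2" -pubout 2>/dev/null) || return 1
    [ "$from_priv" = "$from_pub" ]
}

# Usage (hypothetical script name): sh check_backup_key.sh key.pem public.pem
if [ "$#" -eq 2 ]; then
    check_backup_pubkey "$2" && check_pair_matches "$1" "$2" &&
        echo "OK, SHA-256 of DER public key: $(pubkey_fingerprint "$2")"
fi
```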


The backup process is performed in two phases:

- **In the Fordefi web console**: An admin uploads the public key file and specifies a backup email.
- **On admins' mobile devices**: The initiating admin verifies the backup and other admins approve it.


## In the Fordefi web console

1. In the side menu, click **Settings** and then click the **Backup** tab.
2. Choose **Public Key Upload** as your backup method.

3. In **Public key file**, choose the public key file. *Ensure that it is in PEM format*.

4. Click **Next**.

5. Specify an email address to receive encrypted backup snapshots. Click **Edit email**.

   You can choose whether or not the system sends you backup snapshots by email.
   - To opt in, toggle on **Get the latest encrypted backup by email**, then specify the email address of the person who will receive the backup.
   - To opt out, toggle off **Get the latest encrypted backup by email**.

   Click **Save**.

   If you have opted out, no encrypted backups are sent by email. You can still download the latest backup snapshot at any time by selecting **Settings** > **Backup** in the Fordefi web console.
6. Click **Initiate backup process**.

   An updated backup snapshot of the metadata and an encrypted copy of the organization's private keys is sent as a .json file to the backup email address.


## On admins' mobile devices

The initiator of the backup and the admin quorum continue the backup process inside the Fordefi mobile app.

### The initiator of the backup

The admin who uploaded the public key receives a mobile verify request. The request displays the following information:

- Creating user
- Date and time
- Email
- Public key
- Admin quorum approval list when applicable
- CTA: Verify or abort


Click **Verify**.

### Admin Quorum

The Admin Quorum receives an approval request for the backup upload, showing the same information as the initiator's request.

Click **Approve**.