# Recover Private Keys Use the process described in these pages to recover your organization's private keys, independently of Fordefi. ## Before you start To recover its private keys, you must must possess the following: - The encrypted backup snapshot. - The recovery phrase of each dedicated admin (when using the Recovery Phrases backup method), or the private key matching the public key used for backup (when using the Public Key Upload backup method). Together, they allow you to reconstruct the private keys independently of Fordefi. Recommendation Recovering private keys should be performed on an external, offline device. ## Procedure 1. Download the Fordefi recovery tool. For your security, we provide the SHA-256 hash of each ZIP file so you can verify the integrity of your download. The checksums apply to the ZIP archive itself (not to the contents inside). You can find these hashes here: [Checksums](/assets/recovery-tool_checksums.02beb043aad37e626705edeefb3f7a3423d445c00e5fa124f28ddb35dd87d578.8a09eedf.txt). MacOS Intel Download Recovery Tool MacOS Apple Silicon Download Recovery Tool Linux Download Recovery Tool Windows Download Recovery Tool 1. Extract the recovery tool .zip file. 2. Extract the backup snapshot .zip file. 3. Put the recovery tool and the backup snapshot in the same directory, and then open a terminal and navigate to this directory. 4. Depending on the [backup method](/user-guide/backup-and-recover-private-keys#backup-methods) you have used, proceed to one of the following sections: ### Recovery phrases Run the command that suits your operating system: Windows ```bash recovery-tool.exe key-share-recover -p '\path\to\backup.json' -o output_file.csv ``` MacOS/Linux ```bash ./recovery-tool key-share-recover -p '/path/to/backup.json' -o output_file.csv ``` When prompted, enter the minimum number of recovery phrases, as configured during the backup. Do this as follows: ``` Enter mnemonic #1: afraid pole typical never dad symbol present stable adult garbage climb riot Enter mnemonic #2: hybrid puppy section doll mention next deal eight agree erase lunch observe ``` ### Public key upload Run the command that suits your operating system: Windows ```bash recovery-tool.exe public-key-recover -p '\path\to\backup.json' -k my_file/private_key.pem -o output.csv ``` MacOS/Linux ```bash ./recovery-tool public-key-recover -p '/path/to/backup.json' -k my_file/private_key.pem -o output.csv ``` ### Public key upload via YubiKey Ensure you have the `backup_snapshot.json`, Fordefi `recovery-tool` binary and the appropriate recovery script (`run_recovery.sh` for macOS/Linux or `run_recovery.bat` for Windows) in your working directory. Your YubiKey should contain an RSA-2048 private key in PIV slot 9D with a 6-8 character PIN configured. For the full recovery process, scripts, and detailed instructions, see the [Fordefi API Examples GitHub repository](https://github.com/arnac-io/api-examples/blob/main/misc/README.md). Run the following commands, as suit your operating system: Windows **Prerequisites:** - Install [YubiKey Manager](https://www.yubico.com/support/download/yubikey-manager/) - Install [OpenSC](https://github.com/OpenSC/OpenSC/releases) **Verify YubiKey:** ```powershell & "C:\Program Files\OpenSC Project\OpenSC\tools\pkcs11-tool.exe" --module "C:\Program Files\Yubico\Yubico PIV Tool\bin\libykcs11.dll" --list-objects --pin YOUR_PIN ``` **Recovery command:** ```powershell .\recovery-tool.exe public-key-recover -d "cmd /c run_recovery.bat YOUR_PIN" -p "backup_snapshot.json" > private_keys.csv ``` MacOS/Linux **Prerequisites:** ```bash # macOS brew install yubico-piv-tool opensc # Linux (Ubuntu/Debian) sudo apt-get install -y yubico-piv-tool opensc libengine-pkcs11-openssl ``` **Verify YubiKey:** ```bash # macOS pkcs11-tool --module /opt/homebrew/lib/libykcs11.dylib --list-objects --pin YOUR_PIN # Linux pkcs11-tool --module /usr/lib/x86_64-linux-gnu/libykcs11.so --list-objects --pin YOUR_PIN ``` **Recovery command:** ```bash ./recovery-tool public-key-recover -d './run_recovery.sh YOUR_PIN' -p 'backup_snapshot.json' > private_keys.csv 2>&1 ``` ### Options The following list of options for the recovery tool are available for all the recovery methods described above. - `-p` specifies the path to the .json file that was generated during the backup process. Here, it is `backup.json`. - `-b` can be used instead of `-p`. It lets you input the contents of the .json file through stdin. - `-o` (optional) specifies the output file. In the example,`output_file.csv` contains the recovered private keys. If this option is not used, the output will be displayed in stdout. - `-k` - When using the "public key upload" method, this option specifies the path to a file that lets you provide the private key in PEM format. - When using the "recovery phrases" method, this options lets you provide the admins' recovery phrases. If this option is not used, you can enter the recovery phrases later, when prompted. - `--export-electrum-dir` (optional) A directory. If provided, Fordefi exports into this directory private keys that can be easily imported into an Electrum Bitcoin wallet. Fordefi creates one file per vault with all the vault's keys in both legacy and SegWit formats. ## Use the recovery output file The output consists of private keys (in hexadecimal format) for each of the vaults created in your Fordefi workspace. For example: alt You can now use the recovered private keys to [access your funds](/user-guide/backup-and-recover-private-keys/recovery/recover-funds).