
Key Share Backup

Requesting a backup allows you to obtain a copy of all your wallet's private keys and have full control over your funds. You must take proper precautions to keep your backup and the encryption keys private; otherwise, you will either be unable to recover your assets or lose access to all your funds. When recovering funds from the backup alone, the personal key certificate on your phone is not needed and will not help.

How does key backup work

Remember that MPCVault uses key derivation to generate wallets; once you export the root keys, you will be able to calculate the private keys for all addresses generated both before and after the export, as long as the key types (ECC_ED25519 and ECC_SECP256K1) have been backed up. We will provide you with a script to help with the recovery process.

MPCVault employs a 3-of-3 configuration for the multi-party computation setup. A naive approach to exporting the keys would be to give you the three key shares directly, but this poses several problems:

  1. Everyone involved in the backup process would be able to see the values and, therefore, could recover all your wallets and, by extension, your assets.

  2. It is difficult for you to establish internal controls such as a 3-of-5 recovery, since everyone involved with the key backup process will know the values of the key shares.

Therefore, we will ask you to generate three Ed25519 keys on your side, and we will encrypt the key shares using the three public keys. Since we have no knowledge of the private key shares, neither we nor anyone who just saw the exported encrypted keys will know how to decrypt the values. The process is performed in a multi-party manner and MPCVault has no visibility of your key share in the process.

Then, we will return to you three files that are encrypted using the provided public keys along with other necessary public information needed to calculate your private keys, such as chaincode.


A step-by-step guide

Every backup request must be created manually by your account manager. Please contact your account manager if you would like to access this feature.

First, you need to generate three Ed25519 public keys. The easiest way to do this is by using the terminal and following these steps:

  1. Open your terminal.
  2. Paste the following text, replacing the key name:
    ssh-keygen -t ed25519 -C "[key_name]"
  3. Choose a location to save the public and private keys.
  4. Set a password when prompted, if you wish to.
  5. Save the private key and keep it secure. Also, make sure to remember the password. You will need the private key and the password when recovering your assets.
  6. The content of the public key should look like this:
    ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK0wmN/Cr3JXqmLW7u+g9pTh+wyqDHpSQEIQczXkVx9q production-key
    Your public key is AAAAC3NzaC1lZDI1NTE5AAAAIK0wmN/Cr3JXqmLW7u+g9pTh+wyqDHpSQEIQczXkVx9q
  7. Repeat this process three times to generate three unique keys. Alternatively, three different people can generate three different key shares to avoid any single individual having access to the full contents of the key.

Please provide your account manager with the three public keys. You will then receive a key share backup signing request on your phone. All admins in your organization must approve the request before the key shares can be exported via a multi-party computation process.
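
Before sending the keys, it helps to confirm that each line is a well-formed Ed25519 public key, that the three are distinct, and to record their fingerprints for comparison over a separate channel. The following Python check is an added example, not part of MPCVault's tooling or recovery script; the function names and the two constructed sample keys are assumptions for illustration, and the check covers encoding only, not whether the key bytes are a usable key.

```python
import base64
import hashlib
import struct

KEY_TYPE = b"ssh-ed25519"

def parse_ed25519_pubkey(line):
    """Return (base64_blob, raw_key, fingerprint) for one OpenSSH .pub line."""
    fields = line.strip().split(None, 2)
    if len(fields) < 2 or fields[0] != KEY_TYPE.decode():
        raise ValueError("not an ssh-ed25519 public key line")
    blob = base64.b64decode(fields[1], validate=True)
    # Wire format: uint32 length + "ssh-ed25519", then uint32 length + 32-byte key.
    parts, offset = [], 0
    while offset < len(blob):
        if offset + 4 > len(blob):
            raise ValueError("truncated length field")
        (length,) = struct.unpack(">I", blob[offset:offset + 4])
        offset += 4
        if offset + length > len(blob):
            raise ValueError("truncated field")
        parts.append(blob[offset:offset + length])
        offset += length
    if len(parts) != 2 or parts[0] != KEY_TYPE or len(parts[1]) != 32:
        raise ValueError("blob is not a well-formed Ed25519 public key")
    # Same value that `ssh-keygen -lf key.pub` prints, for out-of-band comparison.
    digest = hashlib.sha256(blob).digest()
    fingerprint = "SHA256:" + base64.b64encode(digest).decode().rstrip("=")
    return fields[1], parts[1], fingerprint

def check_backup_keys(lines):
    """Require exactly three distinct keys; return (base64_blob, fingerprint) pairs."""
    if len(lines) != 3:
        raise ValueError("expected exactly three public keys")
    parsed = [parse_ed25519_pubkey(line) for line in lines]
    if len({raw for _, raw, _ in parsed}) != 3:
        raise ValueError("public keys are not unique")
    return [(b64, fp) for b64, _, fp in parsed]

def constructed_line(fill, comment):
    # Constructed sample: valid encoding with filler bytes, not a usable key.
    blob = struct.pack(">I", 11) + KEY_TYPE + struct.pack(">I", 32) + bytes([fill]) * 32
    return "ssh-ed25519 %s %s" % (base64.b64encode(blob).decode(), comment)
# First sample is the example key shown in step 6; the other two are constructed.
PAGE_KEY = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK0wmN/Cr3JXqmLW7u+g9pTh+wyqDHpSQEIQczXkVx9q production-key"
SAMPLE_LINES = [PAGE_KEY, constructed_line(1, "constructed-2"), constructed_line(2, "constructed-3")]

if __name__ == "__main__":
    for blob, fingerprint in check_backup_keys(SAMPLE_LINES):
        print(fingerprint, blob)
```

The first value of each printed pair is the fingerprint to compare out of band; the second is the base64 string to hand over as the public key.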

Recovery process

To recover the key shares, you will need:

  • All three encrypted key shares – three .backup files
  • The private key files corresponding to the public keys that you sent to MPCVault when exporting the key shares
  • The passwords of the three private keys
  • A recovery script, which you will receive when you receive the encrypted key shares