Skip to main content

Cold Wallet Workspace Key Backup (Legacy)

The Fireblocks workspace key backup process ensures you maintain independent access to your workspace's full private key, which is required to recover your assets from your Fireblocks Vault if the Fireblocks service is disrupted.

Note: Cold Wallet workspaces can now generate workspace key backups directly from the Console, without requiring workspace Owner approval or opening a support ticket. See Cold Wallet Workspace Key Backup.

Overview

When you use Fireblocks MPC wallets, you keep direct custody of your assets. As your own self-custodian, you are responsible for ensuring independent access to your private key. Backing up your workspace's full private key maintains access to your assets even if the Fireblocks service is disrupted.

The two Cloud key shares of your workspace's full private key are stored across separate Fireblocks data centers. Generating a backup gives you full control over your workspace's full private key outside of Fireblocks infrastructure.

Fireblocks recommends backing up your key shares within 14 days of your workspace creation date. A reminder appears in the Fireblocks Console after you enroll your first mobile device.

Download the Recovery Utility

To run the Fireblocks Recovery Utility application, download it by selecting the link for your operating system:

The application contains both the Recovery Utility and the Recovery Relay. The Recovery Relay is used as part of the asset withdrawal process.

  • Run the Recovery Utility on an air-gapped machine (as described in Generating a key backup package).
  • Run the Recovery Relay on an online machine to enable withdrawals, if needed.

Start the backup process

  1. Download the Fireblocks Recovery Utility for your operating system.
  2. Set up the offline recovery machine. The machine must be air-gapped and offline.
  3. Transfer the Recovery Utility app to the offline machine (for example, using a USB stick).

  4. Select Use the Recovery Utility > Generate Keys, then follow the on-screen instructions to generate your key backup package.

    Note: If your machine is not offline, a red warning message appears at the top of the Recovery Utility app window indicating you must go offline.

  5. Generate the recovery key pair:

    1. Enter a private key passphrase of at least four characters, then select Generate Recovery Keys. Save this passphrase; you will need it to construct the full package.

    2. Select Download Keys Zip to download your Private Key (save this on your air-gapped machine) and your Public Key for uploading to the Fireblocks Console in the following steps.
    3. Extract the Public Key from the zip file to an online machine, then contact Fireblocks Customer Success for assistance.

Send your recovery public key to Fireblocks

  1. Copy the public key file (fb-recovery-pub.pem) to an online machine.
  2. On the online machine, calculate the MD5 checksum of the public key:
    1. If your online machine runs Windows:
      1. Open Command Prompt or Windows PowerShell.
      2. Locate the folder containing the public key (fb-recovery-pub.pem).
      3. Enter cd followed by the folder path. You can drag and drop the folder to fill in the path automatically.
      4. Enter the following command:
      5. Press Enter. The output is the MD5 checksum of the public key file.
    2. If your online machine is a Mac:
      1. Open Terminal.
      2. Locate the folder containing the public key (fb-recovery-pub.pem).
      3. Enter: md5 <fb-recovery-pub.pem>. You can populate the filename automatically by dragging the file from Finder into the Terminal window.
      4. Press Enter. The output is the MD5 checksum of the public key file.
  3. Use the inputs below to complete the task form and send your recovery public key and checksum to Fireblocks Support:

    1. CC: If you are not the workspace Owner, add their email address here.
    2. Tasks: Select Workspace Operations.
    3. Workspace Operations: Select New workspace keys backup - performed by my organization.
    4. Confirm Passphrase: Select this checkbox to confirm you have the Owner's recovery passphrase.
    5. Owner's Approval: Indicate whether you are the Owner, or if you CC'd them.
    6. I have attached the Public Key: Select this checkbox (you attach the key in a later field).
    7. MD5 Checksum: Paste the MD5 checksum you generated.
    8. Workspace name(s): Enter the names of your associated workspaces.
    9. Business Impact: Select Low, Medium, High, or Critical based on urgency.
    10. Subject: Enter a subject line.
    11. Description: Paste your recovery public key as part of your description.
    12. Attachment: Attach your public key file (fb-recovery-pub.pem), which you previously moved to an online machine.
  4. Fireblocks Support performs an integrity check to validate your public key and emails you a Workspace Keys Backup package per the Fireblocks Recovery Services SLA.

When you receive the recovery kit from Fireblocks, move it to the offline device. Verify the package using the Recovery Utility.

To reconstruct your workspace, see Reconstructing your workspace.

Was this article helpful?
0 out of 0 found this helpful

Related Articles