Overview
Our workspace key backup and recovery process ensures that the two Cloud key shares of your workspace’s full private key are not stored only in our SaaS’ separate data centers. It also gives you full control over your workspace’s full private key, which is important if you need to recover your assets from your Fireblocks Vault.
When you use our MPC wallets, you keep direct custody of your assets. Therefore, as your own self-custodian, you are responsible for ensuring that you have independent access to your private key. By backing up your workspace’s full private key, you maintain access to your assets even if our service is disrupted.
We strongly recommend that you back up your key shares within 14 days of your workspace creation date. We remind you of this requirement in a pop-up message in your Fireblocks Console right after you enroll your first mobile device.
Download the Recovery Utility
To run the Fireblocks Recovery Utility application, download it by selecting the link for your matching operating system:
- MacOS (M1/M2 Chips)
- Ubuntu 20.04 LTS (currently only this version is supported here)
The application contains both the Recovery Utility and the Recovery Relay. The Recovery Relay is used as part of the asset withdrawal process.
Additionally, please note the following:
- You must run the Recovery Utility on an air-gapped machine (as described here).
- If needed, you must run the Recovery Relay on an online machine to enable withdrawals.
Start the backup process
To start the key backup process:
- Download the Fireblocks Recovery Utility application by selecting the link for your matching operating system.
- Set up the offline recovery machine. Make sure it is air-gapped and offline.
- Transfer the Recovery Utility app (e.g., via a USB stick) to the offline machine to run the application.
- To generate your key backup package, select Use the Recovery Utility > Generate Keys, and then follow the on-screen instructions.
Note:
If your machine is not offline, a red warning message appears at the top of the Recovery Utility app window, indicating you must go offline.
- Generate the recovery key pair:
- Enter a private key passphrase, consisting of at least four characters, and select Generate Recovery Keys.
Note:
Make sure you save this passphrase as you will later need it to construct the full package.
- Select Download Keys Zip to download your Private Key (which must be saved on your air-gapped machine) and your Public Key for uploading to your Fireblocks Console in the following steps.
- Extract the Public Key from the zip file to an online machine and reach out to Customer Success for further assistance.
Send your recovery public key to Fireblocks
- Copy the public key file (fb-recovery-pub.pem) to an online machine.
- On the online machine, calculate the MD5 checksum of the public key:
- If your online machine runs Windows:
- Open Command Prompt or Windows PowerShell.
- Locate the folder that contains the public key (fb-recovery-pub.pem).
- Type cd followed by the folder path. You can drag and drop the folder to fill in the name automatically.
- Enter the following line of code:
- Press Enter. The output is the MD5 checksum of the public key file.
- If your online machine is a Mac:
- Open Terminal.
- Locate the folder that contains the public key (fb-recovery-pub.pem).
- Enter: md5 <fb-recovery-pub.pem>
- You can automatically populate the <fb-recovery-pub.pem> by dragging the file from Finder into the Terminal window.
- Press Enter. The output is the MD5 checksum of the public key file.
- Use the inputs below to complete this task form to send your recovery public key and checksum to Fireblocks Support:
- CC: If you are not the workspace Owner, add their email address here.
- Tasks: Select Workspace Operations.
- Workspace Operations: Select New workspace keys backup - performed by my organization.
- Confirm Passphrase: Check this box to confirm you have the Owner’s recovery passphrase.
- Owner’s Approval: Indicate whether you are the Owner, or if you CC'd them.
- I have attached the Public Key: Check this (you attach the key in a later field).
- MD5 Checksum: Paste the MD5 checksum you generated.
- Workspace name(s): Type or paste the names of your associated workspaces.
- Business Impact: Select Low, Medium, High, or Critical based on urgency.
- Subject: Choose a subject line.
- Description: Paste your recovery public key as part of your description.
- Attachment: Attach your public key file (fb-recovery-pub.pem) which you previously moved back to an online machine.
- Fireblocks Support then performs an integrity check to validate your public key and emails you a Workspace Keys Backup package within several days, per our Recovery Services SLA.
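
An added example for the checksum step above, not part of the Fireblocks tooling: a Python script that computes the MD5 for the form from the exact bytes of fb-recovery-pub.pem on any operating system, refuses a file that carries a private-key PEM label, and compares the result with a checksum noted on the offline machine. Noting the checksum offline before the transfer, the function names, and the sample key bytes are assumptions made for this example.

```python
import hashlib
import hmac
import os
import tempfile

# Constructed sample, not a real key: only the PEM armor matters here.
SAMPLE_PUB = b"-----BEGIN PUBLIC KEY-----\nQ09OU1RSVUNURUQ=\n-----END PUBLIC KEY-----\n"
SAMPLE_PRIV = SAMPLE_PUB.replace(b"PUBLIC", b"ENCRYPTED PRIVATE")


def inspect_public_key(path):
    """Hash the exact bytes of a PEM public key file; refuse private keys."""
    with open(path, "rb") as fh:  # binary mode, so line endings are not altered
        data = fh.read()
    text = data.decode("ascii", errors="replace")
    if "PRIVATE KEY-----" in text:
        raise ValueError("this file holds a private key; it must not be uploaded")
    if not text.lstrip().startswith("-----BEGIN ") or "PUBLIC KEY-----" not in text:
        raise ValueError("not a PEM public key file")
    return {
        "md5": hashlib.md5(data).hexdigest(),        # value for the form field
        "sha256": hashlib.sha256(data).hexdigest(),  # stronger digest for your records
        "crlf": b"\r\n" in data,  # True if a transfer tool rewrote line endings
    }


def same_as_offline(path, offline_md5):
    """Compare the online copy's MD5 with the one noted on the offline machine."""
    online_md5 = inspect_public_key(path)["md5"]
    return hmac.compare_digest(online_md5, offline_md5.strip().lower())


def write_temp(data):
    """Write bytes to a temporary .pem file and return its path (demo helper)."""
    fd, path = tempfile.mkstemp(suffix=".pem")
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return path


if __name__ == "__main__":
    offline_md5 = hashlib.md5(SAMPLE_PUB).hexdigest()  # noted before the USB transfer
    intact = write_temp(SAMPLE_PUB)
    altered = write_temp(SAMPLE_PUB.replace(b"\n", b"\r\n"))
    print(inspect_public_key(intact))
    print("intact copy matches:", same_as_offline(intact, offline_md5))
    print("altered copy matches:", same_as_offline(altered, offline_md5))
    for p in (intact, altered):
        os.remove(p)
```

A mismatch with `crlf` set to True points to a transfer tool that converted line endings; copy the file again in binary form rather than submitting the altered copy.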
When you receive the recovery kit back from Fireblocks, move it to the offline device. Verify the package in the Recovery Utility.
Finally, to reconstruct your workspace, see the instructions here.