After you receive your Workspace Key Backup package, you must verify your key recovery process.
Step 1: Transfer the Workspace Key Backup package to an offline machine
As the workspace Owner, you receive an email with your native Workspace Key Backup package as a temporary downloadable link, which expires after two days.
- Download the backup file before it expires.
- Move the file to a USB stick. Do not save it on the online machine.
- Transfer the backup file from the USB stick to the offline machine.
The package consists of both your Owner mobile key share and your two cloud key shares. The mobile key share is encrypted using your Owner recovery passphrase that you created when you first enrolled your mobile device in the Fireblocks mobile app. Your two cloud key shares are encrypted with the public key you sent to Fireblocks Support (or uploaded via the Fireblocks Console) during the setup phase earlier in this process.
For advanced setup, you can store your package on a second offline machine, but it should not be on the same machine where you store your recovery private key.
Step 2: Run a sanity test
The sanity test verifies that your private key seeds for both ECDSA and EdDSA signing are properly extracted from your key backup file without exposing them. To learn more about ECDSA and EdDSA, see the Fireblocks Vault HD derivation paths article. Your private keys are reconstructed in the offline machine’s memory but are not revealed, so they cannot be viewed or extracted.
On your offline machine, use the following command in the Fireblocks Key Backup and Recovery Tool to verify that your workspace private keys are intact and in your possession.
- Verify the Workspace Key Backup package. If you have not run the Fireblocks Key Backup and Recovery Tool yet, do it now using the command below. Make sure you have completed the prerequisite setup steps before using this tool.
./fireblocks_key_backup_and_recovery.py
- Select Verify the recovery package in the Fireblocks Key Backup and Recovery Tool.
- Enter the requested file names and passphrases:
- Backup zip file name
- RSA Private key file name
- Recovery RSA private key passphrase
- Workspace Owner recovery passphrase
The following indicators can appear when entering the requested file names:
- A green "Verified!" indicator means the respective extended private key is intact.
- A red "Verification failed" indicator means the respective extended private key is not intact.
- If you see the "Verification failed" indicator:
- Check that you input your Workspace Key Backup package file, Owner recovery passphrase, keypair private file, and keypair passphrase correctly.
- If you do not remember where you stored any of the above, delete the package and request to create a new Workspace Key Backup package.
Note
If you use an auto-generated recovery passphrase, you must first decrypt the auto-generated recovery passphrase file.
- If the recovery process is successful, both your ECDSA (xPUB) and EdDSA (xPUB) extended public keys will appear with a green "Verified!" indicator next to them.
If you want to do a full recovery test, follow the steps for wallet recovery in this article.
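A pre-flight check for the two files that Step 2 asks for, as an added example that is not part of the Fireblocks tool or this article: it catches a truncated or corrupted backup zip and a wrong or unprotected key file before the tool reports Verification failed. It assumes the recovery RSA private key is stored as a PEM file; the function names, messages and sample files are hypothetical.

```python
import os
import stat
import sys
import tempfile
import zipfile

def key_is_passphrase_protected(path):
    """True if the PEM private key is encrypted (PKCS#8 or legacy OpenSSL header)."""
    with open(path, "r", errors="replace") as f:
        text = f.read()
    return "BEGIN ENCRYPTED PRIVATE KEY" in text or "Proc-Type: 4,ENCRYPTED" in text

def preflight(backup_zip, rsa_key):
    """Return the problems found; an empty list means the inputs look sane."""
    problems = [f"{label} not found: {path}"
                for label, path in (("backup zip", backup_zip), ("RSA private key", rsa_key))
                if not os.path.isfile(path)]
    if problems:
        return problems
    if not zipfile.is_zipfile(backup_zip):
        problems.append("backup file is not a zip archive (wrong file or truncated copy)")
    else:
        with zipfile.ZipFile(backup_zip) as z:
            try:
                bad = z.testzip()  # first member whose CRC does not match, or None
            except RuntimeError:   # password-protected members cannot be CRC-checked here
                bad = None
        if bad is not None:
            problems.append(f"backup zip is corrupted at member {bad}")
    if not key_is_passphrase_protected(rsa_key):
        problems.append("RSA private key file is not a passphrase-protected PEM")
    if os.name == "posix" and stat.S_IMODE(os.stat(rsa_key).st_mode) & 0o077:
        problems.append("RSA private key file is readable by group or others")
    return problems

if __name__ == "__main__":
    if len(sys.argv) == 3:
        found = preflight(sys.argv[1], sys.argv[2])
    else:  # no arguments: run on constructed sample files
        d = tempfile.mkdtemp()
        sample_zip, sample_key = os.path.join(d, "backup.zip"), os.path.join(d, "key.pem")
        with zipfile.ZipFile(sample_zip, "w") as z:
            z.writestr("share.bin", b"constructed sample, not a real key share")
        with open(sample_key, "w") as f:
            f.write("-----BEGIN RSA PRIVATE KEY-----\nconstructed\n")  # unencrypted on purpose
        found = preflight(sample_zip, sample_key)
    print("\n".join(found) or "inputs look sane; run the verification tool")
```

The check only reads file structure and headers; it never asks for or handles either passphrase, so it does not replace the tool's own verification.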