The auto-generated recovery passphrase approach ensures that the workspace Owner, in charge of approving users and signing devices day-to-day, is not the same person who can recover all of the company’s cryptographic key shares in the event of a disaster.
In this approach, another employee designated as a Security Manager (an operational role, not a defined workspace role) creates the Owner recovery passphrase and can enter it on the Owner’s mobile device when performing an Owner Key Share Recovery.
The auto-generated recovery passphrase also ensures the Owner does not participate during Workspace Key Recovery. When the auto-generated recovery passphrase is enabled for a workspace, the Owner’s device already has a recovery passphrase that they made during device setup. If this option is activated after a device is set up, the Owner must manually approve the backup request from their Fireblocks mobile app's Settings.
During setup, the recovery passphrase is used to encrypt the Owner’s mobile device key share before it's uploaded to Fireblocks’ backup servers. The recovery passphrase itself is encrypted with an RSA-4096 wrap key provided by your designated Security Manager, who receives the resulting Owner passphrase backup file, encrypted with that wrap key.
To set up an auto-generated passphrase:
- Your company must designate an employee to be Security Manager.
- Your designated Security Manager sends Fireblocks an RSA-4096 public key to encrypt the Owner’s recovery passphrase. The RSA-4096 wrap key can be the same key used during the Workspace Key Backup process or a new key.
Note
The RSA key is set at the workspace level. All devices that use this backup option encrypt their recovery passphrase with this RSA key.
- To set up a new key, the Security Manager completes the below steps on an offline machine:
- Use the below command to generate the RSA-4096 recovery private key (fb-recovery-prv.pem). You have to create a key pair passphrase you would use to decrypt the backup during a recovery. We recommend you memorize the key pair passphrase but also keep a single copy of it in a separate, secure place like a physical safe.
openssl genrsa -aes128 -out fb-recovery-prv.pem 4096
- Extract the recovery public key (fb-recovery-pub.pem) from fb-recovery-prv.pem with the following command:
openssl rsa -in fb-recovery-prv.pem -outform PEM -pubout -out fb-recovery-pub.pem
- Copy the public key (fb-recovery-pub.pem) to an online machine, and submit it to Fireblocks Support.
- Fireblocks Support then enables the auto-generated passphrase option on the workspace Owner's mobile device.
- The Workspace Owner then initiates a Key Share Recovery in their Fireblocks mobile app:
- Tap Settings > Linked Users
- Tap on Run DRS.
- Enter your PIN code to initiate the backup.
- Authenticate your identity using your mobile phone's biometrics.
- The Fireblocks mobile app then re-encrypts the Owner's mobile key share with the recovery public key that the Security Manager previously sent to Fireblocks Support.
- Fireblocks Support then provides the Security Manager with an encrypted auto-generated passphrase file.
- Download the Passphrase Decryption Tool. When the Owner needs to recover their key share, they must enter their recovery passphrase or their auto-generated recovery passphrase on their mobile device. Only the Security Manager can retrieve the auto-generated recovery passphrase, by extracting it from the passphrase backup file using the Passphrase Decryption Tool, and then providing it to the workspace Owner.
- Run the following command with the Passphrase Decryption Tool:
python3 decrypt_passphrase.py <encrypted_auto_generated_passphrase_file> <RSA_private_key_file> <RSA_private_key_passphrase>
- If the passphrase is successfully decrypted, the tool reveals the auto-generated passphrase to the Security Manager. Now, for future Owner Key Share Recovery, separation of duties is in place, because only the Security Manager can retrieve the recovery passphrase that is needed to recover the Owner's key share.
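As an added self-check (not part of Fireblocks' documentation or tooling), the following POSIX shell script runs the two openssl steps above and then verifies the key pair before the public key is submitted to Support: the public key's fingerprint must match the private key, a constructed test secret must round-trip through the pair using the key pair passphrase, and the key size must be 4096 bits. The WORK_DIR and FB_KEY_PASS variables and the RSA-OAEP padding used in the round-trip are assumptions for this example only, not details of the Fireblocks Passphrase Decryption Tool.

```shell
#!/bin/sh
# Added example (not Fireblocks' tooling): generate the Security Manager's RSA-4096
# recovery key pair offline and self-check it before fb-recovery-pub.pem leaves the
# machine. The key pair passphrase is read from FB_KEY_PASS (constructed here) so the
# script runs non-interactively; in a real run you type it at the openssl prompt.
set -eu

WORK_DIR="${WORK_DIR:-$(mktemp -d)}"
FB_KEY_PASS="${FB_KEY_PASS:-example-keypair-passphrase-change-me}"
export FB_KEY_PASS
PRV="$WORK_DIR/fb-recovery-prv.pem"
PUB="$WORK_DIR/fb-recovery-pub.pem"

# Steps 1 and 2 from the page: AES-128 protected RSA-4096 private key, then the
# public key that is the only file sent to Fireblocks Support.
generate_recovery_keypair() {
    openssl genrsa -aes128 -passout env:FB_KEY_PASS -out "$PRV" 4096 2>/dev/null
    chmod 600 "$PRV"
    openssl rsa -in "$PRV" -passin env:FB_KEY_PASS -outform PEM -pubout -out "$PUB" 2>/dev/null
}

# Check A: the public key file really belongs to this private key
# (compare SHA-256 fingerprints of the DER-encoded public keys).
fingerprint_matches() {
    prv_fp=$(openssl rsa -in "$PRV" -passin env:FB_KEY_PASS -pubout -outform DER 2>/dev/null | openssl dgst -sha256 -r | cut -d' ' -f1)
    pub_fp=$(openssl rsa -pubin -in "$PUB" -outform DER 2>/dev/null | openssl dgst -sha256 -r | cut -d' ' -f1)
    [ -n "$prv_fp" ] && [ "$prv_fp" = "$pub_fp" ]
}

# Check B: wrap a constructed secret with the public key and unwrap it with the
# private key + passphrase, proving the pair is usable for a future recovery.
# RSA-OAEP is assumed for this self-test only.
roundtrip_ok() {
    printf 'constructed-test-secret' > "$WORK_DIR/plain.txt"
    openssl pkeyutl -encrypt -pubin -inkey "$PUB" -pkeyopt rsa_padding_mode:oaep -in "$WORK_DIR/plain.txt" -out "$WORK_DIR/wrapped.bin"
    openssl pkeyutl -decrypt -inkey "$PRV" -passin env:FB_KEY_PASS -pkeyopt rsa_padding_mode:oaep -in "$WORK_DIR/wrapped.bin" -out "$WORK_DIR/unwrapped.txt"
    [ "$(cat "$WORK_DIR/unwrapped.txt")" = "constructed-test-secret" ]
}

# Check C: the modulus really is 4096 bits, as the workspace wrap key requires.
key_size_bits() {
    openssl rsa -pubin -in "$PUB" -noout -text 2>/dev/null | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

generate_recovery_keypair
if fingerprint_matches && roundtrip_ok && [ "$(key_size_bits)" = "4096" ]; then
    echo "key pair OK: submit only $PUB to Fireblocks Support; keep $PRV offline"
else
    echo "key pair self-check FAILED: do not submit $PUB" >&2; exit 1
fi
```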
Using the auto-generated recovery passphrase during Key Share Recovery
- Contact Fireblocks Support to move the Owner's Fireblocks mobile app to a new device. Make sure to specify that you are using the auto-generated recovery passphrase option.
- Fireblocks Support verifies this request using a conference call with the Owner.
- Support performs the change. This may take several days, depending on the Fireblocks SLA.
- The Owner opens their Fireblocks Console. A QR code appears to scan and enroll with the Fireblocks Mobile App. The Owner scans the QR code with their mobile app.
- The app opens in Recovery Mode.
- Optional: Other Admins can navigate to Settings > Users in their Fireblocks Console and see that the status of their Owner user is "Pending Device Pairing".
- The Security Manager uses the decryption tool to get the recovery passphrase.
- The Security Manager enters the recovery passphrase on the workspace Owner’s mobile app.
- The app verifies the recovery passphrase. Fireblocks holds a copy of the Owner’s key share that was protected with the recovery key pair generated during the auto-generated recovery passphrase setup. The app attempts to decrypt the key share locally with the entered recovery passphrase.
Note
Activating recovery mode is subject to strict security screening by Fireblocks Support, including identification over a video call.
- The Owner’s app is then ready after the recovery passphrase is validated.