Overview
Mobile Key Share Backup allows you to recover the mobile key share of users with signing privileges. In this context, Cold Wallet workspaces are somewhat different from warm workspaces. The only two user roles with transaction signing privileges are Owner and Signer. Key Share Backup helps prevent losing access to company assets due to human or signing device errors.
Events where you lose access to your key share
The following events block your ability to sign transactions on your mobile device. In each case, you can use Key Share Backup to recover your key share:
- You make any changes to your device's biometric settings or lose your PIN code.
- You lose or damage your device.
- You replace your device.
- You delete the Fireblocks Cold Wallet mobile app from your device.
- You do not remember your passphrase.
Important:
Cloud backups of your Fireblocks mobile app do not contain key share material. Therefore, you cannot sign transactions after restoring your Fireblocks mobile app from a cloud backup. You must re-download the Fireblocks mobile app instead and perform a Key Share Recovery as described in the following sections.
Best practices to mitigate risks from these events
You must have at least two users with signing privileges in your workspace besides the workspace Owner. Having more signers with functioning devices lowers the risk of losing access to company assets.
All users with signing privileges are required to create a recovery passphrase when they onboard to the Fireblocks Cold Wallet mobile app. They should store their passphrase in a secure location. They may need to enter their recovery passphrase if all workspace signing devices are damaged. It is important to have access to it for Key Share Recovery.
Learn more about the recovery passphrase and the implications of forgetting it, how to regain access to your key shares, and a safe way to reset it. Bear in mind, though, that on cold workspaces, it is not possible to verify or reset your recovery passphrase, as the device is air-gapped.
Mobile Key Share Recovery for a non-Owner device
Re-enrolling signing devices
This Key Share Recovery method recovers key shares for non-Owner users who lose access to or damage their mobile device or Fireblocks mobile app. If a Signer device requires a reset:
- Onboard a new signer user following the guide here. A full re-onboarding is required as new signatures must be pre-processed and then taken offline.
- Delete the old signer user as outlined here.
Mobile Key Share Recovery for the workspace Owner’s device
Unlike a Key Share Recovery for a non-Owner device, a Key Share Recovery for an Owner device requires help from Fireblocks Support. Therefore, completing an Owner Key Share Recovery may take several business days, depending on support availability and SLA commitments.
To perform a mobile backup of an Owner device, see the instructions here.
Key Share Recovery by your company
Using the mobile device of another user with signing privileges
This option allows you to temporarily make an existing Signer user your new workspace Owner if you lose access to your Owner mobile passphrase or device.
To validate which workspace users are qualified, follow these steps:
- Access your workspace user list in your Fireblocks Console. Go to Settings > Users.
- Any Signer showing “Ready” under the Status column can be made into the temporary Owner when using this recovery method.
Important:
We highly recommend that the user you select remembers their recovery passphrase. This process does not require knowing your original Owner’s passphrase. However, because the temporary owner may be the only user with signing privileges during this process, they must be prepared for the full range of events requiring a recovery passphrase to recover a key share.
Instead of requiring your passphrase, this method relies on verifying the identity of the workspace Owner or a legal representative in a video conference with Fireblocks Support. For that reason, it can take longer than other options.
- Use this form to ask Fireblocks Support to change your workspace Owner. The replacement Owner must be an existing user with signing privileges (Signer role) with an operational Fireblocks Cold Wallet mobile app.
- Support validates your request through a conference call with both your existing Owner and the temporary Owner.
- Support then adjusts your roles to reflect the temporary Owner. This can take several days based on our SLA.
- The original Owner now appears as a Signer user in your Fireblocks Console.
- The new Owner then navigates to Settings > Users and selects Delete user.
- Create a new Signer user with Fireblocks Support by following the guide here.
- The Signer user onboards a mobile device following the guide here.
- Contact Support to change the workspace Owner back to the original Owner user.
- Support validates your request using a conference call with both the temporary Owner and the original Owner that you want to restore.
- Fireblocks Support changes workspace ownership. This may take several days based on our SLA.
Note:
The Fireblocks Cold Wallet mobile app does not support Auto-Generated Passphrase (AGP) functionality. Mobile key share backup and recovery through a third-party DRS provider is also not supported.