Before receiving funds into your Fireblocks Vault, we strongly recommend creating a Workspace Key Backup and securely storing your passphrase. Learn more from our backup and recovery webinar.
Overview
Fireblocks provides a comprehensive backup and recovery solution for your private keys to ensure you always have access to your assets and can sign transactions. The backup and recovery process allows you to recover your signing device keys should you lose them in the unlikely event of a disaster (or if Fireblocks suspends operations).
Your Fireblocks Vault is a secure Multi-party Computation (MPC) based wallet that prevents your private key from having a single point of compromise when you sign transactions. With Fireblocks MPC, one key share is stored on your company’s hardware, in the Fireblocks mobile app of each user with signing privileges, or on a secure server that hosts your API Co-Signer. You have two corresponding key shares that Fireblocks stores with top-tier cloud providers’ secure SGX servers. Your three key shares are never together in one place that exposes your full private key.
Types of backup and recovery
Backup and recovery for your digital assets are grouped into two main types: Mobile Key Share Backup and Workspace Key Backup.
The following table describes your options for ensuring secure backup and recovery of your keys. The methods for each type are not mutually exclusive and we strongly suggest using them together.
Type | Description | Method | Purpose |
Mobile Key Share Backup with 3rd-party DRS provider | The autogenerated passphrase (AGP) encrypted backup key share is sent to a 3rd-party DRS. | 3rd-party DRS, e.g., Fireblocks partnering providers: | Mitigates risk of forgetting/losing access to Owner's device and recovery passphrase. |
Workspace Key Backup | | 3rd-party backup and recovery, e.g., Fireblocks partnering providers: | Provides technical support & 3rd-party ownership without risking exposure. Contact CSM for more info. |
Workspace Key Backup | | Native Recovery Utility generates a native key backup package of your workspace. | Provides direct ownership of key backup if you have the correct technical resources. |
Backup Types
Mobile Key Share Backup
The mobile key share is one of your three key shares and is held on your mobile device to sign transactions. Users who can sign transactions (Owner, Admin, and Signer) have a Key Share Backup generated automatically through the Fireblocks mobile app when onboarding to the Fireblocks platform. During onboarding, the user sets a recovery passphrase, which allows them to recover the mobile key share of users with signing privileges should the device get lost, stolen, or damaged. This passphrase encrypts the key share, and the encrypted key share is then sent to Fireblocks.
Remembering your recovery passphrase is crucial, because you need it to recover your signing keys with the Key Share Recovery process. Each user should memorize the passphrase or store it in a secure location. In addition, your workspace should have at least two users with signing privileges besides the workspace Owner. Since your key share is essential for ensuring access to your funds, we strongly recommend following our Best Practices to minimize the risk of losing it. We also recommend having a backup with one of our third-party DRS partners to mitigate the risk of losing access to your signing devices and the recovery passphrase.
You can learn more about the Mobile Key Share Backup process here.
Workspace Key Backup
The workspace key is the extended private key for your workspace from which all asset signing keys are derived. Your workspace key is the combination of all three of your key shares.
With Fireblocks, you are the custodian and must always have access to your full private key. Therefore, it is mandatory to back up your workspace’s private key in case Fireblocks’ services are inaccessible.
We recommend using one of Fireblocks' partnering third-party DRS providers (Coincover or Station70). You can also use our Native Recovery Utility solution to back up your workspace’s full private key. You can manage Workspace Key Backup internally at your company by securing and maintaining offline equipment and following the security guidelines.
Recovery Methods
Mobile Key Share Recovery
Depending on the user role and needs, the following Mobile Key Share Recovery methods are available:
- For the workspace Owner’s device
- For a non-Owner device
At your company level, the following recovery methods are also available:
- Using the Owner's recovery passphrase
- Using the mobile device of another user with signing privileges
Another option is using a third-party DRS provider for a lost passphrase, or if your device is lost, stolen, or damaged.
Workspace Key Recovery
Workspace recovery involves recovering your full private key material from an offline backup created in advance and combining all three corresponding MPC key shares into a single extended private key. Finally, loading this extended private key onto a third-party wallet enables you to access your wallets created on Fireblocks. Learn about the Native Recovery Utility.
DRS Third-Party Backup and Recovery
We also highly recommend having a third-party DRS provider, which includes an additional key share backup with an auto-generated passphrase, further reducing the risk of losing access to your company assets.