Skip to main content

Generating a Workspace Key Backup Package - Fireblocks Recovery Utility

  • Updated

Overview

The diagram below illustrates how you will receive the Workspace Key Backup Package at the end of the process.

Self DRS (1).png

The package is composed of six files that contain the following key share components:

  • ECDSA cloud key share 1 (encrypted with the RSA public key you provide)
  • ECDSA cloud key share 2 (encrypted with the RSA public key you provide) 
  • ECDSA Owner mobile key share (encrypted with the Owner generated passphrase)
  • EDDSA cloud key share 1 (encrypted with the RSA public key you provide)
  • EDDSA cloud key share 2  (encrypted with the RSA public key you provide)
  • EDDSA Owner mobile key share (encrypted with the Owner generated passphrase)

Important

We do not recommend running tests using your production workspace keys as it could put your signing keys at risk of exposure. You should always test the native Workspace Key Backup and Recovery process in a testnet workspace first. Contact your Customer Success Manager if you have not already obtained one.

Start the backup process

To generate the key backup package, follow the steps below.

Note that throughout the key backup process, you will be alternating between multiple devices both offline and online, including using the Recovery Utility app on an air-gapped machine and the Fireblocks mobile app and Console.

To review the actual workflow, see the following video.

  1. To start the key backup process:
    1. Download the Fireblocks Recovery Utility application by selecting the link for your matching operating system:
      • macOS (M1-M4 chips)
      • Ubuntu (v20.04 LTS and up is supported)
        • For v22.04 you must first install libfuse2 to run Applmages
        • Note that v24.04 is not supported due to a bug in apparmor
    2. Set up the offline recovery machine. Make sure it is air-gapped and offline.
    3. Transfer the Recovery Utility app (i.e., via a USB stick) to the offline machine to run the application.
  2. To generate your key backup package, select Use the Recovery Utility > Generate Keys, and then follow the on-screen instructions.

    Note

    If your machine is not offline, a red warning message appears at the top of the Recovery Utility app window, indicating you must go offline.

  3. Generate the recovery key pair. The following two options apply:
    1. Using the recovery utility: enter a private key passphrase, consisting of at least four characters, and select Generate Recovery Keys.

      Note

      Make sure you save this passphrase as you will later need it to construct the full package.

      For enhanced security, it is recommended to use a passphrase at least 12 characters long and include uppercase and lowercase letters, numbers, and special symbols.

    2. Without the recovery utility:

      1. Use the below command to generate the RSA-4096 recovery private key (fb-recovery-prv.pem). You have to create a key pair passphrase you would use to decrypt the backup during a recovery. We recommend you memorize the key pair passphrase but also keep a single copy of it in a separate, secure place like a physical safe.

        openssl genrsa -aes128 -out fb-recovery-prv.pem 4096
      2. Extract the recovery public key (fb-recovery-pub.pem) from fb-recovery-prv.pem with the following command:
        openssl rsa -in fb-recovery-prv.pem -outform PEM -pubout -out fb-recovery-pub.pem
      3. Drop the public key into the recovery utility. 
        img.png

    3. Select Download Keys Zip to download your Private Key (which must be saved on your air-gapped machine) and your Public Key for uploading to your Fireblocks Console in the following steps.
    4. Extract the Public Key from the zip file to an online machine with access to your Console.
    5. In your Console, connect to the specific workspace for which you want to generate the key backup package. In the General tab, under Settings, select Create backup.
    6. Complete the prerequisite steps to prepare the recovery Public Key. Check the I’m ready to upload the public key file box.
    7. Select the Public Key file that you generated above using the Recovery Utility app, then select Upload key.
      Screenshot 2024-03-27 at 10.03.55.png
    8. Your workspace Owner receives a confirmation email stating that they and the Admin Quorum must now verify and approve the public key recovery on the Fireblocks mobile app, shown further below.
    9. Your Admin Quorum is notified to approve using the Fireblocks mobile app. If they do not approve within 48 hours, you must restart this process.
    10. While the request is pending approval, selecting the yellow Awaiting approval badge shows the approval requests and which Admins can still approve them.


    11. Return to the air-gapped machine to follow the Recovery Utility app instructions and select Start Approval. This prompts you to either scan a QR code or enter a short key into your Fireblocks mobile app.
    12. Your Admin Quorum collaborates with the workspace Owner to verify and approve the key backup by following the prompts on the Fireblocks mobile app: 
      1. Select View > Get Started > I’m ready to approve.

      2. The Admin Quorum selects one of the approval methods - scan a QR code or input a short key - and informs the Owner. Since the Owner has access to the offline machine, they can proceed with the QR code option in the Recovery Utility app, while the Admins can ask the Owner for a short key.
      3. Scan the QR code or input the short key according to the suitable method.
      4. Once the verification is successful, the Fireblocks mobile app prompts that the key was verified.
      5. The public key appears in their Fireblocks mobile app.

      6. To view the public key on the offline machine, go back to the  Recovery Utility app on the air-gapped machine and select View Public Key.

        If the public keys match, select Approve on the Fireblocks mobile app. Otherwise, select Deny. This may mean the Owner accidentally modified or uploaded the wrong recovery public key at some point before it was submitted to your Console.
      7. The Admin Quorum and Owner enter their Fireblocks mobile app PIN codes and complete biometric authorization to approve the request.
    13. In your Console, the backup status updates to Awaiting completion. If any Admin selects Deny, the backup status updates to Denied.


    14. After finalizing the approval process on the Fireblocks mobile app, the workspace Owner receives the encrypted kit via email, which they need to download and transfer to the air-gapped machine. 
    15.  Once the included instructions in the email are completed, mark the backup as completed in your Console.
    16. In the Console, the status updates to Completed.


You have now completed generating your in-house key backup package. Learn about verifying a recovery package here.

 

Was this article helpful?
1 out of 1 found this helpful

Related Articles