This article covers the full process for generating a workspace key backup package for your Cold Wallet workspace using the self-service in-house backup method.
Overview
The diagram below illustrates how you will receive the Workspace Key Backup Package at the end of the process.
The package is composed of six files containing the following key share components:
- ECDSA cloud key share 1 (encrypted with the RSA public key you provide)
- ECDSA cloud key share 2 (encrypted with the RSA public key you provide)
- ECDSA Owner mobile key share (encrypted with the Owner generated passphrase)
- EDDSA cloud key share 1 (encrypted with the RSA public key you provide)
- EDDSA cloud key share 2 (encrypted with the RSA public key you provide)
- EDDSA Owner mobile key share (encrypted with the Owner generated passphrase)
Important: Fireblocks does not recommend running tests using your production workspace keys, as this could put your signing keys at risk of exposure. Always test the native workspace key backup and recovery process in a testnet workspace first. If you do not have a Customer Success Manager, contact Fireblocks Support.
Start the backup process
Throughout the key backup process, you alternate between multiple devices, both offline and online, including the Recovery Utility app on an air-gapped machine, the Fireblocks mobile app, and the Console.
To review the workflow, watch the following video.
- In the Console, go to Settings > General > Key backup. Under In-house key backup, select the Fireblocks Recovery Utility link.
- In the Download the Fireblocks recovery utility modal, select your operating system (macOS (M1-M4 CPU) or Ubuntu (v20.04 LTS or later)), then select Download.
- Transfer the downloaded file to the offline machine using a USB stick. The machine must be air-gapped and offline.
- Select Use the Recovery Utility > Generate Keys, then follow the on-screen instructions to generate your key backup package.
  Warning: If your machine is not offline, a red warning message appears at the top of the Recovery Utility app window indicating you must go offline. Keep this machine permanently disconnected from all networks.
- Generate the recovery key pair using one of the following methods:
  - Using the Recovery Utility: Enter a private key passphrase of at least four characters, then select Generate Recovery Keys.
    Important: Save this passphrase; you will need it to construct the full package. For enhanced security, Fireblocks recommends a passphrase of at least 12 characters, including uppercase and lowercase letters, numbers, and special symbols.
  - Without the Recovery Utility:
    - Use the following command to generate the RSA-4096 recovery private key (fb-recovery-prv.pem). When prompted, create a key pair passphrase to use when decrypting the backup during recovery. Fireblocks recommends memorizing the key pair passphrase and keeping one copy in a separate, secure location such as a physical safe.
      openssl genrsa -aes128 -out fb-recovery-prv.pem 4096
    - Extract the recovery public key (fb-recovery-pub.pem) from fb-recovery-prv.pem with the following command:
      openssl rsa -in fb-recovery-prv.pem -outform PEM -pubout -out fb-recovery-pub.pem
    - Import the public key into the Recovery Utility.
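The two openssl commands above, wrapped as an added example that is not Fireblocks' own tooling. It goes one step beyond the article: after generating fb-recovery-prv.pem and fb-recovery-pub.pem it checks, still on the air-gapped machine, that the private key file is actually passphrase-protected, that a wrong passphrase does not open it, that the key is RSA-4096, and that the public key you are about to carry to the Console belongs to that private key. It assumes the openssl command-line tool (1.1 or 3.x) is installed and, so that it can run unattended, reads the passphrase from an environment variable named FB_RECOVERY_PASSPHRASE (a name chosen for this example; the article's interactive prompt is equally fine when you type the commands by hand).

```shell
#!/bin/sh
# Added example, not part of the Fireblocks Recovery Utility or the article.
# Generates the RSA-4096 recovery key pair with the article's two openssl
# commands, then verifies the result before the public key leaves the
# air-gapped machine.
# Assumptions: openssl CLI present; passphrase exported in FB_RECOVERY_PASSPHRASE
# (constructed variable name for this example).
set -u

# generate_recovery_keypair DIR
# Writes DIR/fb-recovery-prv.pem (AES-128 encrypted, RSA-4096) and
# DIR/fb-recovery-pub.pem, mirroring the article's commands non-interactively.
generate_recovery_keypair() {
    dir="$1"
    openssl genrsa -aes128 -passout env:FB_RECOVERY_PASSPHRASE \
        -out "$dir/fb-recovery-prv.pem" 4096 2>/dev/null || return 1
    openssl rsa -in "$dir/fb-recovery-prv.pem" -passin env:FB_RECOVERY_PASSPHRASE \
        -outform PEM -pubout -out "$dir/fb-recovery-pub.pem" 2>/dev/null || return 1
}

# verify_recovery_keypair DIR
# Returns 0 and prints the SHA-256 fingerprint of the DER-encoded public key
# when all checks pass; returns 1 (with a reason on stderr) otherwise.
verify_recovery_keypair() {
    dir="$1"
    prv="$dir/fb-recovery-prv.pem"
    pub="$dir/fb-recovery-pub.pem"

    # 1. The private key on disk must be passphrase-protected
    #    (traditional PEM carries "Proc-Type: 4,ENCRYPTED", PKCS#8 "BEGIN ENCRYPTED PRIVATE KEY").
    grep -q ENCRYPTED "$prv" || { echo "private key is not encrypted" >&2; return 1; }

    # 2. A wrong passphrase must fail to unlock it.
    if openssl rsa -in "$prv" -passin pass:not-the-real-passphrase -noout 2>/dev/null; then
        echo "private key opened with a wrong passphrase" >&2; return 1
    fi

    # 3. The public key must be RSA-4096, as the article requires.
    openssl rsa -pubin -in "$pub" -noout -text 2>/dev/null | grep -q '(4096 bit' \
        || { echo "public key is not 4096-bit" >&2; return 1; }

    # 4. The public key must belong to this private key (identical modulus);
    #    uploading a public key from some other key pair would make the backup unrecoverable.
    prv_mod=$(openssl rsa -in "$prv" -passin env:FB_RECOVERY_PASSPHRASE -noout -modulus 2>/dev/null)
    pub_mod=$(openssl rsa -pubin -in "$pub" -noout -modulus 2>/dev/null)
    [ -n "$prv_mod" ] && [ "$prv_mod" = "$pub_mod" ] \
        || { echo "public key does not match private key" >&2; return 1; }

    # 5. Print a fingerprint the Owner can note down and compare against the
    #    key shown later in the Recovery Utility and the mobile app.
    openssl rsa -pubin -in "$pub" -outform DER 2>/dev/null | openssl dgst -sha256 | awk '{print $NF}'
}

# Usage on the air-gapped machine:
#   FB_RECOVERY_PASSPHRASE='<your passphrase>' sh recovery-keys.sh --demo [output-dir]
if [ "${1:-}" = "--demo" ]; then
    : "${FB_RECOVERY_PASSPHRASE:?export the recovery passphrase first}"
    out="${2:-.}"
    generate_recovery_keypair "$out" && fp=$(verify_recovery_keypair "$out") \
        && echo "recovery key pair OK; public key SHA-256 fingerprint: $fp"
fi
```

Keep the output directory on the offline machine; only fb-recovery-pub.pem is copied to the online machine for upload. The fingerprint printed in step 5 is a convenient short string to write down before the public key is submitted, so that the later "public keys match" comparison between the Recovery Utility and the mobile app has a third reference point.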
- Select Download Keys Zip to download your Private Key (save this on your air-gapped machine) and your Public Key for uploading to the Console in the following steps.
- Extract the Public Key from the zip file to an online machine with access to the Console.
- In the Console, go to Settings > General, then select Create backup.
- Complete the prerequisite steps to prepare the recovery public key, then select I'm ready to upload the public key file.
- Select the public key file you generated using the Recovery Utility, then select Upload key.
- The workspace Owner receives a confirmation email stating that they and the Admin Quorum must verify and approve the public key recovery on the Fireblocks mobile app.
- The Admin Quorum is notified to approve using the Fireblocks mobile app. If they do not approve within 48 hours (2 days), you must restart this process.
- To check approval status while the request is pending, select the yellow Awaiting approval badge to see the approval requests and which Admins can still approve them.
- Return to the air-gapped machine, follow the Recovery Utility instructions, and select Start Approval. This prompts you to either scan a QR code or enter a short key into the Fireblocks mobile app.
- The Admin Quorum collaborates with the workspace Owner to verify and approve the key backup by following the prompts on the Fireblocks mobile app:
  - Select View > Get Started > I'm ready to approve.
  - The Admin Quorum selects an approval method (scan a QR code or input a short key) and informs the Owner. The Owner has access to the offline machine and can proceed with the QR code option in the Recovery Utility; Admins can ask the Owner for a short key.
  - Scan the QR code or input the short key using the applicable method.
  - Once verification is successful, the Fireblocks mobile app confirms that the key was verified.
  - The public key appears in the Fireblocks mobile app.
  - To view the public key on the offline machine, return to the Recovery Utility on the air-gapped machine and select View Public Key.
    If the public keys match, select Approve on the Fireblocks mobile app. If they do not match, select Deny. A mismatch may mean the Owner accidentally modified or uploaded the wrong recovery public key before it was submitted to the Console.
  - The Admin Quorum and Owner enter their Fireblocks mobile app PIN codes and complete biometric authorization to approve the request.
- In the Console, the backup status updates to Pending download.
- After the approval is finalized on the Fireblocks mobile app, the workspace Owner can select Download backup kit to download the backup package.
  Important: The backup package can only be downloaded once.
- After downloading, transfer the package to an offline machine.
- Once the backup kit has been transferred to the offline machine, verify the recovery package.