Backup & Recovery Strategies

Five strategies for different custody models and recovery scenarios

Strategy 1: No Backup (Risk Acceptance)
For throwaway keys and development-only wallets
Generate Key → Use Immediately → Delete if Compromised
Procedure:
  1. Generate key on device (Keychain only)
  2. Use immediately for signings
  3. Do NOT export to file or iCloud
  4. If device is compromised: delete key, generate new one
  5. Key is permanently lost if device is destroyed
Advantages:
  • No backup infrastructure needed
  • Simplest setup (zero configuration)
  • Fastest key generation
  • No recovery complexity
Risks:
  • Total loss if device damaged/stolen
  • No recovery option available
  • Only suitable for non-custodial use
  • Cannot be used for long-term storage
Best For:
Development, testing, throwaway keys, single-use signing operations
Strategy 2: iCloud Backup (Automatic Cloud Sync)
For single-device users with Apple ecosystem
Generate Key → Enable iCloud Backup → App Data Syncs → Key Available on New Device
Procedure:
  1. In iOS Settings: Enable iCloud Backup for device
  2. App automatically stores encrypted share in iCloud Keychain
  3. Key is synced to all of the user's paired iPhones
  4. On new device: Sign in with Apple ID → Restore from iCloud Backup
  5. Key automatically available (no manual import)
Advantages:
  • Completely automatic (no user action)
  • Cross-device sync built-in
  • Key available on new device instantly
  • Free (included with iCloud)
Risks:
  • Depends on Apple's infrastructure
  • Apple holds escrow key (can decrypt with legal authority)
  • Requires iCloud account and internet
  • Key is synced (less isolated than device-only)
Best For:
Single-device users, consumer wallets, iPhone backup users, convenience-first approach
Strategy 3: Encrypted File Export (Cold Storage)
For users who want manual control over backups
Generate Key → Export to File → Store Offline/Cloud → Manual Import + Passphrase
Procedure:
  1. In app: Key Detail → Backup → Export
  2. System generates strong passphrase suggestion (or you create one)
  3. Choose export format (Keystore V3 JSON recommended)
  4. File saved to Files app / AirDrop / Email
  5. Move file to encrypted cloud (Tresorit, Sync.com, iCloud Drive)
  6. To recover: Import → Select file → Enter passphrase
Advantages:
  • User-controlled encryption (not Apple)
  • Portable (move between devices/platforms)
  • Can store offline or in encrypted cloud
  • Works without iCloud account
Risks:
  • Passphrase must be strong (security depends on it)
  • File can be intercepted during transfer
  • Must remember passphrase (if forgotten, key is lost)
  • Manual recovery process (slower than iCloud)
Best For:
Cold storage, paranoid users, multi-platform recovery, offline-first approach
Strategy 4: USB-C Hardware Backup (Air-Gap Safe)
For long-term custody and generational wealth
Generate Key → Export to USB Device → Store in Safe (Air-Gap) → Connect USB + PIN to Restore
Procedure:
  1. Use dedicated USB-C backup device (hardware-encrypted)
  2. In app: Export Key → Select USB Device
  3. System encrypts share on USB device (device-enforced, no passphrase needed)
  4. Store USB in physical safe (completely air-gapped, no network)
  5. To recover: Connect USB to device → Enter PIN → Key imported
  6. USB device is durable for 10+ years
Advantages:
  • 100% air-gap safe (no network access)
  • Hardware-enforced encryption
  • No passphrase to remember
  • Durable for decades
  • Can be passed to heirs (inheritance)
Risks:
  • High cost ($100-$500 for hardware)
  • Physical device can break or be lost
  • Slower recovery than file or iCloud
  • Vendor lock-in (proprietary encryption)
Best For:
Long-term custody, inheritance planning, institutional vaults, high-security requirements
Strategy 5: Threshold Backup (2-of-3 Redundancy)
Enterprise-grade recovery with no single point of failure
Device A: Share 0 + Device B: Share 1 + Server: Share 2
Procedure:
  1. Generate key across 2 devices (BLE or QR)
  2. Device A stores Share 0 in Keychain
  3. Device B stores Share 1 in Keychain
  4. Server automatically stores Share 2 in HSM (non-extractable)
  5. All shares sync to iCloud as automatic backup
  6. If Device A lost: Use Device B + Server (2-of-3 threshold) to sign
  7. If Server down: Use Device A + Device B to refresh Share 2
  8. If Device B lost: Device A + Server create new Share 1 for replacement
Advantages:
  • No single point of failure
  • Device loss is fully recoverable
  • Server compromise doesn't break security
  • Threshold refresh allows graceful onboarding
  • Audit trail on all operations
Risks:
  • Requires server infrastructure
  • More complex to set up
  • Coordination between 2-3 parties required
  • Threshold refresh takes time (~2-3 minutes)
Best For:
Enterprise custody, institutional treasuries, DAOs, multi-sig organizations

Recovery Scenarios

Scenario 1: Single Device Lost (No Backup)
Device is destroyed or stolen, and no backup was configured.
Outcome: Key is permanently lost. Cannot be recovered.
Action: Generate a new key on the replacement device.
Scenario 2: Single Device Lost (iCloud Backup)
Device is destroyed, but iCloud backup was enabled.
Outcome: Restore to new device from iCloud backup (automatic).
Action:
1. Install app on new device
2. Sign in with Apple ID
3. System restores keys from iCloud backup
4. Key available immediately (no manual steps)
Scenario 3: Single Device Lost (File Backup)
Device is destroyed, but encrypted backup file was exported to cloud storage.
Outcome: Recover key by importing backup file from cloud.
Action:
1. Install app on new device
2. Open: Import Key Share
3. Select backup file from cloud storage
4. Enter passphrase
5. System imports and decrypts key
6. Key available for signing
Scenario 4: 2-of-2 Threshold, Device Lost (File Backup)
Device A is lost, but both Device A and Device B had exported encrypted backup files.
Outcome: Device B imports Device A's backup file and then holds both shares.
Action:
1. On Device B: "Restore Key Share"
2. Select encrypted backup file from Device A
3. Enter passphrase
4. Device B now has both Share 0 and Share 1
5. Can sign alone (threshold reduced to 1-of-2)
6. Recommend: Re-generate key with new Device C (return to 2-of-2)
Scenario 5: 2-of-3 Threshold, Device Lost
Device C is lost, but threshold is 2-of-3 (Device A + Device B + Server).
Outcome: Use remaining 2 parties to authorize threshold refresh (no key loss).
Action:
1. Initiate "Threshold Refresh" on Device A or Device B
2. System coordinates with Server
3. Both parties verify ownership (biometric + passphrase)
4. New Share 3 generated for replacement Device D
5. Old Share 3 automatically invalidated
6. Transfer new share to Device D (QR or BLE)
7. New threshold active: Device A + Device B + Device D
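To make the 2-of-3 threshold of Strategy 5 and the refresh of Scenario 5 concrete, the Python below is an added illustration, not the app's or server's own code. It assumes plain Shamir sharing over a prime field (a real wallet runs distributed key generation and threshold signing over its curve's group order, never reconstructing the key on one party), maps the page's Share 0/1/2 to evaluation points x = 1/2/3 because a Shamir share cannot sit at x = 0, uses the replacement device at x = 4, and assumes the two surviving parties share a one-time mask over a secure channel. It shows the three properties the page claims: any two shares recover the key, the refreshed set still recovers it, and the lost device's old share no longer combines with any refreshed share.

```python
import secrets

# Prime field for the arithmetic. 2^127 - 1 is a Mersenne prime, chosen here
# for readability; a production wallet would use its curve's group order.
P = (1 << 127) - 1

# Evaluation points for the parties on the page (assumed assignment). Shamir
# shares cannot sit at x = 0 (that is the secret itself), so the page's
# Share 0/1/2 become x = 1/2/3 and the replacement device gets x = 4.
DEVICE_A, DEVICE_B, SERVER, DEVICE_D = 1, 2, 3, 4


def split_2_of_3(secret, indices=(DEVICE_A, DEVICE_B, SERVER)):
    """Threshold-2 Shamir split: shares are points on f(x) = secret + a1*x (mod P)."""
    a1 = secrets.randbelow(P)
    return {x: (secret + a1 * x) % P for x in indices}


def lagrange_at(t, x_i, x_j):
    """Lagrange basis weight of point x_i when evaluating the line at t."""
    return ((t - x_j) * pow(x_i - x_j, -1, P)) % P


def recover(shares):
    """Reconstruct f(0) from any two shares {x: y}; extra shares are ignored."""
    (x1, y1), (x2, y2) = list(shares.items())[:2]
    return (y1 * lagrange_at(0, x1, x2) + y2 * lagrange_at(0, x2, x1)) % P


def refresh_and_replace(shares, survivors, new_index):
    """Threshold refresh run by the two surviving parties.

    Step 1 is a proactive refresh: each survivor contributes a random multiple
    of x to the shared polynomial, so f'(0) == f(0) but every share changes and
    the lost device's old share no longer lies on the new line.
    Step 2 issues f'(new_index) to the replacement device from masked Lagrange
    terms, so neither survivor reveals its own share to the newcomer.
    """
    a, b = survivors
    r_a, r_b = secrets.randbelow(P), secrets.randbelow(P)   # one random value per survivor
    delta = (r_a + r_b) % P            # combined shift: f'(x) = f(x) + delta * x
    new = {x: (shares[x] + delta * x) % P for x in survivors}

    mask = secrets.randbelow(P)        # one-time mask agreed between a and b (assumed secure channel)
    from_a = (new[a] * lagrange_at(new_index, a, b) + mask) % P
    from_b = (new[b] * lagrange_at(new_index, b, a) - mask) % P
    new[new_index] = (from_a + from_b) % P   # the replacement device only ever sees this sum
    return new


def run_lifecycle(secret):
    """Walk Strategy 5 and Scenario 5: split, lose Device B, refresh, verify."""
    secret %= P
    shares = split_2_of_3(secret)
    any_two_recover = all(
        recover({i: shares[i], j: shares[j]}) == secret
        for i, j in ((DEVICE_A, DEVICE_B), (DEVICE_A, SERVER), (DEVICE_B, SERVER))
    )
    old_b_share = shares[DEVICE_B]              # what a thief of Device B would hold
    refreshed = refresh_and_replace(shares, (DEVICE_A, SERVER), DEVICE_D)
    return {
        "any_two_recover": any_two_recover,
        "refreshed_set_recovers": (
            recover({DEVICE_A: refreshed[DEVICE_A], DEVICE_D: refreshed[DEVICE_D]}) == secret
            and recover({SERVER: refreshed[SERVER], DEVICE_D: refreshed[DEVICE_D]}) == secret
            and recover({DEVICE_A: refreshed[DEVICE_A], SERVER: refreshed[SERVER]}) == secret
        ),
        # The stale share plus any refreshed share interpolates to a wrong value.
        "old_share_invalidated": all(
            recover({DEVICE_B: old_b_share, x: refreshed[x]}) != secret
            for x in (DEVICE_A, SERVER, DEVICE_D)
        ),
        "share_count": len(refreshed),
    }


if __name__ == "__main__":
    print(run_lifecycle(0x1234_5678_9ABC_DEF0))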

Strategy Comparison Matrix

Strategy        | Approach              | Procedure              | Recovery          | Risk             | Best For
1. No Backup    | Risk acceptance       | Generate, use, delete  | Impossible        | Total loss       | Dev/throwaway
2. iCloud       | Automatic cloud       | Enable in Settings     | Auto-restore      | Apple escrow key | Single device
3. File Export  | Manual cold storage   | Export + store file    | Manual import     | Passphrase risk  | Cold storage
4. USB-C        | Hardware air-gap      | Export to USB safe     | Connect + PIN     | Device loss      | Long-term
5. Threshold    | Enterprise redundancy | 2-device DKG + server  | Threshold refresh | None (redundant) | Enterprise

How to Choose Your Strategy

  1. What is the key for?
    • → Development/testing: Strategy 1 (no backup)
    • → Personal wallet: Strategy 2 or 3
    • → Business/custody: Strategy 4 or 5
  2. How important is automatic recovery?
    • → Critical (can't wait): Strategy 2 (iCloud)
    • → Important (manual OK): Strategy 3 or 4
    • → Low (enterprise): Strategy 5
  3. How long must the key survive?
    • → Days/months: Strategy 2 (iCloud)
    • → Years: Strategy 3 (file) or 4 (USB)
    • → Decades/inheritance: Strategy 4 (USB-C)
  4. Do you need redundancy/quorum?
    • → No: Strategy 1-4
    • → Yes: Strategy 5 (2-of-3 threshold)