Disaster Recovery

Overview

The Fireblocks Non-Custodial Wallet (NCW) solution provides a disaster recovery feature designed to help businesses ensure continuity and minimize disruption to their operations. In the event of a disaster, this feature allows businesses to regenerate the shares that Fireblocks manages, ensuring that their operations can continue uninterrupted.

The disaster recovery feature includes a toolkit that allows you to provide your end users with access to their funds, even if something happens to the original shares.

Please note:

The Disaster Recovery kit is designed specifically for the key share located exclusively on Fireblocks servers (Quorum Key #1).

In the event that Fireblocks ceases to exist and the customer wishes to empower the end-user to perform a full key takeover, the customer must establish an endpoint on their own system.

This endpoint will provide Quorum Key #1 (generated from the Disaster Recovery kit) to the SDK, enabling the reconstruction of the complete private key.

Initial Key Generation

Fireblocks NCW employs a 2-of-2 MPC signature scheme. One key share (Quorum Key #2 in the diagram below) is generated on the user's device, while the second (Quorum Key #1) is generated by Fireblocks.

Every Fireblocks workspace possesses a distinct, randomly generated master key that functions as a seed. When a new NCW is created, Fireblocks utilizes the master key alongside the freshly generated wallet identifier to calculate the corresponding key share for that specific wallet.

The combination of Quorum Key #1 and Quorum Key #2 forms the fundamental master key for the given NCW.

Key Reconstruction

Please be aware that MPC technology relies on there being no point in time at which the complete master key of the NCW exists in its entirety.

The only situation in which the shares of an NCW are consolidated into a complete master key is when the end user chooses to initiate the Full Key Takeover process.

Disaster Recovery Kit Generation

After the successful completion of the customer onboarding process with Fireblocks, a recovery kit is generated by Fireblocks. This kit comprises the master key of the workspace (seed) and is subsequently transmitted to the customer.

The procedure begins with the customer generating an RSA4096 private and public key pair. The public component of this pair is shared with Fireblocks. Fireblocks then assembles a kit containing the master key for each workspace (seed).

The kit is then encrypted using the provided public key and dispatched to the customer. Fireblocks highly recommends storing this encrypted kit securely and separately from the corresponding RSA private key, preferably on an offline, air-gapped machine.

Disaster Recovery Process

It is essential that the customer set up the Fireblocks Recovery Tool on an isolated offline machine. Once the tool is installed and a real-world situation demands its use, the customer must provide the Fireblocks Recovery Tool with the recovery kit, the associated RSA private key, and the identifiers of the wallets to recover.

The Fireblocks Recovery Tool decrypts the kit and, for each specified wallet identifier, generates the corresponding Quorum Key #1 as the output.
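
The following added example (not Fireblocks code and not the Recovery Tool) models why the decrypted workspace seed plus a wallet identifier is enough to regenerate Quorum Key #1, as described under Initial Key Generation and Disaster Recovery Process. The derivation function is an assumption: the page does not specify the real one, so HMAC-SHA512 reduced modulo the secp256k1 group order stands in for it, and the function names, label string and wallet identifiers are hypothetical.

```python
from __future__ import annotations

import hashlib
import hmac
import secrets

# Order of the secp256k1 group; in this model a share is a scalar below it.
SECP256K1_N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141


def derive_share(workspace_seed: bytes, wallet_id: str) -> int:
    """Hypothetical KDF: map (workspace seed, wallet ID) to a nonzero scalar."""
    if len(workspace_seed) < 32:
        raise ValueError("workspace seed must be at least 256 bits")
    if not wallet_id:
        raise ValueError("wallet identifier must not be empty")
    counter = 0
    while True:
        # The wallet ID is the per-wallet input; the label is a made-up
        # domain separator so the seed is not reused across purposes.
        msg = (b"ncw-share-model|" + wallet_id.encode("utf-8")
               + b"|" + counter.to_bytes(4, "big"))
        digest = hmac.new(workspace_seed, msg, hashlib.sha512).digest()
        scalar = int.from_bytes(digest, "big") % SECP256K1_N
        if scalar != 0:  # zero is not a usable share; retry with next counter
            return scalar
        counter += 1


def recover_shares(kit_seed: bytes, wallet_ids: list[str]) -> dict[str, int]:
    """Model of the offline step: decrypted seed + wallet IDs -> shares."""
    return {wid: derive_share(kit_seed, wid) for wid in wallet_ids}


def demo() -> bool:
    seed = secrets.token_bytes(32)               # constructed workspace seed
    wallet_ids = ["wallet-0001", "wallet-0002"]  # constructed identifiers
    # Shares as computed at wallet creation time ...
    original = {wid: derive_share(seed, wid) for wid in wallet_ids}
    # ... and recomputed later from the kit alone, with no stored share.
    recovered = recover_shares(seed, wallet_ids)
    return recovered == original and len(set(recovered.values())) == 2


if __name__ == "__main__":
    print("recovered shares match originals:", demo())
```

Because every wallet's share is a function of the one seed, whoever holds the decrypted kit can derive Quorum Key #1 for every wallet in the workspace, which is why the encrypted kit and the RSA private key are stored apart.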