Emergency Recovery

⚠️ Discover how to retrieve the master key in an emergency

In an emergency, you must recover the wallet master key to derive all other private keys. The Institutional Vault Emergency Recovery Service (ERS) provides a controlled recovery flow for this scenario.

Note: ERS is used to recover the master private key material, not to restore the full wallet system runtime. Wallet/system restoration still relies on your DB backup process.

Recovery information contains encrypted key shares for each node. The designated recovery public key encrypts these shares, and only the corresponding private key holder can decrypt them. Store this private key offline in a secure location and access it only during emergency recovery.

How to Create Master Key Recovery Information

Follow the steps below to create the master key and prepare ERS recovery information:

  1. On first launch, the wallet asks MPA nodes to create a master key.
  2. MPA nodes then:
    1. Create the master key and a key ID.
    2. Generate ERS recovery info and exchange it with each other (all nodes must agree).
    3. Mark the master key as operational, then send key ID and recovery material to the wallet.
  3. Wallet users download and securely store the recovery information.

Note: Validate and store recovery information before creating production accounts in the wallet.

Institutional Vault - Emergency Recovery Service (ERS) Tool Quickstart

Run ./erstool --help to see all commands and ./erstool [command] --help for command-specific help.

Full Command List

erstool --help
Blockdaemon Wallet Emergency Recovery

Usage:
  erstool [command]

Available Commands:
  completion  Generate the autocompletion script for the specified shell
  derive      Derive a private sub-key; optionally print the associated address
  help        Help about any command
  p11-recover Recover private key with P11 decryption, e.g., to integrate with an HSM
  pem-recover Recover private key with a decryption key in a PEM file

Flags:
  -h, --help   help for erstool

Recover with HSM (P11)

Use p11-recover when the decryption key is HSM-protected.

./erstool p11-recover \
  --backupFile wallet-backup.json \
  --hsm-key-label "ers-recovery-key" \
  --hsm-library "$P11" \
  --hsm-pin "$PIN"

P11 Recovery Flags

erstool p11-recover --help
Recover private key with P11 decryption, e.g., to integrate with an HSM

Usage:
  erstool p11-recover [flags]

Flags:
  -b, --backupFile string        path to encrypted backup file
  -h, --help                     help for p11-recover
      --hsm-key-id string        hex-encoded CKA_ID of key (optional)
      --hsm-key-label string     label of RSA private key in HSM
      --hsm-library string       path to PKCS#11 library (.so/.dylib)
      --hsm-pin string           HSM PIN (for Azure: 'cu_name:password')
      --hsm-pin-file string      HSM PIN (for Azure: 'cu_name:password')
      --hsm-slot uint            HSM slot ID (default: 0)
      --hsm-token-label string   HSM token label (alternative to slot ID)

Example Azure HSM Recovery Output

./erstool p11-recover \
  --backupFile wallet-azure-hsm-back.json \
  --hsm-key-label "ers-recovery-key" \
  --hsm-library /opt/azurecloudhsm/lib64/libazcloudhsm_pkcs11.so \
  --hsm-pin "cu1:user1234"
Key type: ECDSA_SECP256K1
 - private key: b2c249071ecc16d6e6b42e8a548765fc891d1d447b2ed614182911a5bd58953e
 - public key : 04ba5ad297ebb8ab0537ac4ecffaf4f7616e17cd8a846f627530eb9d3892ecdcc3ad3802cdfcc9315ec5caac158e4e3287b82bcad0430642e9bdfc1f6e239b2a85
 - chain code : 67c0f586eb03263c6f7c915cea8ddd078299f41582b282491e58a925bb74b489
Key type: EdDSA_Ed25519
 - private key: 09d0986845e6ad8ec0d106c1345e87e5399b2fe658321a6c2c8cd085a7a1ccf6
 - public key : 0784d06c90d40f377526cc830ddcd6159d97ead0bf834b8656af68670f505846
 - chain code : 98f19af818c311bbf1934be17ad9577008e5ba9fab1e5259e2f2af602c0989b2
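
Passing the PIN with --hsm-pin, as in the Azure example above, places it in the process argument list and in shell history, and the recovered key material is printed to the terminal. The wrapper below is an added example, not Blockdaemon code: it reads the PIN without echo, hands it to erstool through --hsm-pin-file, and writes the output to a new owner-only file. It assumes --hsm-pin-file takes the path of a file holding the PIN; the ERSTOOL variable and all function names are hypothetical.

```shell
#!/bin/sh
# Added example, not Blockdaemon code. Assumption: --hsm-pin-file takes the
# path of a file containing the PIN (for Azure: 'cu_name:password').
# ERSTOOL and all function names are hypothetical.

# Succeed only if $1 is a regular file (not a symlink) with no group/other access.
secret_file_ok() {
  [ -f "$1" ] && [ ! -L "$1" ] || return 1
  case "$(ls -ld -- "$1" | cut -c5-10)" in
    ------) return 0 ;;
    *)      return 1 ;;
  esac
}

# Store the PIN read from stdin in a new 0600 file and print the file's path.
new_pin_file() (
  f=$(mktemp "${TMPDIR:-/tmp}/ers-pin.XXXXXX") || exit 1
  cat > "$f" && printf '%s\n' "$f"
)

# usage: p11_recover BACKUP_JSON KEY_LABEL PKCS11_LIB OUT_FILE
# Reads the PIN without echo, passes it via --hsm-pin-file, writes the recovered
# key material to a new owner-only file, and removes the PIN file afterwards.
p11_recover() (
  umask 077
  [ ! -e "$4" ] || { echo "refusing to overwrite $4" >&2; exit 1; }
  if [ -t 0 ]; then
    printf 'HSM PIN: ' >&2; stty -echo; IFS= read -r pin; stty echo; echo >&2
  else
    IFS= read -r pin   # non-interactive: first line of stdin
  fi
  pin_file=$(printf '%s' "$pin" | new_pin_file) || exit 1
  trap 'rm -f -- "$pin_file"; exit 130' INT TERM HUP
  rc=0
  "${ERSTOOL:-./erstool}" p11-recover --backupFile "$1" --hsm-key-label "$2" \
    --hsm-library "$3" --hsm-pin-file "$pin_file" > "$4" || rc=$?
  rm -f -- "$pin_file"
  exit "$rc"
)
```

secret_file_ok can also be run against recovery-key.pem and the recovered master key file before pem-recover or derive is invoked.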

Recover with PEM Key

Use pem-recover when the decryption key is in a PEM file.

./erstool pem-recover \
  --backupFile wallet-backup.json \
  --privateKeyFile recovery-key.pem

PEM Recovery Flags

erstool pem-recover --help
Recover private key with a decryption key in a PEM file

Usage:
  erstool pem-recover [flags]

Flags:
  -b, --backupFile string       path to encrypted backup file
  -h, --help                    help for pem-recover
  -p, --privateKeyFile string   path to private key in PEM format

Derive Private Sub-Keys and Addresses

After master key recovery, use derive to derive private sub-keys and optionally print the associated address.

erstool derive --help
Derive a private sub-key; optionally print the associated address

Usage:
  erstool derive [flags]

Flags:
      --account uint32           account in the wallet's standard derivation path
      --address-index uint32     address-index in the wallet's standard derivation path
      --address-type string      optional print of address from derived key
      --coin-type uint32         coin-type in the wallet's standard derivation path
      --derivation-path string   derivation path, e.g., m/44/60/0/0/0, for Ethereum mainnet address#0 in account#0
      --full-derivation-path     specify the full derivation path using the derivation-path flag, rather than through (coin-type, account, address-index)
  -h, --help                     help for derive
      --privateKey-file string   path to private master key file

derive Examples

Derive using standard wallet path components:

./erstool derive \
  --privateKey-file master-private-key.hex \
  --coin-type 60 \
  --account 0 \
  --address-index 0 \
  --address-type evm

Derive using an explicit full derivation path:

./erstool derive \
  --privateKey-file master-private-key.hex \
  --full-derivation-path \
  --derivation-path "m/44/60/0/0/0" \
  --address-type evm

Derivation Paths

A derivation path is a string that describes a sequence of key derivations from a root key.

Derivation Path Format

m/purpose/coin_type/account/change/address

Each component means:

  • m: master node.
  • purpose: set to 44 (unhardened) for BIP-44.
  • coin_type: SLIP44 identifier for the blockchain.
  • account: account index, starting at 0.
  • change: 0 for external addresses, 1 for change addresses (currently not used).
  • address: address index, starting at 0.

Blockdaemon Derivation Paths

Blockchain  Environment  Derivation Path                        Notes
Bitcoin     Mainnet      m/44/0/account_index/0/address_index   Multiple receive addresses and accounts
Bitcoin     Testnet      m/44/1/account_index/0/address_index   Multiple receive addresses and accounts
Ethereum    Mainnet      m/44/60/account_index/0/0              Multiple accounts
Ethereum    Testnet      m/44/1/account_index/0/0               Multiple accounts
Polygon     Mainnet      m/44/966/account_index/0/0             Multiple accounts
Polygon     Testnet      m/44/1/account_index/0/0               Multiple accounts
Polkadot    Mainnet      m/44/354/account_index/0/0             Multiple accounts
Polkadot    Testnet      m/44/1/account_index/0/0               Multiple accounts
Solana      Mainnet      m/44/501/account_index/0/0             Multiple accounts
Solana      Testnet      m/44/1/account_index/0/0               Multiple accounts
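
During recovery a mistyped path silently derives a different key, so it helps to check a path against the table before passing it to erstool derive. The following is an added example, not Blockdaemon code, with hypothetical function names: it builds the path for a chain and validates a hand-written --derivation-path string, rejecting hardened markers, a non-zero change component, and a non-zero address index on chains the table fixes at 0.

```shell
#!/bin/sh
# Added example, not Blockdaemon code; function names are hypothetical.

# Print the coin_type the table lists for CHAIN in mainnet|testnet.
coin_type() (
  case "$1" in
    bitcoin)  id=0 ;;
    ethereum) id=60 ;;
    polygon)  id=966 ;;
    polkadot) id=354 ;;
    solana)   id=501 ;;
    *)        exit 1 ;;
  esac
  case "$2" in
    mainnet) echo "$id" ;;
    testnet) echo 1 ;;      # every testnet row in the table uses coin_type 1
    *)       exit 1 ;;
  esac
)

# True if $1 is a non-empty string of decimal digits.
is_uint() { case "$1" in ''|*[!0-9]*) return 1 ;; esac; }

# usage: build_path CHAIN mainnet|testnet ACCOUNT [ADDRESS_INDEX]
build_path() (
  ct=$(coin_type "$1" "$2") || exit 1
  is_uint "$3" && is_uint "${4:-0}" || exit 1
  # In the table only Bitcoin varies address_index; the other chains fix it at 0.
  [ "$1" = bitcoin ] || [ "${4:-0}" = 0 ] || exit 1
  echo "m/44/$ct/$3/0/${4:-0}"
)

# usage: path_matches_table PATH CHAIN mainnet|testnet
# Rebuilds the path from its account and address fields and compares the result
# with the input, so any deviation from the table's form is rejected.
path_matches_table() (
  path=$1 chain=$2 net=$3
  old_ifs=$IFS; IFS=/; set -f; set -- $path; IFS=$old_ifs
  [ $# -eq 6 ] || exit 1
  [ "$(build_path "$chain" "$net" "$4" "$6")" = "$path" ]
)
```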
