12. Recovery Passphrase & Workspace Keys Backup

Cumulative from Stages 5 + 29 + 30 + 31: 3 recovery scenarios · 6-file package · 4 secrets · SPOC warning

Role of the Recovery Passphrase

Direct quote from recovery-passphrase.md, p.1:

"Fireblocks uses the recovery passphrase to create an encrypted backup of the mobile device's private key share, which is stored securely in Fireblocks' cloud servers."
  • Who creates it: Owner / Admin / Signer; mandatory, created in the mobile app during initial user setup
  • Requirements: ≥10 chars + ≥1 capital + ≥1 number + ≥1 special; validated client-side in the mobile app
  • Role: the key that encrypts the mobile device's MPC key share for the cloud backup
  • Storage: kept separately by the Owner; the DB stores neither the passphrase nor its hash (forbidden storage)

3 Recovery Scenarios

Scenario                         | Asset used                                        | Use case
---------------------------------+---------------------------------------------------+------------------------------------------
Owner key share recovery         | own recovery passphrase (or password-less)        | Owner device lost / new device
Admin/Signer key share recovery  | another authorized signer's recovery passphrase   | Admin / Signer device lost
Workspace Keys Recovery          | Recovery passphrase + Workspace Keys Backup       | reconstruct the Owner's full private key

Verify Passphrase + Periodic Verification

  • Mobile app Settings > Verify recovery passphrase: downloads the backup from the cloud → attempts to decrypt it with the entered passphrase
  • 3 consecutive failures → 5-minute lockout
  • Monthly reminder for Owner/Admin/Signer (iOS 2.5.7+, Android 2.5.2+)
  • Owner / Admin can review the key share risk status in the workspace audit logs; each log entry records the verification time and whether verification succeeded
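
The Verify flow above, as an added example that is not Fireblocks code: a mobile share sealed under the passphrase, decryption attempted on the downloaded blob, 3 consecutive failures triggering the 5-minute lockout, and one secret-free row per attempt in the shape of the passphrase_verification_attempts table from the DB Schema section. The scrypt + HMAC-SHA256 construction is an assumed stand-in, since the product's real KDF and cipher are not documented on this page.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

LOCKOUT_THRESHOLD = 3      # 3 consecutive failures ...
LOCKOUT_SECONDS = 5 * 60   # ... lock verification for 5 minutes

def _keys(passphrase: str, salt: bytes) -> tuple:
    # Assumed stand-in: the product's real KDF/cipher are not on the page. Returns (stream key, MAC key).
    k = hashlib.scrypt(passphrase.encode(), salt=salt, n=2**14, r=8, p=1, dklen=64)
    return k[:32], k[32:]

def _xor_stream(key: bytes, data: bytes) -> bytes:   # HMAC-SHA256 counter-mode PRF as keystream
    blocks = (hmac.new(key, i.to_bytes(8, "big"), "sha256").digest() for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, b"".join(blocks)))

def seal_share(passphrase: str, share: bytes) -> bytes:   # mobile share -> salt || ciphertext || tag
    salt = secrets.token_bytes(16)
    enc_key, mac_key = _keys(passphrase, salt)
    ct = _xor_stream(enc_key, share)
    return salt + ct + hmac.new(mac_key, salt + ct, "sha256").digest()

def open_share(passphrase: str, blob: bytes) -> bytes:   # wrong passphrase fails the tag, never yields plaintext
    salt, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    enc_key, mac_key = _keys(passphrase, salt)
    if not hmac.compare_digest(tag, hmac.new(mac_key, salt + ct, "sha256").digest()):
        raise ValueError("wrong passphrase or corrupted backup")
    return _xor_stream(enc_key, ct)

@dataclass
class PassphraseVerifier:   # Settings > Verify recovery passphrase, with lockout and audit rows
    backup_blob: bytes                           # backup downloaded from the cloud
    failures: int = 0                            # consecutive failures since the last success or lockout
    locked_until: float = 0.0
    audit: list = field(default_factory=list)    # rows for passphrase_verification_attempts; no secrets stored

    def verify(self, passphrase: str, now: float, attempt_type: str = "verify") -> str:
        if now < self.locked_until:
            result = "lockout"
        else:
            try:
                open_share(passphrase, self.backup_blob)
                self.failures, result = 0, "verified"
            except ValueError:
                self.failures, result = self.failures + 1, "incorrect"
                if self.failures >= LOCKOUT_THRESHOLD:
                    self.failures, self.locked_until, result = 0, now + LOCKOUT_SECONDS, "lockout"
        self.audit.append({"attempt_type": attempt_type, "result": result, "attempted_at": now})
        return result
```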

Workspace Keys Backup (★ Stage 30 — 6 files)

Direct quote from generating-a-workspace-key-backup-package-fireblocks-recovery-utility.md: "The package is composed of six files that contain the following key share components."

Backup Package — 6 encrypted shares:
  ┌── ECDSA shares (3 files)
  │   ├── Mobile share        — passphrase-encrypted
  │   ├── FB Cloud share #1   — RSA-4096 encrypted
  │   └── FB Cloud share #2   — RSA-4096 encrypted
  └── EdDSA shares (3 files)
      ├── Mobile share        — passphrase-encrypted
      ├── FB Cloud share #1   — RSA-4096 encrypted
      └── FB Cloud share #2   — RSA-4096 encrypted

Hosted MPC Backup — 3-share variant (Stage 29)

hosted-mpc-backup-and-recovery.md: unlike SaaS MPC, the Owner mobile + 2 Guard Co-Signers participate in the backup together.

Share                        | Source               | Encryption                             | Delivery path
-----------------------------+----------------------+----------------------------------------+------------------------------------------------------------
1. Mobile key share          | Owner mobile device  | passphrase-encrypted                   | encrypted kit via email → download → air-gapped machine #1
2. Guard Co-Signer #1 share  | Guard CS#1 (SGX)     | RSA public key (uploaded by customer)  | auto-generated → local host file
3. Guard Co-Signer #2 share  | Guard CS#2 (SGX)     | RSA public key                         | auto-generated → local host file

Asymmetric encryption layers: mobile = passphrase, Guard = RSA. Requires 2 air-gapped machines (download and assembly kept separate).

Reconstruction — 4 secrets (Stage 31)

The 4 secrets required by the Recovery Utility's offline-only procedure:

  1. Recovery Kit ZIP (6-file package)
  2. RSA private key (decrypts the Guard shares)
  3. Mobile App Recovery Passphrase
  4. RSA Private Key Passphrase

SPOC warning (★ direct quote from Fireblocks)

"Performing this procedure on an online machine will result in your private key being considered exposed and compromised."

→ Use the DR Recovery Utility only on an offline, air-gapped machine. Running it online = immediate key compromise.

Auto-passphrase (Enterprise option, Stage 6)

  • Must be enabled by Support (cannot be self-enabled)
  • Mobile device auto-generates a secure random passphrase → encrypted with the customer's RSA key → stored at Fireblocks
  • Decrypted on an offline machine (at recovery time)
  • Effect: removes user error (loss / leak) from the passphrase, standardizes the process
  • Trade-off: new SPOF = safe custody of the RSA private key

DB Schema (auditdb, all append-only)

CREATE TABLE recovery_events (
  id                  BINARY(16) PRIMARY KEY,
  workspace_id        BINARY(16) NOT NULL,
  scenario_type       ENUM('owner-key-share', 'admin-signer-key-share',
                            'workspace-keys-recovery') NOT NULL,
  initiated_by_user_id BINARY(16) NOT NULL,
  initiated_at        DATETIME(6) NOT NULL,
  completed_at        DATETIME(6),                    -- ★ set-once
  status              ENUM('initiated', 'verifying', 'reconstructed',
                            'failed', 'aborted') NOT NULL,
  air_gapped_machine_1_attested BOOLEAN,             -- DCAP attestation evidence
  air_gapped_machine_2_attested BOOLEAN,
  KEY (workspace_id, scenario_type)
);

CREATE TABLE passphrase_verification_attempts (
  id                  BINARY(16) PRIMARY KEY,
  user_id             BINARY(16) NOT NULL,
  attempt_type        ENUM('verify', 'periodic', 'recovery') NOT NULL,
  result              ENUM('verified', 'incorrect', 'lockout') NOT NULL,
  attempted_at        DATETIME(6) NOT NULL,
  KEY (user_id, attempted_at)
);

CREATE TABLE workspace_keys_backups (
  id                  BINARY(16) PRIMARY KEY,
  workspace_id        BINARY(16) NOT NULL,
  variant             ENUM('saas-mpc', 'hosted-mpc') NOT NULL,
  share_count         INT NOT NULL,                  -- 6 (SaaS) or 3 (Hosted)
  passphrase_owner_user_id BINARY(16) NOT NULL,      -- whose passphrase encrypts the mobile share
  rsa_pubkey_fingerprint BINARY(32),                 -- Hosted MPC Guard's RSA key
  created_at          DATETIME(6) NOT NULL,
  superseded_at       DATETIME(6),                    -- destruction decided on Owner transfer
  destroyed_at        DATETIME(6),                    -- destruction completed
  KEY (workspace_id)
);

-- ★ Audit so that the ABSENCE of forbidden columns is visible from the schema itself
-- Never add: passphrase_plaintext, passphrase_hash, rsa_private_key, backup_blob_plaintext