Vault Recovery
A simple, guided way to regain control of your vaults if normal access is unavailable.

When should I use this?

Use Vault Recovery only if PrimeVault services are unavailable and you need to access your assets.

What you'll need

- Three Recovery Admins pre-nominated by your org → any 2 of 3 must participate
- Each admin's recovery passphrase (created in the mobile app during setup)
- Your latest encrypted vault backup (download from Web → Settings → Vault Backup)
- The PrimeVault Local Recovery Tool (runs offline on your computer)

Security at a glance

- PrimeVault stores only public keys for Recovery Admins.
- Your encrypted vault state is stored in Amazon S3 with delete protection.
- The recovery tool runs locally and decrypts data using 2-of-3 admin passphrases.
- PrimeVault cannot view or restore your passphrases or private keys.

One-time setup (do this once)

1. Nominate 3 Recovery Admins. Email PrimeVault Support to whitelist them for recovery.
2. Admins set passphrases (mobile). Each whitelisted admin opens the PrimeVault mobile app and creates a recovery passphrase.
3. Download encrypted backup (web). Go to Settings → Vault Backup and download the encrypted vault backup. Store it securely. Re-download a fresh backup after material changes to vaults/policies.

Note: You are ready to recover when… 3 admins are whitelisted, 2+ have set passphrases, and you've stored a current backup.

Recover access (step by step)

1. Open the Local Recovery Tool. Launch the offline app. It opens a local interface in your browser.
2. Enter admin passphrases (2 of 3). Two Recovery Admins enter their own passphrases on that machine (passphrases never leave the device).
3. Upload the encrypted vault backup. Select the latest backup file you previously downloaded.
4. Decrypt & retrieve keys. The tool decrypts the backup and shows per-vault key material.
   - ECDSA chains (e.g., Ethereum/EVMs): outputs hex private keys you can import into wallets like MetaMask.
   - EdDSA chains: may not produce a conventional private key. Contact Support for chain-specific guidance.
5. Secure and restore operations. Move funds as needed. Rotate keys/policies and restore your standard PrimeVault workflows. Generate and store a fresh backup once stable.

How it works

- Each Recovery Admin's passphrase locally generates a keypair; PrimeVault keeps only the public key.
- Your vault state is encrypted to those public keys and stored in S3 (with delete protection).
- During recovery, the local tool uses any two admins' passphrases plus the encrypted backup to decrypt on your machine.
- You receive per-vault keys (for ECDSA chains) so that you can import them into a compatible wallet and recover your assets.

FAQs

Do we need PrimeVault involved during recovery?
No. Recovery happens locally with your admins and your backup. PrimeVault doesn't see passphrases or private keys.

Why a 2-of-3 threshold?
It reduces single-point risk. Any two trusted admins can recover; one alone cannot.

What if an admin forgot their passphrase?
You can still recover with any of the other two admins who remember theirs. If fewer than two passphrases are available, reset your recovery setup first (contact Support).

Why don't some chains output a private key?
Some EdDSA ecosystems don't map to a single importable hex key. We provide chain-specific scripts or procedures, so contact Support.

How often should we refresh the backup?
Any time you make material changes (new vaults, policies, signers) and at a regular cadence (e.g., monthly or quarterly).

Need help?

- Whitelisting Recovery Admins
- Chain-specific recovery (EdDSA)
- Validating your backup or tooling

Contact PrimeVault Support.
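The 2-of-3 property described under "How it works" and in the threshold FAQ (any two admins can recover, one alone cannot) can be seen in a small added example. This is not PrimeVault's code, and the page does not say which threshold construction the product uses; Shamir secret sharing and every name below are assumptions chosen only to illustrate the property.

```python
# Added illustration: 2-of-3 Shamir secret sharing over a prime field.
# Assumption: NOT PrimeVault's documented scheme; it only shows the threshold property.
import secrets

P = 2**521 - 1  # Mersenne prime, comfortably larger than a 256-bit key


def split_2_of_3(secret: int) -> list[tuple[int, int]]:
    """Return three shares (x, y) on a random line y = secret + a*x (mod P)."""
    if not 0 <= secret < P:
        raise ValueError("secret out of range")
    a = secrets.randbelow(P)  # uniformly random slope hides the secret
    return [(x, (secret + a * x) % P) for x in (1, 2, 3)]


def recover(shares: list[tuple[int, int]]) -> int:
    """Interpolate the line at x = 0 from two shares held by different admins."""
    if len(shares) < 2:
        raise ValueError("need two shares; one share alone is insufficient")
    (x1, y1), (x2, y2) = shares[:2]
    if x1 == x2:
        raise ValueError("shares must come from two different admins")
    # Lagrange interpolation at 0: (y1*x2 - y2*x1) / (x2 - x1)
    return (y1 * x2 - y2 * x1) * pow(x2 - x1, -1, P) % P


def consistent_slope(share: tuple[int, int], candidate_secret: int) -> int:
    """For ANY candidate secret there is a slope that fits a single share,
    which is why one admin alone learns nothing about the real secret."""
    x, y = share
    return (y - candidate_secret) * pow(x, -1, P) % P


if __name__ == "__main__":
    vault_key = int.from_bytes(bytes(range(32)), "big")  # constructed sample key
    s1, s2, s3 = split_2_of_3(vault_key)
    for pair in ([s1, s2], [s1, s3], [s2, s3]):
        print("pair recovers key:", recover(pair) == vault_key)
    guess = 12345  # arbitrary wrong guess, still consistent with share 1
    a = consistent_slope(s1, guess)
    print("wrong guess fits one share:", (guess + a * s1[0]) % P == s1[1])
```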