# Backup keys

The backup key mechanism in Seald allows an administrator to generate a backup password to recover access to the account of a user in the event all their devices are lost or inaccessible.

This works by adding a virtual device (i.e. a key pair, called a "user backup key") to each user's account. The private key of this user backup key is encrypted for an administrator backup key, and the encrypted key is backed up on Seald's servers. The administrator backup key is itself encrypted with a password, and this encrypted key is also backed up on Seald's servers. An administrator who knows this backup password can therefore recover access to a user backup key, and in the future this will make it possible to associate a new device with an account.
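
The key hierarchy described above, sketched as an added example (not Seald's code): the algorithms (RSA-OAEP, AES-256-GCM, scrypt) and every function and field name are assumptions chosen for illustration, since the page does not specify them.

```javascript
// Added sketch; RSA-OAEP, AES-256-GCM, scrypt and all names are assumptions.
const crypto = require("node:crypto");

// AES-256-GCM; blob layout is iv(12) || tag(16) || ciphertext.
function seal(key, plaintext) {
  const iv = crypto.randomBytes(12);
  const c = crypto.createCipheriv("aes-256-gcm", key, iv);
  const ct = Buffer.concat([c.update(plaintext), c.final()]);
  return Buffer.concat([iv, c.getAuthTag(), ct]);
}
function unseal(key, blob) {
  const d = crypto.createDecipheriv("aes-256-gcm", key, blob.subarray(0, 12));
  d.setAuthTag(blob.subarray(12, 28));
  return Buffer.concat([d.update(blob.subarray(28)), d.final()]); // throws if key is wrong
}
const newKeyPair = () => crypto.generateKeyPairSync("rsa", {
  modulusLength: 2048,
  publicKeyEncoding: { type: "spki", format: "pem" },
  privateKeyEncoding: { type: "pkcs8", format: "pem" },
});

// Administrator backup key: private key stored encrypted under the backup password.
function createAdminBackupKey(password) {
  const { publicKey, privateKey } = newKeyPair();
  const salt = crypto.randomBytes(16);
  const kek = crypto.scryptSync(password, salt, 32);
  return { publicKey, salt, encryptedPrivateKey: seal(kek, Buffer.from(privateKey)) };
}

// User backup key: private key encrypted for the administrator backup key
// (hybrid: a random data key seals the PEM, RSA-OAEP wraps the data key).
function addUserBackupKey(adminPublicKey) {
  const { publicKey, privateKey } = newKeyPair();
  const dataKey = crypto.randomBytes(32);
  return {
    publicKey,
    wrappedDataKey: crypto.publicEncrypt(adminPublicKey, dataKey),
    encryptedPrivateKey: seal(dataKey, Buffer.from(privateKey)),
  };
}

// Recovery: password -> administrator private key -> user backup private key.
function recoverUserBackupKey(password, adminRecord, userRecord) {
  const kek = crypto.scryptSync(password, adminRecord.salt, 32);
  const adminPrivate = unseal(kek, adminRecord.encryptedPrivateKey).toString();
  const dataKey = crypto.privateDecrypt(adminPrivate, userRecord.wrappedDataKey);
  return unseal(dataKey, userRecord.encryptedPrivateKey).toString();
}
```

The records these functions return hold only public keys, a salt and encrypted blobs, so they can be stored server-side; the backup password is the only secret that opens the chain.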

# List of backup keys

This list is available in the settings of the administration dashboard, under the "Backup keys" tab.

Tab Backup keys

The "Installed" column gives the number of users in the team who have added a certain backup key.

# Generation of a backup key

The first time you log in to the administrator account, you are asked to generate a backup key. If you skipped this step, or if you wish to generate a new one, click on the "Create a backup key" button and give your key a name. You can also send the team users a request to add the backup key.

TIP

When you ask existing users to add the backup key, a window appears asking them to accept the key.

If the desktop application is not started at the time of the notification, the window will appear the next time Seald is started.

TIP

For new users, the request to add the backup keys appears at the end of the Seald account creation.

Adding a backup key

You can check the "Request adding" checkbox to notify existing users, so that they accept the backup key and it becomes active for them as soon as possible.

Backup key password

At this stage, a password is given to you. You will need to copy and securely store this password.

# Request to add the backup key

When a backup key is created after creating a user account, or when users did not accept backup keys when creating their account, they will not have the backup key activated.

To activate it, you must notify the users in question and ask them to accept this backup key. This can be done:

  • either directly at the backup key generation step by checking the "Request adding" checkbox;
  • or by clicking on the three small dots and then on "Request adding", which appears when at least one user has not accepted it.

Request to add a backup key

This will notify users for whom the backup key is not yet activated by displaying a window:

Backup key adding request window

TIP

For more security, it is recommended to check that the hash displayed in the details of this window matches the hash displayed in the administration dashboard for this backup key.

Backup key adding request window details
Hash of the backup key in the administration dashboard

Once the request is confirmed, it will be possible to use the recovery procedure for this user from the backup key.

# Revocation of a backup key

If the password of a backup key is lost or stolen, the backup key must be revoked.

To do this, click on the three small dots, then on the "Revoke" button, and click on confirm.

Revoke a backup key

WARNING

It is not possible to go back after revoking a backup key: it will be permanently disabled, even if you know your password.

# Using a backup key

To use a backup key, it is necessary to use the user account recovery procedure.