Key Recovery
Two independent recovery mechanisms ensure you are never locked in. You can always recover control of your wallets without cooperation from Carabaas.
Per-Key Ejection (Standard)
Available on all plans. Allows you to export a specific vault's MPC key share.
How It Works
- Your organization admin initiates a key ejection request for a specific vault
- The request requires orgAdmin confirmation (authenticated approval)
- A 24-hour security delay begins — this window allows detection and investigation of potentially unauthorized requests
- After the delay, the vault's key share is encrypted with your public key (provided during onboarding)
- You receive the encrypted key share — Carabaas cannot read it
- Carabaas deactivates its co-signer for that vault — it will no longer co-sign transactions for it
- You decrypt the key share and combine it with your own share to derive the full wallet private key
Security Properties
- Only the specific requested vault key is ejected — the provider's seed and all other vaults are unaffected
- The 24-hour delay provides a window for fraud detection
- Carabaas is notified immediately and can escalate if the request appears unauthorized
- The ejected vault transitions to full merchant control
Use Cases
- Migrating a single vault to another provider
- Consolidating vaults
- Testing the exit process (recommended annually)
Full Seed Backup (Enterprise)
Available on enterprise plans. Provides a complete backup of all vault key material.
How It Works
- An encrypted backup is created and held by a third-party escrow provider
- You hold the decryption key — only your private key can decrypt the backup
- Carabaas cannot read the backup; the escrow provider cannot read the backup
- Recovery restores all vaults without cooperation from Carabaas
Security Guarantees
| Property | Guarantee |
|---|---|
| Provider cannot read the backup | Encrypted with your public key — only you can decrypt |
| Escrow cannot read the backup | Same — encrypted for the merchant only |
| Merchant cannot use it silently | Requesting the backup triggers a notification to Carabaas |
| Merchant can always recover | Carabaas cannot block backup delivery from the escrow |
Recovery Procedure
- Request the backup from the escrow provider
- The escrow notifies Carabaas that recovery has been initiated
- Carabaas deactivates its cosigner entirely
- Decrypt the backup with your private key
- Reconstruct the provider's keys and derive full wallet private keys
- Migrate to a self-custodied setup or a new provider
Recovery Timeline
| Method | Timeline |
|---|---|
| Per-vault ejection | 24h security delay + ~1h technical work |
| Full seed recovery | 1–5 business days (escrow process) + ~1h technical work |
| Full migration | 1–2 weeks including testing |
What Recovery Means
Regardless of which recovery mechanism is used:
- You gain full unilateral control of the wallet private keys — the MPC threshold is no longer enforced
- The provider's security guarantees (enclave isolation, seal/unseal, quorum approval) no longer apply to recovered wallets — you assume full responsibility for key security
- Recovery is a one-way transition from shared custody to full self-custody
Exit Drills
Annual exit drills are recommended for enterprise merchants. Carabaas provides:
- A test environment with representative key material
- Technical support through the drill
- Documentation of the recovery process
- Verification that recovery produces valid keys
Tip: Test the exit process before you need it. Schedule an exit drill with your account manager.