Never lose access: a complete guide to social recovery, backups and device migration
A complete guide to never losing crypto access: Shamir 2-of-3 keys, guardian social recovery, encrypted backups, and atomic device migration.
The short version: Losing your phone should never mean losing your crypto. Vaultr splits your key with Shamir Secret Sharing into a 2-of-3 scheme — device, server, and recovery — so no single point of failure can lock you out or give anyone else control. On top of that sit three recovery paths: social recovery through guardians, SHA-256-verified encrypted cloud backups, and a time-limited device migration token. All of it is non-custodial, and all of it is logged in an immutable audit trail.
Why is recovery the hardest problem in self-custody?
Self-custody has always carried an uncomfortable tradeoff: if you alone hold the keys, you alone can lose them. The seed-phrase era turned a single lost or stolen scrap of paper into a total, irreversible loss. Real self-custody has to solve recovery without quietly reintroducing a custodian who can seize your funds.
Vaultr’s answer is to never put all the trust in one place to begin with — and then to layer recovery options on top.
How does Shamir Secret Sharing protect my keys?
Vaultr secures your key with Shamir Secret Sharing over GF(256), configured as a 2-of-3 scheme. Your key is mathematically split into three shares:
- A device share
- A server share
- A recovery share
The defining property: any two of the three can reconstruct your key, but no single share reveals anything. This is the heart of why Vaultr is non-custodial. The server holds only one share — not your key. Vaultr cannot reconstruct your key alone, and neither can a thief who steals just your device.
Lose one share — a broken phone, for instance — and the other two still recover you. That’s resilience and self-custody at the same time.
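The 2-of-3 split described above, as an added example (not Vaultr's code): each key byte s becomes the constant term of a random line f(x) = s + a*x over GF(256), and the shares are f(1), f(2), f(3). The reduction polynomial 0x11B, the x-coordinates 1/2/3 and all function names are assumptions; the page states only "GF(256)" and "2-of-3".

```python
import secrets

def gf_mul(a: int, b: int) -> int:
    """Multiply in GF(2^8); reduction polynomial 0x11B is an assumption."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= 0x11B
        b >>= 1
    return r

def gf_inv(a: int) -> int:
    """Inverse via a^254, valid for any non-zero field element."""
    if a == 0:
        raise ZeroDivisionError("0 has no inverse in GF(256)")
    r = 1
    for _ in range(254):
        r = gf_mul(r, a)
    return r

# Assumed share positions (x-coordinates); the labels come from the page.
DEVICE, SERVER, RECOVERY = 1, 2, 3

def split_2_of_3(secret: bytes) -> dict:
    """Per byte s, pick a random a and evaluate f(x) = s + a*x at x = 1, 2, 3."""
    shares = {DEVICE: bytearray(), SERVER: bytearray(), RECOVERY: bytearray()}
    for s in secret:
        a = secrets.randbelow(256)  # fresh CSPRNG coefficient for every byte
        for x, out in shares.items():
            out.append(s ^ gf_mul(a, x))
    return {x: bytes(out) for x, out in shares.items()}

def combine(x1: int, y1: bytes, x2: int, y2: bytes) -> bytes:
    """Lagrange interpolation at x = 0 from any two distinct shares."""
    if x1 == x2 or len(y1) != len(y2):
        raise ValueError("need two distinct shares of equal length")
    d = gf_inv(x1 ^ x2)                      # subtraction is XOR in GF(2^8)
    l1, l2 = gf_mul(x2, d), gf_mul(x1, d)    # basis weights at x = 0
    return bytes(gf_mul(a, l1) ^ gf_mul(b, l2) for a, b in zip(y1, y2))

def consistent_secrets(x: int, y: int) -> set:
    """Secret bytes that a lone share byte (x, y) cannot rule out."""
    return {y ^ gf_mul(a, x) for a in range(256)}
```

consistent_secrets always returns all 256 byte values, which is the concrete meaning of "no single share reveals anything": the server's share alone is equally compatible with every possible key.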
What is social recovery with guardians?
Social recovery lets trusted people help you regain access without ever handing them your funds. Vaultr uses a 2-of-3 guardian setup by default: you designate guardians, and when you need to recover, a threshold of them approves the request.
The process is built to be both convenient and safe:
- Guardians are push-notified when a recovery request is made
- Every request carries a 72-hour expiry — stale or suspicious requests die on their own
- The entire flow is written to an immutable audit trail
That expiry window and the audit log are deliberate anti-abuse controls: a recovery attempt can’t sit open indefinitely, and nothing happens silently.
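A sketch of the guardian flow above, as an added example (not Vaultr's code): approvals are counted per distinct guardian, nothing is accepted after 72 hours, and every decision lands in a log. The hash-chained log is one common way to make an audit trail tamper-evident and is an assumption here, as are the class names and status strings; the page does not say how its trail is built.

```python
import hashlib
import json

EXPIRY_SECONDS = 72 * 3600  # from the page: requests expire after 72 hours
THRESHOLD = 2               # from the page: 2-of-3 guardians

class AuditLog:
    """Append-only log; each entry commits to the hash of the previous one."""
    def __init__(self):
        self.entries = []

    @staticmethod
    def _digest(prev: str, event: dict) -> str:
        body = json.dumps(event, sort_keys=True)
        return hashlib.sha256((prev + body).encode()).hexdigest()

    def append(self, event: dict) -> None:
        prev = self.entries[-1]["hash"] if self.entries else "0" * 64
        self.entries.append(
            {"prev": prev, "event": event, "hash": self._digest(prev, event)})

    def verify(self) -> bool:
        """Recompute the chain; any edited or dropped entry breaks it."""
        prev = "0" * 64
        for e in self.entries:
            if e["prev"] != prev or self._digest(prev, e["event"]) != e["hash"]:
                return False
            prev = e["hash"]
        return True

class RecoveryRequest:
    def __init__(self, guardians, created_at: int, log: AuditLog):
        self.guardians = set(guardians)
        self.created_at = created_at
        self.approvals = set()   # a set, so one guardian cannot approve twice
        self.log = log
        log.append({"type": "requested", "at": created_at})

    def approve(self, guardian: str, now: int) -> str:
        if now - self.created_at >= EXPIRY_SECONDS:
            status = "expired"   # stale requests die on their own
        elif guardian not in self.guardians:
            status = "rejected"
        else:
            self.approvals.add(guardian)
            reached = len(self.approvals) >= THRESHOLD
            status = "approved" if reached else "pending"
        self.log.append({"type": status, "by": guardian, "at": now})
        return status
```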
How do encrypted cloud backups work?
For users who want a self-managed safety net, Vaultr offers encrypted cloud backups. The key properties:
- Backups are SHA-256 verified, so integrity is checked — a corrupted or tampered backup is detectable
- Backups are deletable, so you stay in control of your own data and can remove a backup whenever you choose
Because the backup is encrypted, the cloud storage provider can’t read it. It’s a recovery aid that doesn’t become a custody backdoor.
How does device migration work?
Getting a new phone shouldn’t be a security event you dread. Vaultr handles it with device migration built around a time-limited, roughly 15-minute atomic token.
Two design choices make this safe:
- Time-limited (~15 minutes): the migration window is short, so a stolen or intercepted token is useless almost immediately
- Atomic: the migration either completes fully or not at all — there’s no partial state where access is ambiguously split between an old and new device
Move to a new device inside that window and your access transfers cleanly; miss it, and the token simply expires harmlessly.
How do these layers work together?
Think of it as concentric safety nets, not competing options:
- Shamir 2-of-3 ensures no single loss — device, server, or recovery — locks you out or hands anyone control
- Guardians give you a human-trust recovery path with expiry and audit protections
- Encrypted backups give you a verifiable, self-controlled snapshot
- Device migration gives you a fast, atomic path when you simply upgrade hardware
Each layer covers a different failure mode. Together they make permanent lockout extremely hard to stumble into — without ever making Vaultr a custodian. The server’s single Shamir share is the proof: it can participate in recovery, but it can never act alone.
FAQ
Can Vaultr access my funds during recovery?
No. Vaultr holds only one of three Shamir shares, and the scheme is 2-of-3. A single share reveals nothing, so Vaultr cannot reconstruct your key or move your funds on its own. Recovery is non-custodial.
What happens if a recovery request is fraudulent?
Guardian recovery requests are push-notified, expire after 72 hours, and are recorded in an immutable audit trail. A request can’t sit open indefinitely or proceed unnoticed.
Are my cloud backups readable by the storage provider?
No. Backups are encrypted, SHA-256 verified for integrity, and deletable by you at any time. The provider stores ciphertext it can’t read.
How long do I have to migrate to a new device?
Device migration uses a time-limited atomic token of roughly 15 minutes. Complete the migration in that window and it transfers cleanly; otherwise the token simply expires.