Skip to content
English
Submit a request Customer portal
Back to iofinnet.com
  • There are no suggestions because the search field is empty.

Disaster Recovery

Learn how to recover access to your vault if signing devices or credentials have been lost. Step-by-step guide including tool download, integrity check, and wallet recovery.

 

This article is relevant for all io.vault and io.network subscriptions. 


Responsibility
Before you start
Recovery tool
- Browser UI mode
- CLI mode (Terminal)
Next steps after disaster recovery
Troubleshooting

Responsibility

Each user is responsible for maintaining the following for each of their registered signers:

  • Their signer passphrase or PIN — stored securely at the time of device registration
  • An up-to-date encrypted backup file — downloaded after every vault creation, reshare, or signing configuration change
  • Their 24-word seed phrase — stored offline in a physically secure location

If any of these is missing when access is lost, recovery may not be possible. For full setup guidance, see the Backup & Recovery Setup article or our FAQs

When to use this process

Use this process only when you cannot withdraw funds from a vault because you are unable to generate a signed transaction through the io.vault app. This may happen due to:

  • Critical software malfunction
  • Malicious DDOS attack
  • Service shutdown
  • Critical loss of access to signing devices or user secret shares
  • Compromise of a signer that requires re-creation of the vault

First: identify your scenario

Before starting the full DR process, check which scenario applies to you:

A Device lost — cloud sync active + passphrase known
Download the app on a new device, log in, select Restore Signer, and enter your signer passphrase. No further steps needed.
B Device lost — passphrase unknown, but threshold still reachable
If remaining devices hold enough shares to meet the vault threshold, create a reshare request to issue new shares to a newly registered device.
C Threshold not reachable, or io.vault service unavailable
Full offline disaster recovery is required. Follow the steps below.

Before you start

Have these ready before running any command: your backup file(s) — one per device registered under your email — and the 24-word seed phrase for each device. If you have multiple email addresses, zip all backup files from all accounts into a single folder first.

The person running the recovery tool will obtain the full private key and have complete access to the vault's assets. Only a trusted operator should run this process.

Downloading the disaster recovery backup file

If you require to further back up your disaster recovery file, the following steps need to be completed:

  1. Open the mobile app and log in
  2. Once logged in, click on the settings button at the top right-hand corner of the app
  3. Select “Download encrypted backup file” and then “Continue”
  4. Specify the file name, select the destination you would like to save the file and then select “Save”
  5. Verify that file was successfully saved to the selected location (preferably on  the cloud)

Warning: For reliable disaster recovery, always back up your files to the cloud instead of storing them directly on the device. This way, if the handset is lost, you can easily access and recover your backup without needing the physical phone

Re-exporting your 24-word seed phrase

If you need to re-export your 24-word seed phrase while your signer is still active and accessible:

  1. Open the io.vault app and log in
  2. Tap the Settings icon in the top right-hand corner
  3. Tap "Export disaster recovery info again"
  4. Write down the 24-word phrase displayed and store it securely offline — never digitally

Recovery tool — two modes:

The io.finnet recovery tool can be run in two ways:

  • Browser UI mode (coming soon): a visual interface launched with ./recovery-tool -web. Recommended for users less comfortable with the terminal.
  • CLI mode (terminal): detailed steps below. Use this if you are comfortable with the command line.

1. Browser UI mode

A browser UI version of this process is also available. For the visual interface guide, refer to docs.iofinnet.com.

2. CLI MODE (Terminal)

A.Recover your private key

Step 1 Download the recovery tool

Download the correct binary for your operating system from the GitHub releases page.

  • Apple Silicon Mac (M1/M2/M3): recovery-tool-mac
  • Linux / FreeBSD: recovery-tool-linux
  • Windows (x86-64): recovery-tool.exe
  • Intel Mac or other platforms: build from source — see Troubleshooting below

Not sure which Mac you have? Click the Apple logo > About This Mac. It will show "Intel" or "Apple M1/M2/M3".

Step 2 Open your terminal

Open Terminal (macOS / Linux) or Command Prompt / PowerShell (Windows) and navigate to the folder where you downloaded the recovery tool:

cd ~/Downloads

For more help refer to the Apple Terminal Guide or Windows Command Prompt guide.

Step 3 Verify the integrity of the downloaded file

Compare the output with the SHA256 hash published on the GitHub releases page:

  • macOS: shasum -a 256 recovery-tool-[XX-VERSION].tar.gz
  • Linux / FreeBSD: sha256sum recovery-tool-[XX-VERSION]
  • Windows (PowerShell): sha256sum recovery-tool-[XX-VERSION]

If hashes match — the file is authentic and safe to use. If they do not match — re-download and restart from the beginning.

Step 4 Extract and allow permissions

Extract the tool: tar -xvzf recovery-tool-[XX-VERSION].tar.gz

Make it executable: chmod +x recovery-tool-mac

If you see a macOS security popup, go to System Settings > Privacy & Security and click Allow Anyway, then try again.

Step 5 Run the recovery tool

Replace [Backupfilename] with the name of your backup ZIP file. Wrap filenames in quotes if they contain spaces.

  • Mac: ./recovery-tool-mac [Backupfilename].zip
  • Linux: ./recovery-tool-linux [Backupfilename].zip
  • Windows: recovery-tool.exe [Backupfilename].zip

Your backup ZIP contains one .json file per device registered under the email address used.

Step 6 Enter the 24-word seed phrase

The tool will request the 24-word seed phrase for each device. Enter the words separated by a single space, then press Enter. Repeat for each signer device.

After all phrases are entered, the tool will attempt to reconstruct the private key(s). The output shows (x/y) — signing power vs threshold. If signing power is equal to or greater than the threshold, the vault can be restored. If not, ensure all backup files are included in the zip.

The tool will attempt to auto-detect the correct nonce and threshold. If unsuccessful, proceed to the next step.

Step 7 Re-run with vault details if needed

If the tool cannot auto-detect vault parameters, re-run with explicit values:

./recovery-tool-mac -vault-id YOURVAULTID -nonce [NONCE] -threshold [THRESHOLD] [Backupfilename].zip

  • Vault ID: found in the dashboard URL — https://app.iofinnet.com/vaults/YOURVAULTID
  • Nonce: vault creation = 0, each reshare increments by 1
  • Threshold: available in vault settings on the dashboard

If successful, the tool displays a success message and outputs the private keys. If failed, check that the backup filename is correctly quoted, the 24-word phrases were entered correctly for each device, the correct vault was selected, and all signers' backup files are included in the zip.

 

B. Reallocate your asset 

Before proceeding: confirm with the Customer Office that the recovered address matches the vault address shown in your dashboard.

Bitcoin (BTC) — Electrum Wallet

  1. Download and install Electrum Wallet for your operating system
  2. Accept the Terms of Use
  3. Enter a name for the wallet you are importing
  4. Select "Import Bitcoin addresses or private keys"
  5. Prefix the private key with p2wpkh: then paste it — example: p2wpkh:yourprivatekeyhere
  6. Set a password to encrypt your wallet if prompted
  7. Your wallet transaction history and balance will appear
  8. You may keep assets in Electrum or transfer them to a new io.finnet vault

Testnet: if recovering a testnet key (tb1 prefix), run Electrum with the --testnet flag. On Mac: open -n /Applications/Electrum.app --args --testnet

Ethereum & EVM-compatible assets — MetaMask

  1. Open the MetaMask app (mobile) or browser extension
  2. Click your profile icon and select "Add account", then "Import account"
  3. Ensure "Private Key" is selected
  4. Paste the private key provided by the recovery tool
  5. The imported account will appear with its associated assets
  6. You may keep the assets in MetaMask or transfer them to a new io.finnet vault to restore the MPC security layer

Tron (TRX) — TronLink

  1. Open TronLink app or browser extension
  2. Select "Import Wallet"
  3. Paste the private key output by the recovery tool
  4. Name your wallet and select assets to import
  5. You may keep assets in TronLink or transfer them to a new io.finnet vault

Solana (SOL), 

Use your recovered EdDSA private key to recover Solana assets. This process requires npm functionality in your terminal.

1. Check if Node.js is installed

From your Downloads folder, run: node -v

If a version is displayed, Node.js is installed. If command not found is displayed, go to nodejs.org, install it, then restart your terminal.

2. Run the Solana tool

The Solana tool is a separate script included in the recovery tool package. Navigate to its directory, install dependencies, and run it:

cd ~/Downloads/io-vault-disaster-recovery-cli/scripts/solana-tool npm install npm start

The Solana Transfer Tool will start.

If Node.js was just installed, restart your terminal before running the above commands.

3. Manage your SOL assets

You will be prompted to:

  • Choose the network — Mainnet is used for real environments
  • Input your private key — for Solana (EdDSA asset type), paste the private key obtained in Part A. The tool will display the derived Solana address, which must match the Solana public address shown in Part A.
  • Check balance [y/n] — note you will not be able to send the entire balance
  • Send SOL [y/n] — enter the destination address (must be a valid Solana address), enter the amount, and confirm the transaction [y]

The tool will display the sender address, receiver address, amount and network. Confirm broadcast of the transaction [y].

If you see: Error fetching recent blockhash: failed to get recent blockhash: TypeError: fetch failed — open a new terminal tab (without closing the current one) and run:curl -s https://api.mainnet-beta.solana.com \ -H "Content-Type: application/json" \ -d '{"jsonrpc":"2.0","id":1,"method":"getLatestBlockhash"}'Copy the displayed blockhash and paste it into the running Solana tool. Use Solana Explorer to verify the transaction on-chain. The result will always display a transaction signature and transaction URL.

Ripples (XRP) 

Use your recovered EdDSA private and public key to recover XRP assets. This process requires npm functionality.

1. Check if Node.js is installed

You may skip this step if Node.js was already installed for Solana recovery. Otherwise, follow the same installation steps as above.

2. Run the XRPL tool

The XRPL tool is a separate script included in the recovery tool package:

cd ~/Downloads/io-vault-disaster-recovery-cli/scripts/xrpl-tool npm install npm start

The XRP Transfer Tool will start.

Restart your terminal if Node.js was just installed.

3. Manage your XRP assets

You will be prompted to:

  • Confirm the network — Mainnet is used for real environments
  • Input your keys — for XRP (EdDSA asset type), first paste the public key, then the private key obtained in Part A. The displayed wallet address must match the XRP address shown in Part A.
  • Check balance [y/n] — note you will not be able to send the entire balance
  • Send XRP [y/n] — the destination address must be a valid XRP address and already hold at least 1 XRP, which is required by the XRP Ledger to create and maintain an account. Enter the amount and confirm the transaction [y].

On the XRP Ledger, every account must keep a minimum reserve of 1 XRP.

The tool will display the transaction details while preparing the transfer. Confirm broadcast of the transaction [y].

Next steps after disaster recovery

Troubleshooting

Permission denied error

Run the following command then retry:

chmod +x recovery-tool-mac

Security popup on macOS

  1. Go to System Settings > Privacy & Security
  2. Click "Allow Anyway" next to the recovery tool
  3. Try running the tool again

Bad CPU type error (Mac only)

The precompiled binary only supports Apple Silicon. Run uname -m to check — x86_64 = Intel. Intel Mac users must build from source:

  • Download and install Go from go.dev
  • Restart your terminal

cd ~/Downloads git clone https://github.com/IoFinNet/io-vault-disaster-recovery-cli.git cd io-vault-disaster-recovery-cli GOARCH=amd64 go build -o recovery-tool-mac

Verify the binary exists:

ls -lh recovery-tool-mac

If you see ls: recovery-tool-mac: No such file or directory — you are in the wrong folder, or the build did not complete. Restart from the clone step.

Then move your backup zip into the same folder and return to the Run step in Part A.

Recovery file does not work

  • Ensure you are using the most recently exported version of the file
  • Verify all recent vault changes occurred before the last export
  • Check all signers' backup files are included in the zip
  • Contact support if the issue persists

Need help?

Contact us at customer@iofinnet.com or submit a support request via the Help Center.