Note: In the unlikely event of Cobo Portal discontinuing its services, you can reconstruct the root extended private keys corresponding to the vault by utilizing an active Recovery Group. All private keys linked to the wallet addresses within this vault can be derived from these root extended private keys. Unlike restoration, recovery relies on the support from another holder group.

Step 1: Export private key shares

For mobile co-signers

  1. Go to iCloud.com and sign in with your Apple ID and password.
  2. Open iCloud Drive.
  3. Find and select the backed-up data file you want to export.
  4. Click the Download icon at the top of the page or double-click the backed-up data file.
  5. The file will be downloaded to your default download location.

For server co-signers

  1. Complete necessary pre-preparations.
  • Ensure accessibility to the secrets.db database files and the corresponding passwords for the two private key shares associated with your selected Recovery Group.
  • Record the root extended public keys after jointly generating each set of private key shares. Once generated, these root extended public keys will remain constant.
  1. Prepare the recovery environment.

The server hosting your TSS Node must be offline or in a secure environment. Please ensure that your TSS Node package and the database files are readily available. The directory structure of your TSS Node package is as follows.

cobo-tss-node-generic
├── configs
│   └── cobo-tss-node-config.yaml.template
├── db
│   └── secrets.db
├── recovery  (default folder where the exported MPC key shares will be stored)
└── tss-node.sh
  1. Verify private key shares information.

Enter the cobo-tss-node-generic directory to retrieve the group information.

sudo ./tss-node.sh info group

Ensure that the root extended public keys in the output match those saved during pre-preparations. If the TSS Node manages multiple private key shares, locate the group with the correct root extended public keys and take note of the Group ID.

  1. (For third-party recovery only) Share with your entrusted third party the root extended public keys linked to the specific private key share you intend to export. Your entrusted third party will utilize this information to verify their private key share information.

  2. In an offline or secure network environment, run the following command in the root directory of your TSS Node to export the private key shares.

./tss-node.sh export-share --group-ids <groupID1>,<groupID2>

  1. Enter the password you set to during the initialization of your TSS Node.

  2. Enter a new password to encrypt the private key share in each exported file. Please note that once set, this password cannot be modified. In the event of a lost password, the exported private key share file will become inaccessible and must be exported again. It is recommended to set a complex password between 16-32 characters using a password manager (e.g., 1Password) and store the password on a secure device.

  3. The private key shares will automatically be exported as JSON files.

  4. Please verify the accuracy of the root extended public keys and group ID in the exported files.

Step 2: Reconstruct all private key shares and derive the private keys for all wallet addresses

Follow the instructions below to reconstruct all private key shares and derive the private keys for all wallet addresses associated with the vault. The instructions are applicable for both mobile co-signer and server co-signer.

  1. Complete necessary pre-preparations.
  • Obtain the recovery kit from the open-source repository. Prior to compiling cobo-mpc-recovery-tool, ensure you are familiar with the instructions provided in the README.md file. Alternatively, you can download the latest version of cobo-mpc-recovery-tool here.
  • Save the wallet addresses associated with each vault using one of the following methods:
    • Retrieve AddressDetail via the generate_addresses operation during key generation. The HD path corresponding to each address will be included in the response.
    • Retrieve AddressDetail via the list_addresses operation regularly. The HD path corresponding to each address will be included in the response.
    • Manually export all address information associated with a vault by clicking the export icon on Cobo Portal.

  1. (For third-party recovery only) Obtain the private key share exported by your entrusted third party. The private key share file exported by your entrusted third party will also be in JSON format. Please verify that the root extended public keys in the files exported by you and your entrusted third party are identical.

  2. Create a new recovery folder at the same directory level as cobo-mpc-recovery-tool. Paste the two exported private key share files under the recovery folder.

├── cobo-mpc-recovery-tool
└── recovery
    ├── recovery-secrets-<nodeID1>-<time1>
    └── recovery-secrets-<nodeID2>-<time2>
  1. Execute the following commands using the actual group IDs and private key share files.
./cobo-mpc-recovery-tool verify \
    --recovery-group-files recovery/recovery-secrets-<nodeID1>-<time1>,recovery/recovery-secrets-<nodeID2>-<time2> \
    --group-id <groupID>
  1. Wait for the MPC recovery tool to automatically complete the verification process.
  • The cobo-mpc-recovery-tool will verify the keys/values associated with the first private key share file.
  • The cobo-mpc-recovery-tool will derive and verify the root extended public keys using the “participants” information in the first private key share file.
  • You need to manually enter the password associated with the first private key share file to decrypt it. The cobo-mpc-recovery-tool will then derive and verify the corresponding public keys.
  • The cobo-mpc-recovery-tool will verify the keys/values associated with the second private key share file.
  • The cobo-mpc-recovery-tool will verify whether the keys/values in the first private key share file are consistent with those in the second private key share file.
  • The cobo-mpc-recovery-tool will derive and verify the root extended public keys using the “participants” information in the second private key share file.
  • You need to manually enter the password associated with the second private key share file to decrypt it. The cobo-mpc-recovery-tool will then derive and verify the corresponding public keys.
  1. Place the address.csv file exported during pre-preparations under the recovery folder.
├── cobo-mpc-recovery-tool
└── recovery
    ├── address.csv
    ├── recovery-secrets-<nodeID1>-<time1>
    └── recovery-secrets-<nodeID2>-<time2>
  1. Execute the following commands using the actual group ID and private key share files.
  • Enter the passwords to decrypt the two private key share files.
  • The root extended private keys and the root extended public keys will be reconstructed.
  • Ensure that the root extended public keys in the output are the same as the root extended public keys you saved during pre-preparations.
  • The address.csv file will be automatically imported, and the system will generate a recovery/address-recovery.csv file based on the HD paths in the address.csv file.
  • Upon completion of the execution, all private keys associated with the wallet addresses in this vault will be stored in plain text within the recovery/address-recovery.csv file. Please ensure that all data is stored securely.
./cobo-mpc-recovery-tool \
    --recovery-group-files recovery/recovery-secrets-<nodeID1>-<time1>,recovery/recovery-secrets-<nodeID2>-<time2> \
    --group-id <groupID> \
    --csv-file recovery/address.csv \
    --show-root-private-key
Feel free to share your feedback to improve our documentation!