Security

Your secrets are encrypted and recovered on your device — offline, without vendor lock-in for recovery.

Your control, by design

What actually protects you when it matters most.

You Own Your Recovery

Offline recovery with your encrypted backup + password. No login required.

Tools & OS support
manual_decrypt is available on Windows now (Linux beta, macOS planned). recovery_cli is included in the exported Windows ZIP.

Sovereign Mode (Pro)

One-way device lock.

Server access is blocked while Sovereign Mode is enabled.

30-minute access window
Server access is disabled by default. When needed, you can enable a 30-minute access window for server-dependent actions (Cloud+, ordering, license validation) — in-memory and resets on restart.

Zero Knowledge

We don't transmit your plaintext secrets. Cloud+ may see account + file names and sizes, but not backup contents or your password. Encryption and key derivation happen on your device.

Security-first activation options

Standard setup for most users. Air-gapped activation + Sovereign Mode for maximum isolation.

Standard activation (online)

  • Sign in to link and restore your license on this device.
  • Movable Pro devices periodically validate (see FAQ).
  • Recovery is still offline with your encrypted backup + password.

Air-gapped activation

  • Purchase online, then import your license file on your offline device — no network calls during import.
  • Pairs with Sovereign Mode for permanent offline operation.

How MyColdKey fits into your protection strategy

Redundant encrypted copies

Add redundant encrypted copies alongside your hardware wallet and existing backups (metal or paper). You hold the only keys.

Air-gapped recovery

Recover offline on an air-gapped machine with the free recovery tools — no login required.

One layer for all secrets

Works for seed phrases, passwords, and other sensitive notes — one recovery model.

Portable encrypted copies

Encrypted QR copies can be physically distributed or stored anywhere — they reveal nothing without your password.


Threat model + limits

What this protects you from — and what it does not.

Protects you from

  • Found or stolen backups (they stay encrypted as ciphertext; password required).
  • Backup loss/disaster (redundant copies; optional Shamir shares).
  • Vendor lock-in for recovery (offline Recovery Kit + in-app recovery).
  • Cloud compromise of encrypted backups (ciphertext), if stored encrypted-only.

Does not protect you from

  • A compromised device during encrypt/decrypt (malware, keyloggers, screen capture).
  • Weak or reused passwords (offline guessing becomes feasible).
  • A lost password (recovery is impossible).
  • Social engineering or physical coercion.
  • Misconfigured SSS thresholds or losing too many shares.
  • An attacker who obtains both your password and an encrypted backup.

Encryption mechanism

Encryption process

Flow: Secret + Password → Argon2id → AES-256-GCM → HMAC → Zeroize → Encrypted backup

Designed to keep your secret encrypted end-to-end. Plaintext is handled briefly during encrypt/decrypt and wiped after use.

Encrypted backup formats: QR · file · text · SSS

Protection layers

Brute-force resistance and tamper detection

Argon2id — slows offline guessing (memory-hard key derivation).
AES-256-GCM — encrypts the backup contents (widely deployed authenticated encryption).
HMAC — helps detect tampering or corruption.
Zeroize — clears keys from memory after use.

Runtime and design protections

Keys exist only in RAM and are zeroized after use. Plaintext is kept in memory and cleared after use.
Recovery works offline with your encrypted backup + password (no login required).

Verification

GitHub Releases include installers, manual_decrypt, and checksums.txt (SHA-256).
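One way to check downloaded release files against checksums.txt before moving them to an offline machine, as an added example that is not part of the project's tooling. It assumes checksums.txt uses the common sha256sum layout (64 hex characters, whitespace, file name), which the page does not specify.

```python
import hashlib
import hmac
import os
import re

# Assumed line layout: "<64 hex chars>  <filename>" (sha256sum style, optional '*').
LINE = re.compile(r"^([0-9a-fA-F]{64})\s+\*?(.+)$")


def parse_checksums(text):
    """Map file name -> lowercase SHA-256 hex digest; skip lines that do not parse."""
    entries = {}
    for line in text.splitlines():
        match = LINE.match(line.strip())
        if match:
            entries[match.group(2).strip()] = match.group(1).lower()
    return entries


def sha256_file(path, chunk=1 << 20):
    """Hash a file in chunks so large installers do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for block in iter(lambda: handle.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def verify(directory, checksums_text):
    """Return {name: 'ok' | 'MISMATCH' | 'missing' | 'unlisted'} for a download folder."""
    expected = parse_checksums(checksums_text)
    result = {}
    for name, want in expected.items():
        # basename() keeps a manifest entry from pointing outside the folder.
        path = os.path.join(directory, os.path.basename(name))
        if not os.path.isfile(path):
            result[name] = "missing"
        elif hmac.compare_digest(sha256_file(path), want):
            result[name] = "ok"
        else:
            result[name] = "MISMATCH"
    for name in sorted(os.listdir(directory)):
        if name not in expected and name != "checksums.txt":
            result[name] = "unlisted"  # present on disk but not covered by the manifest
    return result
```

A matching digest shows the file is the one the manifest describes; it does not by itself show that the manifest came from the publisher, so fetch checksums.txt from the release page itself.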

The Self-Contained Recovery Kit (Windows ZIP) is exported from inside the app (Lifetime Pro).

Password hygiene

Your password is the key to recovery. Treat it like a recovery-critical secret.


FAQ

What if MyColdKey is unavailable?
Your backups are fully vendor-independent. The free manual_decrypt (Windows now, Linux beta, macOS planned) and exported Windows ZIP (recovery_cli) work offline with your password and encrypted backup. You keep control without vendor lock-in.

Is login required for recovery?
No. Recovery works without login. Use manual_decrypt or the exported Windows ZIP (recovery_cli) with your encrypted backup and password — no app install, no login.

What if I lose the password?
Recovery requires the password. If it’s lost, the encrypted backup remains encrypted. Store the password separately from encrypted backups, based on your threat model.

Can I test recovery before trusting it?
Yes. Create a non-production encrypted backup, then recover it fully offline using the Recovery Kit. Once you’re confident, repeat the same process with your real setup.

How many layers protect my data?
Several hardened layers: (1) Argon2id key derivation, (2) AES-256-GCM encryption, (3) HMAC integrity check, (4) immediate key zeroization, (5) optional SSS so no single share reveals anything. All run on your device only.

What is the Self-Contained Recovery Kit?
A set of offline recovery tools. GitHub Releases include installers, manual_decrypt tools, and checksums.txt. Export the Self-Contained Recovery Kit (Windows ZIP with recovery_cli + guide) from inside the app.

Which format should I use?
Single backup: Standard (one file or QR). Redundancy or family: SSS (Shamir). All work offline; choose what fits your storage and recovery plan.

Can I activate Pro on an air-gapped device?
Yes. Purchase online, then import a signed License Token on your offline device. Import performs no network calls.

How does Sovereign Mode handle server and Cloud+ access?
Server access is disabled by default in Sovereign Mode. When needed for server-dependent actions (Cloud+, ordering, license validation), you can enable a 30-minute access window — in-memory only, resets on restart. Cloud+ can see account + file names and sizes, but not backup contents or your password.

Do Pro devices require check-ins?
Movable Pro devices require periodic license validation (at least once every 12 months). Permanent Sovereign devices do not require check-ins.

Serious security. Offline recovery. Encryption that stays on your device.
