Security

Encryption you control. Vendor-independent recovery. Encryption and decryption happen locally on your device.

Encryption process

Secret + Password → Argon2id → AES-256-GCM → HMAC → Zeroize → Encrypted backup

Designed to keep your secret encrypted end-to-end. Plaintext is handled briefly during encrypt/decrypt and wiped after use.

Encrypted backup formats: QR · file · text · SSS

Protection layers

Brute-force resistance + tamper detection (what protects your copies)

Argon2id — slows offline guessing (memory-hard key derivation).
AES-256-GCM — encrypts your secret into the encrypted backup (widely deployed authenticated encryption).
HMAC — helps detect tampering or corruption.
Zeroize — clears keys from memory after use.

End-to-end protections beyond encryption

Keys exist only in RAM and are zeroized after use. Plaintext is held in memory only while encrypting or decrypting and is cleared afterwards.
Recovery works offline with your encrypted backup + password (no login required).
Air-gapped activation: import a signed License Token (.mck) with no network calls.

Threat model + limits

What this protects you from — and what it does not.

Protects you from

  • Found or stolen backups stay encrypted (ciphertext); password required.
  • Backup loss/disaster (redundant copies; optional Shamir shares).
  • Vendor lock-in for recovery (offline Recovery Kit + in-app recovery).
  • Cloud compromise of encrypted backups (ciphertext), if stored encrypted-only.

Does not protect you from

  • A compromised device during encrypt/decrypt (malware, keyloggers, screen capture).
  • Weak or reused passwords (offline guessing becomes feasible).
  • Password loss (without the password, recovery is impossible).
  • Social engineering or physical coercion.
  • Misconfigured SSS thresholds or losing too many shares.
  • An attacker who obtains both your password and an encrypted backup.

Verification

GitHub Releases include installers, manual_decrypt, and checksums.txt (SHA-256).

The Self-Contained Recovery Kit (Windows ZIP) is exported from inside the app (Lifetime Pro).

Password hygiene

Your password is the key to decryption. Treat it like a recovery-critical secret.


Runtime security controls

These are the behaviors that matter once you store copies and later need recovery.

You Own Your Recovery

Offline recovery with your encrypted backup + password. No login required.

Tools & OS support
manual_decrypt is available on Windows now (Linux beta, macOS planned). recovery_cli is included in the exported Windows ZIP.

Sovereign Mode (Pro)

One-way device lock.

In Sovereign Mode: server access blocked while enabled.

30-minute access window
Server access is disabled by default. When needed, you can enable a 30-minute access window for server-dependent actions (Cloud+, ordering, license validation) — in-memory and resets on restart.

Zero Knowledge

We don't transmit your plaintext secrets. Cloud+ may see account + file names and sizes, but not backup contents or your password. Encryption and key derivation happen on your device.

Security-first activation options

Standard setup for most users. Air-gapped activation + Sovereign Mode for maximum isolation.

Standard activation (online)

  • Sign in to link and restore your license on this device.
  • Movable Pro devices periodically validate (see FAQ).
  • Recovery is still offline with your encrypted backup + password.

Air-gapped activation (offline token)

  • Purchase online, then import a signed License Token (.mck) on your offline device.
  • Import performs no network calls.
  • Device-bound and replay-protected.
  • Pairs with Sovereign Mode for permanent offline operation.

SHA-256 checksums for release files are provided in checksums.txt on GitHub Releases. See the Recovery page for verification steps.
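The checksum step above, as an added example that is not MyColdKey's own tooling: it parses sha256sum-style `checksums.txt` lines, hashes each listed file and reports ok, mismatch or missing. File names and contents in `demo()` are constructed for the illustration.

```python
"""Verify downloaded release files against a SHA-256 checksums.txt.
Constructed example for illustration; not the project's own code."""
import hashlib
import hmac
import tempfile
from pathlib import Path


def parse_checksums(text: str) -> dict[str, str]:
    """Parse sha256sum output: '<hex>  <name>' (text mode) or '<hex> *<name>' (binary)."""
    expected = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition(" ")
        expected[name.lstrip(" *")] = digest.lower()
    return expected


def sha256_file(path: Path) -> str:
    """Stream the file so large installers do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_release(directory: str, checksums_text: str) -> dict[str, str]:
    """Return {name: 'ok' | 'mismatch' | 'missing'} for every file listed."""
    results = {}
    for name, digest in parse_checksums(checksums_text).items():
        path = Path(directory) / name
        if not path.is_file():
            results[name] = "missing"
        elif hmac.compare_digest(sha256_file(path), digest):
            results[name] = "ok"
        else:
            results[name] = "mismatch"
    return results


def demo() -> dict[str, str]:
    """Self-check on constructed files: one intact, one tampered, one absent."""
    with tempfile.TemporaryDirectory() as d:
        (Path(d) / "manual_decrypt.exe").write_bytes(b"constructed good payload")
        (Path(d) / "installer.exe").write_bytes(b"constructed tampered payload")
        text = "\n".join([
            hashlib.sha256(b"constructed good payload").hexdigest() + "  manual_decrypt.exe",
            hashlib.sha256(b"constructed original payload").hexdigest() + " *installer.exe",
            "0" * 64 + "  guide.pdf",  # listed but not downloaded
        ])
        return verify_release(d, text)
```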

Sovereign Mode: server access is disabled by default and can be enabled for 30 minutes when needed (in-memory; resets on restart).

How MyColdKey fits into your protection strategy

Redundant encrypted copies

Add redundant encrypted copies alongside your hardware wallet and existing backups (metal or paper). You hold the only keys.

Air-gapped recovery

Recover offline on an air-gapped machine with the free recovery tools — no login required.

One layer for all secrets

Works for seed phrases, passwords, and other sensitive notes — one recovery model.

Discreet carry (optional)

Encrypted QR copies don't reveal what they protect unless decrypted with your password.


FAQ

Pre-launch note: tools will be available on release; until then, review the recovery model and verification steps.

Can I test recovery before trusting it?
Yes. Create a non-production encrypted backup, then recover it fully offline using the Recovery Kit. Once you’re confident, repeat the same process with your real setup.
What if I lose the password?
Recovery requires the password. If it’s lost, the encrypted backup remains encrypted. Store the password separately from encrypted backups, based on your threat model.
What if MyColdKey is unavailable?
Your backups are fully vendor-independent. The free manual_decrypt (Windows now, Linux beta, macOS planned) and exported Windows ZIP (recovery_cli) work offline with your password and encrypted backup. You keep control without vendor lock-in.
Is login required for recovery?
No. Recovery works without login. Use manual_decrypt (Windows now, Linux beta, macOS planned) or the exported Windows ZIP (recovery_cli) with your encrypted backup and password — no app install, no login.
What is the Self-Contained Recovery Kit?
A set of offline recovery tools. GitHub Releases include installers, manual_decrypt tools, and checksums.txt. Export the Self-Contained Recovery Kit (Windows ZIP with recovery_cli + guide) from inside the app.
Which format should I use?
Single backup: Standard (one file or QR). Redundancy or family: SSS (Shamir). All work offline; choose what fits your storage and recovery plan.
Can I activate Pro on an air-gapped device?
Yes. Purchase online, then import a signed License Token (.mck) on your offline device. Import performs no network calls.
Does Sovereign Mode block server access?
Sovereign Mode blocks server access by default. You can optionally enable online access for 30 minutes for server-dependent actions (Cloud+, ordering, license validation).
Do Pro devices require check-ins?
Movable Pro devices require periodic license validation (at least once every 12 months). Permanent Sovereign devices do not require check-ins.
How does the 30-minute access window work?
It's an in-memory timer. When it expires (or the app restarts), server access is disabled again.
Does Cloud+ work in Sovereign Mode?
Cloud+ can be enabled on your license, but Cloud operations are gated behind the temporary access window in Sovereign Mode. Cloud+ can see account + file names and sizes, but not backup contents or your password.
How many layers protect my data?
Several hardened layers: (1) Argon2id key derivation, (2) AES-256-GCM encryption, (3) HMAC integrity check, (4) immediate key zeroization, (5) optional SSS so no single share reveals anything. All run on your device only.

Ready to secure your crypto with encryption you control?

Get launch updates