# Export a recovery kit

The recovery kit is an encrypted archive of every key in the system. Export it regularly and store it in durable, immutable storage. It is the foundation of your disaster-recovery plan.

## Prerequisites

* Your group must have the `access_keys_backup` capability in the Administrative Policy.
* A backup public key must be configured at deployment time. Key creation is blocked until this is set. The corresponding private key must be held securely offline; you will need it if you ever need to restore.

## Export steps

1. In the sidebar, under the **SYSTEM** section, click **Backup**.
2. The **Backup Recovery Kit** modal opens. Read the summary: it describes what the archive contains and reminds you to verify the file after download.
3. Click **Export Backup**.
4. The browser downloads a file named `keys-backup-<timestamp>.zip`.

![Export Backup dialog explaining the encrypted recovery kit and the verification steps](/img/guide/backup/export-recovery-kit.png)
*The Export Backup dialog. The downloaded zip is an encrypted backup of every key, re-importable only by an admin holding the offline private key paired to the deployment backup key.*

## What the archive contains

The zip contains a JSON file with all key records and their encrypted material, plus an error log. After downloading, open the zip and verify:

* The JSON file lists the expected number of keys.
* The error log is empty (no keys failed to export).

## How the archive is encrypted

The recovery kit is encrypted using hybrid encryption: RSA-OAEP-SHA-256 wraps a per-export symmetric key, and ChaCha20-Poly1305 encrypts the payload. Only the private key paired to the backup public key configured at deployment can decrypt the archive.

Each MPC node contributes encrypted material independently; a single backup key covering all nodes is not permitted.

## Storage recommendations

Store the recovery kit in write-once (WORM) object storage. Keep at least two copies in geographically separate locations. Treat the file like the private key it protects: limit access to your disaster-recovery team.

## Restoring from a recovery kit

Restoration is a deployment-time operation, not a web UI action. It requires the offline private key and access to the infrastructure layer. See the [Backup & Recovery](/deploy/operations/backup-dr) section of the Deployment guide for the full procedure.

:::note
Each export is recorded in the audit log as a `keys_backup_created` event, including the actor and timestamp. Review these records periodically to confirm that exports are happening on schedule and only by authorized personnel.
:::
