Identity Recovery Flow

Recover a GetTrusted identity on a new device using encrypted recovery QR codes.

Overview

GetTrusted’s recovery flow encrypts the 24-word mnemonic using AES-256-GCM and a user-supplied password, producing a self-contained recovery QR code. This recovery code is created during identity creation and stored encrypted on device unless deleted. Scanning the QR and providing the same password reconstructs the master identity deterministically.

1

Original Device — Create Recovery QR

  • Start with the 24-word mnemonic.

  • User provides a password.

  • Derive an AES key from the password using PBKDF2-SHA512 (100k iterations) and a generated salt.

  • Encrypt the mnemonic with AES-256-GCM.

  • Compress the encrypted payload with LZMA to reduce QR size.

  • Base64-encode the compressed ciphertext and generate/display the QR code.

  • Optionally store the Base64/QR in a password manager or save the QR image.

2

New Device — Recover from QR

  • Scan the recovery QR.

  • Base64-decode the scanned payload.

  • LZMA-decompress to obtain the encrypted mnemonic, salt, and nonce.

  • User provides the same password.

  • Derive the decryption key via PBKDF2-SHA512 using the extracted salt (same parameters).

  • Decrypt the mnemonic with AES-256-GCM.

  • Recreate the identity deterministically (via Workflow 1), producing an identical master identity; device private keys will differ.

Process Flow (diagram)

flowchart TD
  subgraph Original_Device [Original Device]
    A1[Create Recovery QR] --> A2[Mnemonic 24 words]
    A2 --> A3[User Passphrase]
    A3 --> A4[PBKDF2 Key Derivation - 100k iterations]
    A4 --> A5[Generate Salt]
    A5 --> A6[AES-256-GCM Encrypt Mnemonic]
    A6 --> A7[LZMA Compression - reduce QR size]
    A7 --> A8[Base64 Encode and Display QR Code]
    A8 --> A9[Store in Password Manager or Save QR]
  end

  subgraph New_Device [New Device]
    B1[Scan Recovery QR] --> B2[Base64 Decode]
    B2 --> B3[LZMA Decompress]
    B3 --> B4[Extract Encrypted Mnemonic, Salt, Nonce]
    B4 --> B5[User Password]
    B5 --> B6[PBKDF2 same salt - Derive Decryption Key]
    B6 --> B7[AES-256-GCM Decrypt Mnemonic]
    B7 --> B8[Recreate Identity via Workflow 1]
    B8 --> B9[Result - Identical Master Identity with New Device Key]
  end

  A9 -.-> B1

Cryptographic Summary

Component
Algorithm
Key Size
Purpose

Password Derivation

PBKDF2-SHA512

256 bit

Derive AES key

Encryption

AES-256-GCM

256 bit

Protect mnemonic

Compression

LZMA

Reduce QR size

Encoding

Base64

QR-safe transport

Security Guarantees

  • Recovery material is AES-256 encrypted before encoding — safe to store in password managers.

  • Decryption requires both password and QR data.

  • Recovered mnemonic regenerates identical master identity; private keys differ per device.

  • Recovery cannot decrypt historical messages — only re-establish identity.

Strategic Implications

By separating recovery from decryption, GetTrusted achieves recoverability without risk. Users can lose devices but never lose identity integrity.

PreviousIdentity CreationNextTrust Exchange

Last updated