Skip to main content

Account Recovery

Because CloudKeep uses zero-knowledge encryption, we cannot read or reset your master password. Your recovery key is the only backup path to regain access to your encrypted data.

Recovery Key Overview

When you create your CloudKeep account and set a master password, a recovery key is generated. This key is a 24-word mnemonic phrase that encodes a cryptographic key capable of decrypting your private key independently of your master password.

Example recovery key (24 words)
apple banner castle delta echo forest
guitar harbor igloo jungle kite lemon
mango nectar orbit piano quartz river
sunset timber umbrella violet walnut xenon

This key is shown exactly once during onboarding. It is never stored on CloudKeep servers. If you lose it and forget your master password, there is no way to recover your data.

Why Recovery Keys Matter

CloudKeep's zero-knowledge architecture means the server never has access to your unencrypted data or the keys needed to decrypt it. This provides strong security, but it also means:

  • CloudKeep support cannot reset your master password for you. We do not have it and cannot derive it.
  • Without either your master password or your recovery key, your encrypted vaults are permanently inaccessible.
  • The recovery key is your safety net. It is the only alternative to your master password for unlocking your data.

Storing Your Recovery Key Safely

Treat your recovery key with the same care as a bank safety deposit box key. Here are recommended storage strategies:

  • Write it on paper and store in a secure physical location such as a safe or safety deposit box. Paper cannot be hacked remotely.
  • Store in a separate password manager that you access with a different master password. This way, a single compromised password does not expose both your CloudKeep account and its recovery key.
  • Split storage — write the first 12 words in one secure location and the last 12 in another. Both halves are required to restore access.
  • Avoid digital-only storage on a single device. A lost or broken laptop could mean losing both your master password memory and your recovery key.

Never store the recovery key in a CloudKeep vault (you would need the key to access the vault that contains the key), in an unencrypted note, or in email/chat history.

Using Your Recovery Key to Restore Access

If you forget your master password, follow these steps to regain access:

  1. 1

    Start recovery

    Go to the CloudKeep login page and click Forgot Master Password?
  2. 2

    Verify email

    Authenticate with your email address and email verification code to prove account ownership.
  3. 3

    Enter recovery key

    Enter your 24-word recovery key when prompted.
  4. 4

    Client-side decryption

    CloudKeep uses the recovery key to decrypt your private key in the browser. No data leaves your device during this step.
  5. 5

    Set new password

    Set a new master password. Your private key is re-encrypted with the new password.
  6. 6

    New recovery key

    A new recovery key is generated. Write it down and store it securely. The old recovery key is invalidated.

After recovery, all your vaults and secrets are accessible under the new master password. No data is lost.

What If You Lose Both?

If you have lost both your master password and your recovery key, your encrypted data is permanently unrecoverable. This is by design — it guarantees that no one, including CloudKeep employees, can access your secrets without your authorisation.

In this situation you can:

  • Create a new account with a new email address and start fresh.
  • Delete the old account by contacting support with proof of email ownership. Your encrypted data will be purged from our servers.
  • Re-import secrets if you have an encrypted backup that was created with a password you remember, or an unencrypted export file stored securely.

Re-generating a Recovery Key

You can generate a new recovery key at any time from Settings → Security → Recovery Key. This is recommended if you suspect your recovery key has been compromised or if you want to rotate it as a precaution.

  1. 1

    Open Security settings

    Navigate to Settings → Security.
  2. 2

    Regenerate

    Click Regenerate Recovery Key.
  3. 3

    Confirm identity

    Enter your master password to confirm your identity.
  4. 4

    Save new key

    A new 24-word recovery key is generated and displayed. The previous recovery key is immediately invalidated.
  5. 5

    Store securely

    Write down the new key and store it securely using the strategies described above.

Regenerating your recovery key does not change your master password or affect your vaults and secrets in any way. Only the recovery path is updated.

Next Steps

  • Security Architecture — understand the full encryption model and key hierarchy.
  • Export — create encrypted backups as an additional safety measure.