{"templateId":"markdown","sharedDataIds":{"sidebar":"sidebar-products/wallet/sidebars.yaml"},"props":{"metadata":{"markdoc":{"tagList":["admonition"]},"type":"markdown"},"seo":{"title":"Wallet backup configuration","description":"User guides, API reference, and support resources.","siteUrl":"https://docs.ripple.com/products/custody","lang":"en-US","llmstxt":{"hide":false,"sections":[{"title":"Table of contents","includeFiles":["**/*"],"excludeFiles":[]}],"excludeFiles":[]}},"dynamicMarkdocComponents":[],"compilationErrors":[],"ast":{"$$mdtype":"Tag","name":"article","attributes":{},"children":[{"$$mdtype":"Tag","name":"Heading","attributes":{"level":1,"id":"wallet-backup-configuration","__idx":0},"children":["Wallet backup configuration"]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["This guide provides instructions for configuring AWS S3 buckets to securely store encrypted Palisade wallet backup files. The setup ensures your encrypted recovery shards are stored with enterprise-grade security while maintaining controlled access for the Palisade MPC (Multi-Party Computation) service to write backups when needed."]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["This backup process works with ",{"$$mdtype":"Tag","name":"a","attributes":{"href":"/products/wallet/user-interface/security-controls/mpc-quorums"},"children":["MPC quorums"]}," to ensure key recovery."]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":2,"id":"architecture-overview","__idx":1},"children":["Architecture overview"]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Your S3 bucket stores encrypted wallet backups in a specific folder structure, with AWS IAM roles controlling access. 
The Palisade MPC service assumes a role in your AWS account to write encrypted backup files, ensuring you maintain full ownership and control of your data."]},{"$$mdtype":"Tag","name":"Mermaid","attributes":{"data-language":"mermaid","diagramSource":"flowchart LR\n    subgraph palisade[\"Palisade Cloud\"]\n        MPC[\"MPC Service\"]\n    end\n\n    subgraph customer[\"Your AWS Account\"]\n        IAM[\"IAM Role<br/>PalisadeS3BackupRole\"]\n        subgraph s3[\"S3 Bucket\"]\n            KMS[\"KMS Encryption\"]\n            Shards[\"Recovery Shards\"]\n        end\n    end\n\n    MPC -->|\"1. AssumeRole<br/>(with External ID)\"| IAM\n    IAM -->|\"2. PutObject<br/>(encrypted)\"| s3\n    KMS -.->|encrypts| Shards\n","diagramHtml":"<div class=\"mermaid\" data-processed=\"true\"><svg id=\"mermaid-1772122727952\" width=\"100%\" xmlns=\"http://www.w3.org/2000/svg\" xmlns:xlink=\"http://www.w3.org/1999/xlink\" class=\"flowchart\" style=\"max-width: 1066.03125px;\" viewBox=\"0 0 1066.03125 368\" role=\"graphics-document document\" aria-roledescription=\"flowchart-v2\"><style>#mermaid-1772122727952{font-family:\"trebuchet ms\",verdana,arial,sans-serif;font-size:16px;fill:#333;}@keyframes edge-animation-frame{from{stroke-dashoffset:0;}}@keyframes dash{to{stroke-dashoffset:0;}}#mermaid-1772122727952 .edge-animation-slow{stroke-dasharray:9,5!important;stroke-dashoffset:900;animation:dash 50s linear infinite;stroke-linecap:round;}#mermaid-1772122727952 .edge-animation-fast{stroke-dasharray:9,5!important;stroke-dashoffset:900;animation:dash 20s linear infinite;stroke-linecap:round;}#mermaid-1772122727952 .error-icon{fill:#552222;}#mermaid-1772122727952 .error-text{fill:#552222;stroke:#552222;}#mermaid-1772122727952 .edge-thickness-normal{stroke-width:1px;}#mermaid-1772122727952 .edge-thickness-thick{stroke-width:3.5px;}#mermaid-1772122727952 .edge-pattern-solid{stroke-dasharray:0;}#mermaid-1772122727952 .edge-thickness-invisible{stroke-width:0;fill:none;}#mermaid-1772122727952 
.edge-pattern-dashed{stroke-dasharray:3;}#mermaid-1772122727952 .edge-pattern-dotted{stroke-dasharray:2;}#mermaid-1772122727952 .marker{fill:#333333;stroke:#333333;}#mermaid-1772122727952 .marker.cross{stroke:#333333;}#mermaid-1772122727952 svg{font-family:\"trebuchet ms\",verdana,arial,sans-serif;font-size:16px;}#mermaid-1772122727952 p{margin:0;}#mermaid-1772122727952 .label{font-family:\"trebuchet ms\",verdana,arial,sans-serif;color:#333;}#mermaid-1772122727952 .cluster-label text{fill:#333;}#mermaid-1772122727952 .cluster-label span{color:#333;}#mermaid-1772122727952 .cluster-label span p{background-color:transparent;}#mermaid-1772122727952 .label text,#mermaid-1772122727952 span{fill:#333;color:#333;}#mermaid-1772122727952 .node rect,#mermaid-1772122727952 .node circle,#mermaid-1772122727952 .node ellipse,#mermaid-1772122727952 .node polygon,#mermaid-1772122727952 .node path{fill:#ECECFF;stroke:#9370DB;stroke-width:1px;}#mermaid-1772122727952 .rough-node .label text,#mermaid-1772122727952 .node .label text,#mermaid-1772122727952 .image-shape .label,#mermaid-1772122727952 .icon-shape .label{text-anchor:middle;}#mermaid-1772122727952 .node .katex path{fill:#000;stroke:#000;stroke-width:1px;}#mermaid-1772122727952 .rough-node .label,#mermaid-1772122727952 .node .label,#mermaid-1772122727952 .image-shape .label,#mermaid-1772122727952 .icon-shape .label{text-align:center;}#mermaid-1772122727952 .node.clickable{cursor:pointer;}#mermaid-1772122727952 .root .anchor path{fill:#333333!important;stroke-width:0;stroke:#333333;}#mermaid-1772122727952 .arrowheadPath{fill:#333333;}#mermaid-1772122727952 .edgePath .path{stroke:#333333;stroke-width:2.0px;}#mermaid-1772122727952 .flowchart-link{stroke:#333333;fill:none;}#mermaid-1772122727952 .edgeLabel{background-color:rgba(232,232,232, 0.8);text-align:center;}#mermaid-1772122727952 .edgeLabel p{background-color:rgba(232,232,232, 0.8);}#mermaid-1772122727952 .edgeLabel rect{opacity:0.5;background-color:rgba(232,232,232, 
0.8);fill:rgba(232,232,232, 0.8);}#mermaid-1772122727952 .labelBkg{background-color:rgba(232, 232, 232, 0.5);}#mermaid-1772122727952 .cluster rect{fill:#ffffde;stroke:#aaaa33;stroke-width:1px;}#mermaid-1772122727952 .cluster text{fill:#333;}#mermaid-1772122727952 .cluster span{color:#333;}#mermaid-1772122727952 div.mermaidTooltip{position:absolute;text-align:center;max-width:200px;padding:2px;font-family:\"trebuchet ms\",verdana,arial,sans-serif;font-size:12px;background:hsl(80, 100%, 96.2745098039%);border:1px solid #aaaa33;border-radius:2px;pointer-events:none;z-index:100;}#mermaid-1772122727952 .flowchartTitleText{text-anchor:middle;font-size:18px;fill:#333;}#mermaid-1772122727952 rect.text{fill:none;stroke-width:0;}#mermaid-1772122727952 .icon-shape,#mermaid-1772122727952 .image-shape{background-color:rgba(232,232,232, 0.8);text-align:center;}#mermaid-1772122727952 .icon-shape p,#mermaid-1772122727952 .image-shape p{background-color:rgba(232,232,232, 0.8);padding:2px;}#mermaid-1772122727952 .icon-shape rect,#mermaid-1772122727952 .image-shape rect{opacity:0.5;background-color:rgba(232,232,232, 0.8);fill:rgba(232,232,232, 0.8);}#mermaid-1772122727952 .label-icon{display:inline-block;height:1em;overflow:visible;vertical-align:-0.125em;}#mermaid-1772122727952 .node .label-icon path{fill:currentColor;stroke:revert;stroke-width:revert;}#mermaid-1772122727952 :root{--mermaid-font-family:\"trebuchet ms\",verdana,arial,sans-serif;}</style><g><marker id=\"mermaid-1772122727952_flowchart-v2-pointEnd\" class=\"marker flowchart-v2\" viewBox=\"0 0 10 10\" refX=\"5\" refY=\"5\" markerUnits=\"userSpaceOnUse\" markerWidth=\"8\" markerHeight=\"8\" orient=\"auto\"><path d=\"M 0 0 L 10 5 L 0 10 z\" class=\"arrowMarkerPath\" style=\"stroke-width: 1; stroke-dasharray: 1, 0;\"></path></marker><marker id=\"mermaid-1772122727952_flowchart-v2-pointStart\" class=\"marker flowchart-v2\" viewBox=\"0 0 10 10\" refX=\"4.5\" refY=\"5\" markerUnits=\"userSpaceOnUse\" markerWidth=\"8\" 
markerHeight=\"8\" orient=\"auto\"><path d=\"M 0 5 L 10 10 L 10 0 z\" class=\"arrowMarkerPath\" style=\"stroke-width: 1; stroke-dasharray: 1, 0;\"></path></marker><marker id=\"mermaid-1772122727952_flowchart-v2-circleEnd\" class=\"marker flowchart-v2\" viewBox=\"0 0 10 10\" refX=\"11\" refY=\"5\" markerUnits=\"userSpaceOnUse\" markerWidth=\"11\" markerHeight=\"11\" orient=\"auto\"><circle cx=\"5\" cy=\"5\" r=\"5\" class=\"arrowMarkerPath\" style=\"stroke-width: 1; stroke-dasharray: 1, 0;\"></circle></marker><marker id=\"mermaid-1772122727952_flowchart-v2-circleStart\" class=\"marker flowchart-v2\" viewBox=\"0 0 10 10\" refX=\"-1\" refY=\"5\" markerUnits=\"userSpaceOnUse\" markerWidth=\"11\" markerHeight=\"11\" orient=\"auto\"><circle cx=\"5\" cy=\"5\" r=\"5\" class=\"arrowMarkerPath\" style=\"stroke-width: 1; stroke-dasharray: 1, 0;\"></circle></marker><marker id=\"mermaid-1772122727952_flowchart-v2-crossEnd\" class=\"marker cross flowchart-v2\" viewBox=\"0 0 11 11\" refX=\"12\" refY=\"5.2\" markerUnits=\"userSpaceOnUse\" markerWidth=\"11\" markerHeight=\"11\" orient=\"auto\"><path d=\"M 1,1 l 9,9 M 10,1 l -9,9\" class=\"arrowMarkerPath\" style=\"stroke-width: 2; stroke-dasharray: 1, 0;\"></path></marker><marker id=\"mermaid-1772122727952_flowchart-v2-crossStart\" class=\"marker cross flowchart-v2\" viewBox=\"0 0 11 11\" refX=\"-1\" refY=\"5.2\" markerUnits=\"userSpaceOnUse\" markerWidth=\"11\" markerHeight=\"11\" orient=\"auto\"><path d=\"M 1,1 l 9,9 M 10,1 l -9,9\" class=\"arrowMarkerPath\" style=\"stroke-width: 2; stroke-dasharray: 1, 0;\"></path></marker><g class=\"root\"><g class=\"clusters\"><g class=\"cluster\" id=\"customer\" data-look=\"classic\"><rect style=\"\" x=\"386.25\" y=\"8\" width=\"671.78125\" height=\"352\"></rect><g class=\"cluster-label\" transform=\"translate(653.4921875, 8)\"><foreignObject width=\"137.296875\" height=\"24\"><div xmlns=\"http://www.w3.org/1999/xhtml\" style=\"display: table-cell; white-space: nowrap; line-height: 1.5; 
max-width: 200px; text-align: center;\"><span class=\"nodeLabel\"><p>Your AWS Account</p></span></div></foreignObject></g></g><g class=\"cluster\" id=\"palisade\" data-look=\"classic\"><rect style=\"\" x=\"8\" y=\"122\" width=\"201.234375\" height=\"124\"></rect><g class=\"cluster-label\" transform=\"translate(53.921875, 122)\"><foreignObject width=\"109.390625\" height=\"24\"><div xmlns=\"http://www.w3.org/1999/xhtml\" style=\"display: table-cell; white-space: nowrap; line-height: 1.5; max-width: 200px; text-align: center;\"><span class=\"nodeLabel\"><p>Palisade Cloud</p></span></div></foreignObject></g></g></g><g class=\"edgePaths\"><path d=\"M184.234,184L188.401,184C192.568,184,200.901,184,219.819,184C238.737,184,268.24,184,297.742,184C327.245,184,356.747,184,374.999,184C393.25,184,400.25,184,403.75,184L407.25,184\" id=\"L_MPC_IAM_0\" class=\"edge-thickness-normal edge-pattern-solid edge-thickness-normal edge-pattern-solid flowchart-link\" style=\";\" data-edge=\"true\" data-et=\"edge\" data-id=\"L_MPC_IAM_0\" data-points=\"W3sieCI6MTg0LjIzNDM3NSwieSI6MTg0fSx7IngiOjIwOS4yMzQzNzUsInkiOjE4NH0seyJ4IjoyOTcuNzQyMTg3NSwieSI6MTg0fSx7IngiOjM4Ni4yNSwieSI6MTg0fSx7IngiOjQxMS4yNSwieSI6MTg0fV0=\" marker-end=\"url(#mermaid-1772122727952_flowchart-v2-pointEnd)\"></path><path d=\"M638.484,184L650.258,184C662.031,184,685.578,184,708.458,184C731.339,184,753.552,184,764.659,184L775.766,184\" id=\"L_IAM_s3_0\" class=\"edge-thickness-normal edge-pattern-solid edge-thickness-normal edge-pattern-solid flowchart-link\" style=\";\" data-edge=\"true\" data-et=\"edge\" data-id=\"L_IAM_s3_0\" data-points=\"W3sieCI6NjM4LjQ4NDM3NSwieSI6MTg0fSx7IngiOjcwOS4xMjUsInkiOjE4NH0seyJ4Ijo3NzkuNzY1NjI1LCJ5IjoxODR9XQ==\" marker-end=\"url(#mermaid-1772122727952_flowchart-v2-pointEnd)\"></path></g><g class=\"edgeLabels\"><g class=\"edgeLabel\" transform=\"translate(297.7421875, 184)\"><g class=\"label\" data-id=\"L_MPC_IAM_0\" transform=\"translate(-63.5078125, -24)\"><foreignObject width=\"127.015625\" 
height=\"48\"><div xmlns=\"http://www.w3.org/1999/xhtml\" class=\"labelBkg\" style=\"display: table-cell; white-space: nowrap; line-height: 1.5; max-width: 200px; text-align: center;\"><span class=\"edgeLabel\">1. AssumeRole<br>(with External ID)</span></div></foreignObject></g></g><g class=\"edgeLabel\" transform=\"translate(709.125, 184)\"><g class=\"label\" data-id=\"L_IAM_s3_0\" transform=\"translate(-45.640625, -24)\"><foreignObject width=\"91.28125\" height=\"48\"><div xmlns=\"http://www.w3.org/1999/xhtml\" class=\"labelBkg\" style=\"display: table-cell; white-space: nowrap; line-height: 1.5; max-width: 200px; text-align: center;\"><span class=\"edgeLabel\">2. PutObject<br>(encrypted)</span></div></foreignObject></g></g></g><g class=\"nodes\"><g class=\"root\" transform=\"translate(771.765625, 35)\"><g class=\"clusters\"><g class=\"cluster\" id=\"s3\" data-look=\"classic\"><rect style=\"\" x=\"8\" y=\"8\" width=\"253.265625\" height=\"282\"></rect><g class=\"cluster-label\" transform=\"translate(98.140625, 8)\"><foreignObject width=\"72.984375\" height=\"24\"><div xmlns=\"http://www.w3.org/1999/xhtml\" style=\"display: table-cell; white-space: nowrap; line-height: 1.5; max-width: 200px; text-align: center;\"><span class=\"nodeLabel\"><p>S3 Bucket</p></span></div></foreignObject></g></g></g><g class=\"edgePaths\"><path d=\"M134.633,99.5L134.633,107.75C134.633,116,134.633,132.5,134.633,148.333C134.633,164.167,134.633,179.333,134.633,186.917L134.633,194.5\" id=\"L_KMS_Shards_0\" class=\"edge-thickness-normal edge-pattern-dotted edge-thickness-normal edge-pattern-solid flowchart-link\" style=\";\" data-edge=\"true\" data-et=\"edge\" data-id=\"L_KMS_Shards_0\" data-points=\"W3sieCI6MTM0LjYzMjgxMjUsInkiOjk5LjV9LHsieCI6MTM0LjYzMjgxMjUsInkiOjE0OX0seyJ4IjoxMzQuNjMyODEyNSwieSI6MTk4LjV9XQ==\" marker-end=\"url(#mermaid-1772122727952_flowchart-v2-pointEnd)\"></path></g><g class=\"edgeLabels\"><g class=\"edgeLabel\" transform=\"translate(134.6328125, 149)\"><g 
class=\"label\" data-id=\"L_KMS_Shards_0\" transform=\"translate(-32.0703125, -12)\"><foreignObject width=\"64.140625\" height=\"24\"><div xmlns=\"http://www.w3.org/1999/xhtml\" class=\"labelBkg\" style=\"display: table-cell; white-space: nowrap; line-height: 1.5; max-width: 200px; text-align: center;\"><span class=\"edgeLabel\"><p>encrypts</p></span></div></foreignObject></g></g></g><g class=\"nodes\"><g class=\"node default\" id=\"flowchart-KMS-2\" transform=\"translate(134.6328125, 72.5)\"><rect class=\"basic label-container\" style=\"\" x=\"-88.5078125\" y=\"-27\" width=\"177.015625\" height=\"54\"></rect><g class=\"label\" style=\"\" transform=\"translate(-58.5078125, -12)\"><rect></rect><foreignObject width=\"117.015625\" height=\"24\"><div xmlns=\"http://www.w3.org/1999/xhtml\" style=\"display: table-cell; white-space: nowrap; line-height: 1.5; max-width: 200px; text-align: center;\"><span class=\"nodeLabel\"><p>KMS Encryption</p></span></div></foreignObject></g></g><g class=\"node default\" id=\"flowchart-Shards-3\" transform=\"translate(134.6328125, 225.5)\"><rect class=\"basic label-container\" style=\"\" x=\"-91.6328125\" y=\"-27\" width=\"183.265625\" height=\"54\"></rect><g class=\"label\" style=\"\" transform=\"translate(-61.6328125, -12)\"><rect></rect><foreignObject width=\"123.265625\" height=\"24\"><div xmlns=\"http://www.w3.org/1999/xhtml\" style=\"display: table-cell; white-space: nowrap; line-height: 1.5; max-width: 200px; text-align: center;\"><span class=\"nodeLabel\"><p>Recovery Shards</p></span></div></foreignObject></g></g></g></g><g class=\"node default\" id=\"flowchart-MPC-0\" transform=\"translate(108.6171875, 184)\"><rect class=\"basic label-container\" style=\"\" x=\"-75.6171875\" y=\"-27\" width=\"151.234375\" height=\"54\"></rect><g class=\"label\" style=\"\" transform=\"translate(-45.6171875, -12)\"><rect></rect><foreignObject width=\"91.234375\" height=\"24\"><div xmlns=\"http://www.w3.org/1999/xhtml\" style=\"display: table-cell; 
white-space: nowrap; line-height: 1.5; max-width: 200px; text-align: center;\"><span class=\"nodeLabel\"><p>MPC Service</p></span></div></foreignObject></g></g><g class=\"node default\" id=\"flowchart-IAM-1\" transform=\"translate(524.8671875, 184)\"><rect class=\"basic label-container\" style=\"\" x=\"-113.6171875\" y=\"-39\" width=\"227.234375\" height=\"78\"></rect><g class=\"label\" style=\"\" transform=\"translate(-83.6171875, -24)\"><rect></rect><foreignObject width=\"167.234375\" height=\"48\"><div xmlns=\"http://www.w3.org/1999/xhtml\" style=\"display: table-cell; white-space: nowrap; line-height: 1.5; max-width: 200px; text-align: center;\"><span class=\"nodeLabel\"><p>IAM Role<br>PalisadeS3BackupRole</p></span></div></foreignObject></g></g></g></g></g></svg></div>"},"children":["flowchart LR\n    subgraph palisade[\"Palisade Cloud\"]\n        MPC[\"MPC Service\"]\n    end\n\n    subgraph customer[\"Your AWS Account\"]\n        IAM[\"IAM Role<br/>PalisadeS3BackupRole\"]\n        subgraph s3[\"S3 Bucket\"]\n            KMS[\"KMS Encryption\"]\n            Shards[\"Recovery Shards\"]\n        end\n    end\n\n    MPC -->|\"1. AssumeRole<br/>(with External ID)\"| IAM\n    IAM -->|\"2. 
PutObject<br/>(encrypted)\"| s3\n    KMS -.->|encrypts| Shards\n"]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":3,"id":"data-structure","__idx":2},"children":["Data structure"]},{"$$mdtype":"Tag","name":"CodeBlock","attributes":{"header":{"controls":{"copy":{}}},"source":"your-backup-bucket/\n├── <key_id_1>/\n│   ├── recovery_shard-0.txt\n│   ├── recovery_shard-1.txt\n│   └── recovery_shard-2.txt\n└── <key_id_2>/\n    ├── recovery_shard-0.txt\n    └── recovery_shard-1.txt\n"},"children":[]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":2,"id":"prerequisites-generate-recovery-key-pairs","__idx":3},"children":["Prerequisites: Generate recovery key pairs"]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Before setting up your backup strategy, generate RSA-4096 recovery key pairs using either the Palisade Wallet Recovery CLI (recommended) or OpenSSL."]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":3,"id":"key-format-requirements","__idx":4},"children":["Key format requirements"]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Public key files you upload to Palisade must be:"]},{"$$mdtype":"Tag","name":"ul","attributes":{},"children":[{"$$mdtype":"Tag","name":"li","attributes":{},"children":["RSA-4096 public keys"]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":["DER encoded (PKIX/SubjectPublicKeyInfo format)"]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":["Either binary DER format OR hex-encoded text (auto-detected)"]}]},{"$$mdtype":"Tag","name":"Admonition","attributes":{"type":"info","name":"Format auto-detection"},"children":[{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Palisade automatically detects whether your public key file is binary DER or hex-encoded text and accepts both formats. The UI displays the detected format when you upload a file. 
Accepted file extensions are ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":[".der"]},", ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":[".hex"]},", and ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":[".pem"]},"."]}]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":3,"id":"option-1-using-the-palisade-wallet-recovery-cli-recommended","__idx":5},"children":["Option 1: Using the Palisade Wallet Recovery CLI (recommended)"]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["For key generation, validation, and wallet recovery, use the ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Palisade Wallet Recovery CLI"]},":"]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Repository"]},": https://github.com/palisadeinc/wallet-recovery-cli"]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["The CLI provides commands for:"]},{"$$mdtype":"Tag","name":"ul","attributes":{},"children":[{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"code","attributes":{},"children":["generate-recovery-keypair"]}," - Generate RSA-4096 recovery key pairs"]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"code","attributes":{},"children":["validate-private-key"]}," - Validate private key files"]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"code","attributes":{},"children":["recover"]}," - Recover wallets from encrypted backups"]}]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["See the ",{"$$mdtype":"Tag","name":"a","attributes":{"href":"https://github.com/palisadeinc/wallet-recovery-cli"},"children":["wallet-recovery-cli README"]}," for complete documentation."]},{"$$mdtype":"Tag","name":"Admonition","attributes":{"type":"danger","name":"Critical: Secure your private 
key"},"children":[{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Store your private key securely. Without it, you cannot recover your wallets. Consider using a hardware security module (HSM) or secure offline storage."]}]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":3,"id":"option-2-using-openssl-manual-generation","__idx":6},"children":["Option 2: Using OpenSSL (manual generation)"]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["If you cannot use the Palisade CLI, generate keys using OpenSSL. As written, these commands leave the private key on disk unencrypted, as both recovery-private.pem and recovery-private.der, so protect both files and move the key into secure storage as described above:"]},{"$$mdtype":"Tag","name":"CodeBlock","attributes":{"data-language":"bash","header":{"controls":{"copy":{}}},"source":"# Step 1: Generate an RSA-4096 private key\nopenssl genrsa -out recovery-private.pem 4096\n\n# Step 2: Extract the public key in binary DER format\nopenssl rsa -in recovery-private.pem -pubout -outform DER -out recovery-public.der\n\n# Step 3: Securely store the private key (convert to DER and optionally encrypt)\nopenssl rsa -in recovery-private.pem -outform DER -out recovery-private.der\n","lang":"bash"},"children":[]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Upload ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["recovery-public.der"]}," (the binary DER file) to the Palisade UI. 
The UI auto-detects the format."]},{"$$mdtype":"Tag","name":"Admonition","attributes":{"type":"info","name":"Optional hex encoding"},"children":[{"$$mdtype":"Tag","name":"p","attributes":{},"children":["You can optionally convert to hex-encoded format:"]},{"$$mdtype":"Tag","name":"CodeBlock","attributes":{"data-language":"bash","header":{"controls":{"copy":{}}},"source":"xxd -p recovery-public.der | tr -d '\\n' > recovery-public.hex\n","lang":"bash"},"children":[]}]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":3,"id":"verify-your-key-files","__idx":7},"children":["Verify your key files"]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Before uploading, verify your public key file is in the correct format:"]},{"$$mdtype":"Tag","name":"CodeBlock","attributes":{"data-language":"bash","header":{"controls":{"copy":{}}},"source":"# Check file size\nwc -c recovery-public.der\n# Expected output for binary DER: 550 recovery-public.der\n# Expected output for hex-encoded: 1100 recovery-public.der\n\n# Check file type\nfile recovery-public.der\n# Binary DER output: recovery-public.der: data\n# Hex-encoded output: recovery-public.der: ASCII text, with very long lines, with no line terminators\n\n# For binary DER, check it starts with ASN.1 SEQUENCE tag (0x30)\nxxd recovery-public.der | head -1\n# Expected: 00000000: 3082 0222 300d 0609 2a86 4886 f70d 0101  0..\"0...*.H.....\n\n# For hex-encoded, check content starts correctly\nhead -c 50 recovery-public.der\n# Expected: 30820222300d06092a864886f70d01010105000382020f00\n","lang":"bash"},"children":[]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":2,"id":"step-1-create-the-s3-bucket","__idx":8},"children":["Step 1: Create the S3 bucket"]},{"$$mdtype":"Tag","name":"ol","attributes":{},"children":[{"$$mdtype":"Tag","name":"li","attributes":{},"children":["Create a new S3 bucket with a descriptive name (e.g., 
",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["company-palisade-wallet-backups"]},")."]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":["Enable versioning to protect against accidental overwrites."]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":["Create a KMS Customer Managed Key (CMK) for encryption, or use an existing one."]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":["Enable default encryption with AWS KMS (SSE-KMS):"]}]},{"$$mdtype":"Tag","name":"CodeBlock","attributes":{"data-language":"json","header":{"controls":{"copy":{}}},"source":"{\n  \"BucketEncryption\": {\n    \"ServerSideEncryptionConfiguration\": [\n      {\n        \"ServerSideEncryptionByDefault\": {\n          \"SSEAlgorithm\": \"aws:kms\",\n          \"KMSMasterKeyID\": \"arn:aws:kms:REGION:ACCOUNT:key/KEY-ID\"\n        },\n        \"BucketKeyEnabled\": true\n      }\n    ]\n  }\n}\n","lang":"json"},"children":[]},{"$$mdtype":"Tag","name":"ol","attributes":{"start":5},"children":[{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Set bucket ownership and block public access:"]},{"$$mdtype":"Tag","name":"ul","attributes":{},"children":[{"$$mdtype":"Tag","name":"li","attributes":{},"children":["Enable \"Block Public Access\" for this bucket"]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":["Set Object ownership to \"Bucket owner enforced\" to disable ACLs"]}]}]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Add a bucket policy to enforce TLS, KMS encryption, and block public access:"]}]}]},{"$$mdtype":"Tag","name":"CodeBlock","attributes":{"data-language":"json","header":{"controls":{"copy":{}}},"source":"{\n  \"Version\": \"2012-10-17\",\n  \"Statement\": [\n    {\n      \"Sid\": \"DenyInsecureTransport\",\n      \"Effect\": \"Deny\",\n      \"Principal\": \"*\",\n      \"Action\": \"s3:*\",\n      
\"Resource\": [\n        \"arn:aws:s3:::your-backup-bucket\",\n        \"arn:aws:s3:::your-backup-bucket/*\"\n      ],\n      \"Condition\": { \"Bool\": { \"aws:SecureTransport\": \"false\" } }\n    },\n    {\n      \"Sid\": \"DenyUnencryptedObjectUploads\",\n      \"Effect\": \"Deny\",\n      \"Principal\": \"*\",\n      \"Action\": \"s3:PutObject\",\n      \"Resource\": \"arn:aws:s3:::your-backup-bucket/*\",\n      \"Condition\": {\n        \"StringNotEquals\": { \"s3:x-amz-server-side-encryption\": \"aws:kms\" }\n      }\n    },\n    {\n      \"Sid\": \"DenyWrongKmsKey\",\n      \"Effect\": \"Deny\",\n      \"Principal\": \"*\",\n      \"Action\": \"s3:PutObject\",\n      \"Resource\": \"arn:aws:s3:::your-backup-bucket/*\",\n      \"Condition\": {\n        \"StringNotEquals\": {\n          \"s3:x-amz-server-side-encryption-aws-kms-key-id\": \"arn:aws:kms:REGION:ACCOUNT:key/KEY-ID\"\n        }\n      }\n    }\n  ]\n}\n","lang":"json"},"children":[]},{"$$mdtype":"Tag","name":"ol","attributes":{"start":7},"children":[{"$$mdtype":"Tag","name":"li","attributes":{},"children":["Configure lifecycle policies for backup retention:"]}]},{"$$mdtype":"Tag","name":"CodeBlock","attributes":{"data-language":"json","header":{"controls":{"copy":{}}},"source":"{\n  \"Rules\": [\n    {\n      \"Id\": \"RetainBackupsAndVersions\",\n      \"Status\": \"Enabled\",\n      \"NoncurrentVersionExpiration\": {\n        \"NoncurrentDays\": 90\n      },\n      \"AbortIncompleteMultipartUpload\": {\n        \"DaysAfterInitiation\": 7\n      }\n    }\n  ]\n}\n","lang":"json"},"children":[]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":2,"id":"step-2-create-the-iam-role-for-s3-access","__idx":9},"children":["Step 2: Create the IAM role for S3 access"]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Create an IAM role named ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["PalisadeS3BackupRole"]}," (or similar) with the following 
configuration:"]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":3,"id":"permission-policy","__idx":10},"children":["Permission policy"]},{"$$mdtype":"Tag","name":"CodeBlock","attributes":{"data-language":"json","header":{"controls":{"copy":{}}},"source":"{\n  \"Version\": \"2012-10-17\",\n  \"Statement\": [\n    {\n      \"Sid\": \"AllowS3BackupWrites\",\n      \"Effect\": \"Allow\",\n      \"Action\": [\n        \"s3:PutObject\",\n        \"s3:AbortMultipartUpload\"\n      ],\n      \"Resource\": \"arn:aws:s3:::your-backup-bucket/*\",\n      \"Condition\": {\n        \"StringEquals\": {\n          \"s3:x-amz-server-side-encryption\": \"aws:kms\",\n          \"s3:x-amz-server-side-encryption-aws-kms-key-id\": \"arn:aws:kms:REGION:ACCOUNT:key/KEY-ID\"\n        }\n      }\n    },\n    {\n      \"Sid\": \"AllowS3BucketList\",\n      \"Effect\": \"Allow\",\n      \"Action\": [\n        \"s3:ListBucket\"\n      ],\n      \"Resource\": \"arn:aws:s3:::your-backup-bucket\"\n    },\n    {\n      \"Sid\": \"AllowKMSEncryption\",\n      \"Effect\": \"Allow\",\n      \"Action\": [\n        \"kms:GenerateDataKey\",\n        \"kms:Encrypt\",\n        \"kms:DescribeKey\"\n      ],\n      \"Resource\": \"arn:aws:kms:REGION:ACCOUNT:key/KEY-ID\"\n    },\n    {\n      \"Sid\": \"AllowStsGetCallerIdentity\",\n      \"Effect\": \"Allow\",\n      \"Action\": \"sts:GetCallerIdentity\",\n      \"Resource\": \"*\"\n    }\n  ]\n}\n","lang":"json"},"children":[]},{"$$mdtype":"Tag","name":"Admonition","attributes":{"type":"info","name":"KMS permissions required"},"children":[{"$$mdtype":"Tag","name":"p","attributes":{},"children":["The ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["AllowKMSEncryption"]}," statement is required for the role to encrypt objects with your KMS key."]}]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":3,"id":"trust-relationship-policy","__idx":11},"children":["Trust relationship 
policy"]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":4,"id":"for-sandbox-environment-appsandboxpalisadeco","__idx":12},"children":["For sandbox environment (app.sandbox.palisade.co)"]},{"$$mdtype":"Tag","name":"CodeBlock","attributes":{"data-language":"json","header":{"controls":{"copy":{}}},"source":"{\n  \"Version\": \"2012-10-17\",\n  \"Statement\": [\n    {\n      \"Effect\": \"Allow\",\n      \"Principal\": {\n        \"AWS\": \"arn:aws:iam::187316130931:user/mpc-service\"\n      },\n      \"Action\": \"sts:AssumeRole\"\n    }\n  ]\n}\n","lang":"json"},"children":[]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":4,"id":"for-production-environment-apppalisadeco","__idx":13},"children":["For production environment (app.palisade.co)"]},{"$$mdtype":"Tag","name":"CodeBlock","attributes":{"data-language":"json","header":{"controls":{"copy":{}}},"source":"{\n  \"Version\": \"2012-10-17\",\n  \"Statement\": [\n    {\n      \"Effect\": \"Allow\",\n      \"Principal\": {\n        \"AWS\": \"arn:aws:iam::663932549156:user/mpc-service\"\n      },\n      \"Action\": \"sts:AssumeRole\"\n    }\n  ]\n}\n","lang":"json"},"children":[]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":3,"id":"enhanced-security-with-external-id-optional","__idx":14},"children":["Enhanced security with External ID (optional)"]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["For additional security, require an External ID in your trust policy. This guards against the \"confused deputy\" problem, in which someone other than you causes the Palisade MPC service to assume your role on their behalf: the trust policies above allow the MPC service principal to assume the role with no further condition, and the External ID adds a value that must also match."]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["When you configure an External ID in the Palisade UI, the MPC service includes it when assuming your role. 
Your trust policy can then require this specific External ID:"]},{"$$mdtype":"Tag","name":"CodeBlock","attributes":{"data-language":"json","header":{"controls":{"copy":{}}},"source":"{\n  \"Version\": \"2012-10-17\",\n  \"Statement\": [\n    {\n      \"Effect\": \"Allow\",\n      \"Principal\": {\n        \"AWS\": \"arn:aws:iam::663932549156:user/mpc-service\"\n      },\n      \"Action\": \"sts:AssumeRole\",\n      \"Condition\": {\n        \"StringEquals\": {\n          \"sts:ExternalId\": \"your-unique-external-id\"\n        }\n      }\n    }\n  ]\n}\n","lang":"json"},"children":[]},{"$$mdtype":"Tag","name":"Admonition","attributes":{"type":"info","name":"External ID matching"},"children":[{"$$mdtype":"Tag","name":"p","attributes":{},"children":["The External ID you configure in the Palisade UI must exactly match the value in your trust policy's ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["sts:ExternalId"]}," condition."]}]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":2,"id":"step-3-configure-in-palisade-ui","__idx":15},"children":["Step 3: Configure in Palisade UI"]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["After creating your S3 bucket and IAM role, configure the backup strategy in the Palisade dashboard."]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Navigate to ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Settings → Backup & Recovery"]}," and enter the following:"]},{"$$mdtype":"Tag","name":"div","attributes":{"className":"md-table-wrapper"},"children":[{"$$mdtype":"Tag","name":"table","attributes":{"className":"md"},"children":[{"$$mdtype":"Tag","name":"thead","attributes":{},"children":[{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"th","attributes":{"data-label":"Field"},"children":["Field"]},{"$$mdtype":"Tag","name":"th","attributes":{"data-label":"What to enter"},"children":["What to 
enter"]},{"$$mdtype":"Tag","name":"th","attributes":{"data-label":"Example"},"children":["Example"]}]}]},{"$$mdtype":"Tag","name":"tbody","attributes":{},"children":[{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Assume Role ARN"]}]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["The ARN of the IAM role you created (NOT the bucket ARN)"]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"code","attributes":{},"children":["arn:aws:iam::123456789012:role/PalisadeS3BackupRole"]}]}]},{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Bucket"]}]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["Just the bucket name (no ARN, no s3:// prefix)"]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"code","attributes":{},"children":["company-palisade-wallet-backups"]}]}]},{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Region"]}]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["The AWS region where your bucket is located"]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"code","attributes":{},"children":["eu-west-1"]}]}]},{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["External ID (optional)"]}]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["A unique identifier for role assumption 
security"]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"code","attributes":{},"children":["palisade-backup-2024-abc123"]}]}]},{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["KMS Key ARN (optional)"]}]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["The KMS key ARN for server-side encryption"]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"code","attributes":{},"children":["arn:aws:kms:eu-west-1:123456789012:key/12345678-1234-1234-1234-123456789012"]}]}]}]}]}]},{"$$mdtype":"Tag","name":"Admonition","attributes":{"type":"warning","name":"Common mistake"},"children":[{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Do not enter the S3 bucket ARN in the \"Assume Role ARN\" field. The system expects an IAM Role ARN in the format ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["arn:aws:iam::<account-id>:role/<role-name>"]},"."]}]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":3,"id":"pre-flight-validation","__idx":16},"children":["Pre-flight validation"]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["When you save your backup configuration, Palisade automatically validates that:"]},{"$$mdtype":"Tag","name":"ol","attributes":{},"children":[{"$$mdtype":"Tag","name":"li","attributes":{},"children":["The MPC service can assume the specified IAM role"]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":["The role has permission to write to the S3 bucket"]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":["If an External ID is configured, it's accepted by the trust policy"]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":["If a KMS Key ARN is configured, the role can use it for encryption"]}]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["This validation happens 
",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["before"]}," Palisade provisions any wallets, ensuring you discover configuration issues immediately rather than during wallet creation."]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":3,"id":"arn-format-reference","__idx":17},"children":["ARN format reference"]},{"$$mdtype":"Tag","name":"div","attributes":{"className":"md-table-wrapper"},"children":[{"$$mdtype":"Tag","name":"table","attributes":{"className":"md"},"children":[{"$$mdtype":"Tag","name":"thead","attributes":{},"children":[{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"th","attributes":{"data-label":"Type"},"children":["Type"]},{"$$mdtype":"Tag","name":"th","attributes":{"data-label":"Format"},"children":["Format"]},{"$$mdtype":"Tag","name":"th","attributes":{"data-label":"Example"},"children":["Example"]}]}]},{"$$mdtype":"Tag","name":"tbody","attributes":{},"children":[{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":["IAM Role ARN (correct)"]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"code","attributes":{},"children":["arn:aws:iam::<account>:role/<name>"]}]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"code","attributes":{},"children":["arn:aws:iam::123456789012:role/PalisadeS3BackupRole"]}]}]},{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":["S3 Bucket ARN (incorrect)"]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"code","attributes":{},"children":["arn:aws:s3:::<bucket>"]}]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"code","attributes":{},"children":["arn:aws:s3:::my-bucket"]}]}]},{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":["KMS 
Key ARN"]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"code","attributes":{},"children":["arn:aws:kms:<region>:<account>:key/<key-id>"]}]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"code","attributes":{},"children":["arn:aws:kms:eu-west-1:123456789012:key/..."]}]}]}]}]}]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":2,"id":"step-4-advanced-security-configuration-optional","__idx":18},"children":["Step 4: Advanced security configuration (optional)"]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":3,"id":"enable-cloudtrail-logging","__idx":19},"children":["Enable CloudTrail logging"]},{"$$mdtype":"Tag","name":"CodeBlock","attributes":{"data-language":"json","header":{"controls":{"copy":{}}},"source":"{\n  \"EventSelectors\": [\n    {\n      \"ReadWriteType\": \"All\",\n      \"IncludeManagementEvents\": false,\n      \"DataResources\": [\n        {\n          \"Type\": \"AWS::S3::Object\",\n          \"Values\": [\"arn:aws:s3:::your-backup-bucket/*\"]\n        }\n      ]\n    }\n  ]\n}\n","lang":"json"},"children":[]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":3,"id":"configure-s3-object-lock-for-immutable-backups","__idx":20},"children":["Configure S3 Object Lock (for immutable backups)"]},{"$$mdtype":"Tag","name":"CodeBlock","attributes":{"data-language":"json","header":{"controls":{"copy":{}}},"source":"{\n  \"ObjectLockEnabled\": \"Enabled\",\n  \"Rule\": {\n    \"DefaultRetention\": {\n      \"Mode\": \"COMPLIANCE\",\n      \"Days\": 30\n    }\n  }\n}\n","lang":"json"},"children":[]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":2,"id":"security-best-practices-checklist","__idx":21},"children":["Security best practices 
checklist"]},{"$$mdtype":"Tag","name":"ul","attributes":{},"children":[{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"input","attributes":{"checked":false,"type":"checkbox","readOnly":true},"children":[]}," ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Encryption at rest"]},": Default SSE-KMS with your CMK enforced at bucket and IAM policy"]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"input","attributes":{"checked":false,"type":"checkbox","readOnly":true},"children":[]}," ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Encryption in transit"]},": Bucket policy enforces SSL/TLS connections"]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"input","attributes":{"checked":false,"type":"checkbox","readOnly":true},"children":[]}," ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Access control"]},": IAM role with minimal required permissions"]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"input","attributes":{"checked":false,"type":"checkbox","readOnly":true},"children":[]}," ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["KMS permissions"]},": Role has ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["kms:GenerateDataKey"]}," and ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["kms:Encrypt"]}," on your CMK"]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"input","attributes":{"checked":false,"type":"checkbox","readOnly":true},"children":[]}," ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["External ID"]},": Configure an External ID for enhanced role assumption security"]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"input","attributes":{"checked":false,"type":"checkbox","readOnly":true},"children":[]}," 
",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Versioning"]},": Enabled to protect against accidental overwrites"]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"input","attributes":{"checked":false,"type":"checkbox","readOnly":true},"children":[]}," ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Logging"]},": CloudTrail and S3 access logging enabled"]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"input","attributes":{"checked":false,"type":"checkbox","readOnly":true},"children":[]}," ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Monitoring"]},": CloudWatch alarms configured"]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"input","attributes":{"checked":false,"type":"checkbox","readOnly":true},"children":[]}," ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Backup retention"]},": Lifecycle policies configured"]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"input","attributes":{"checked":false,"type":"checkbox","readOnly":true},"children":[]}," ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["MFA Delete"]},": Consider enabling for production buckets"]}]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":2,"id":"troubleshooting","__idx":22},"children":["Troubleshooting"]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":3,"id":"access-denied-errors","__idx":23},"children":["Access denied 
errors"]},{"$$mdtype":"Tag","name":"div","attributes":{"className":"md-table-wrapper"},"children":[{"$$mdtype":"Tag","name":"table","attributes":{"className":"md"},"children":[{"$$mdtype":"Tag","name":"thead","attributes":{},"children":[{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"th","attributes":{"data-label":"Cause"},"children":["Cause"]},{"$$mdtype":"Tag","name":"th","attributes":{"data-label":"Solution"},"children":["Solution"]}]}]},{"$$mdtype":"Tag","name":"tbody","attributes":{},"children":[{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":["Trust relationship missing Palisade account"]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["Add correct Palisade account ID to trust policy"]}]},{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":["S3 bucket name mismatch"]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["Ensure bucket name in policies matches exactly"]}]},{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":["Missing KMS permissions"]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["Add required KMS permissions to IAM role"]}]},{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":["External ID mismatch"]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["Verify External ID matches between UI and trust policy"]}]}]}]}]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":3,"id":"encryption-errors","__idx":24},"children":["Encryption 
errors"]},{"$$mdtype":"Tag","name":"div","attributes":{"className":"md-table-wrapper"},"children":[{"$$mdtype":"Tag","name":"table","attributes":{"className":"md"},"children":[{"$$mdtype":"Tag","name":"thead","attributes":{},"children":[{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"th","attributes":{"data-label":"Cause"},"children":["Cause"]},{"$$mdtype":"Tag","name":"th","attributes":{"data-label":"Solution"},"children":["Solution"]}]}]},{"$$mdtype":"Tag","name":"tbody","attributes":{},"children":[{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":["SSE not enabled on bucket"]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["Enable server-side encryption on the bucket"]}]},{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":["Bucket policy missing encryption requirement"]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["Add policy requiring encrypted uploads"]}]},{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":["Missing KMS permissions"]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["Add ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["kms:GenerateDataKey"]}," and ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["kms:Encrypt"]}," to IAM role"]}]},{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":["KMS Key ARN mismatch"]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["Ensure KMS Key ARN in UI matches bucket policy"]}]}]}]}]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":3,"id":"role-assumption-failures","__idx":25},"children":["Role assumption 
failures"]},{"$$mdtype":"Tag","name":"div","attributes":{"className":"md-table-wrapper"},"children":[{"$$mdtype":"Tag","name":"table","attributes":{"className":"md"},"children":[{"$$mdtype":"Tag","name":"thead","attributes":{},"children":[{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"th","attributes":{"data-label":"Cause"},"children":["Cause"]},{"$$mdtype":"Tag","name":"th","attributes":{"data-label":"Solution"},"children":["Solution"]}]}]},{"$$mdtype":"Tag","name":"tbody","attributes":{},"children":[{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":["Wrong principal ARN"]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["Verify principal matches environment (Sandbox vs Production)"]}]},{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":["External ID not configured"]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["Configure External ID in both Palisade UI and trust policy"]}]},{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":["Unknown error"]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["Check CloudTrail logs for detailed error messages"]}]}]}]}]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":3,"id":"invalid-arn-format-in-palisade-ui","__idx":26},"children":["Invalid ARN format in Palisade 
UI"]},{"$$mdtype":"Tag","name":"div","attributes":{"className":"md-table-wrapper"},"children":[{"$$mdtype":"Tag","name":"table","attributes":{"className":"md"},"children":[{"$$mdtype":"Tag","name":"thead","attributes":{},"children":[{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"th","attributes":{"data-label":"Cause"},"children":["Cause"]},{"$$mdtype":"Tag","name":"th","attributes":{"data-label":"Solution"},"children":["Solution"]}]}]},{"$$mdtype":"Tag","name":"tbody","attributes":{},"children":[{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":["Entered S3 bucket ARN instead of IAM role ARN"]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["Use IAM Role ARN format: ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["arn:aws:iam::<account-id>:role/<name>"]}]}]},{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":["Invalid characters in role name"]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["Use only alphanumeric characters and ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["+=,.@_-"]}]}]}]}]}]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":3,"id":"pre-flight-validation-failures","__idx":27},"children":["Pre-flight validation failures"]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["When saving a backup configuration, you may see validation 
errors:"]},{"$$mdtype":"Tag","name":"div","attributes":{"className":"md-table-wrapper"},"children":[{"$$mdtype":"Tag","name":"table","attributes":{"className":"md"},"children":[{"$$mdtype":"Tag","name":"thead","attributes":{},"children":[{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"th","attributes":{"data-label":"Error"},"children":["Error"]},{"$$mdtype":"Tag","name":"th","attributes":{"data-label":"Cause"},"children":["Cause"]},{"$$mdtype":"Tag","name":"th","attributes":{"data-label":"Solution"},"children":["Solution"]}]}]},{"$$mdtype":"Tag","name":"tbody","attributes":{},"children":[{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":["\"Failed to assume role\""]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["Trust policy doesn't allow Palisade MPC service"]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["Check trust policy principal ARN"]}]},{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":["\"External ID mismatch\""]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["External ID in UI doesn't match trust policy"]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["Ensure External IDs match exactly"]}]},{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":["\"Access denied to bucket\""]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["Role lacks S3 permissions"]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["Check IAM role permission policy"]}]},{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":["\"KMS key access denied\""]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["Role lacks KMS permissions"]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["Add 
",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["kms:GenerateDataKey"]},", ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["kms:Encrypt"]}," to role"]}]}]}]}]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":3,"id":"public-key-validation-errors","__idx":28},"children":["Public key validation errors"]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":4,"id":"invalid-format-or-file-rejected-on-upload","__idx":29},"children":["Invalid format or file rejected on upload"]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["The UI validates public key files on upload. Common causes of rejection:"]},{"$$mdtype":"Tag","name":"div","attributes":{"className":"md-table-wrapper"},"children":[{"$$mdtype":"Tag","name":"table","attributes":{"className":"md"},"children":[{"$$mdtype":"Tag","name":"thead","attributes":{},"children":[{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"th","attributes":{"data-label":"Cause"},"children":["Cause"]},{"$$mdtype":"Tag","name":"th","attributes":{"data-label":"Solution"},"children":["Solution"]}]}]},{"$$mdtype":"Tag","name":"tbody","attributes":{},"children":[{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":["File is not a valid DER-encoded public key"]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["Ensure the file is RSA-4096 in DER format (PKIX/SubjectPublicKeyInfo)"]}]},{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":["File is PEM format with headers"]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["Use DER format, not PEM. 
Remove ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["-----BEGIN PUBLIC KEY-----"]}," headers"]}]},{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":["File contains invalid characters"]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["For hex-encoded files, ensure only hex characters (0-9, a-f)"]}]}]}]}]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":4,"id":"key-too-small-or-key-rejected-after-upload","__idx":30},"children":["Key too small or key rejected after upload"]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["This error means your public key is smaller than RSA-4096. Common causes:"]},{"$$mdtype":"Tag","name":"div","attributes":{"className":"md-table-wrapper"},"children":[{"$$mdtype":"Tag","name":"table","attributes":{"className":"md"},"children":[{"$$mdtype":"Tag","name":"thead","attributes":{},"children":[{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"th","attributes":{"data-label":"Cause"},"children":["Cause"]},{"$$mdtype":"Tag","name":"th","attributes":{"data-label":"Solution"},"children":["Solution"]}]}]},{"$$mdtype":"Tag","name":"tbody","attributes":{},"children":[{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":["Used RSA-2048 or smaller key size"]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["Generate RSA-4096 keys"]}]},{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":["File was truncated during transfer"]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["Re-generate or re-download the key file"]}]}]}]}]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":4,"id":"quick-diagnostic","__idx":31},"children":["Quick diagnostic"]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Run this command to check your key 
file:"]},{"$$mdtype":"Tag","name":"CodeBlock","attributes":{"data-language":"bash","header":{"controls":{"copy":{}}},"source":"file your-public-key.der && wc -c your-public-key.der\n","lang":"bash"},"children":[]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Expected output for valid RSA-4096 keys:"]},{"$$mdtype":"Tag","name":"CodeBlock","attributes":{"header":{"controls":{"copy":{}}},"source":"# Binary DER format (550 bytes):\nyour-public-key.der: data\n550 your-public-key.der\n\n# Hex-encoded format (1100 characters):\nyour-public-key.der: ASCII text, with very long lines, with no line terminators\n1100 your-public-key.der\n"},"children":[]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":2,"id":"wallet-recovery-process","__idx":32},"children":["Wallet recovery process"]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["For complete wallet recovery instructions, see the ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Palisade Wallet Recovery CLI"]}," documentation:"]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Repository"]},": https://github.com/palisadeinc/wallet-recovery-cli"]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["The recovery process involves:"]},{"$$mdtype":"Tag","name":"ol","attributes":{},"children":[{"$$mdtype":"Tag","name":"li","attributes":{},"children":["Downloading the encrypted backup from your S3 bucket"]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":["Using the ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["recover"]}," command with your recovery private key"]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":["Securely handling the recovered wallet private key"]}]},{"$$mdtype":"Tag","name":"Admonition","attributes":{"type":"danger","name":"Critical: Handle recovered keys with care"},"children":[{"$$mdtype":"Tag","name":"p","attributes":{},"children":["The recovered 
private key can irrevocably sign transactions affecting assets held by that wallet. Handle with extreme care and follow your organization's key management policies."]}]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":2,"id":"appendix-quick-reference","__idx":33},"children":["Appendix: Quick reference"]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":3,"id":"palisade-aws-account-ids","__idx":34},"children":["Palisade AWS account IDs"]},{"$$mdtype":"Tag","name":"div","attributes":{"className":"md-table-wrapper"},"children":[{"$$mdtype":"Tag","name":"table","attributes":{"className":"md"},"children":[{"$$mdtype":"Tag","name":"thead","attributes":{},"children":[{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"th","attributes":{"data-label":"Environment"},"children":["Environment"]},{"$$mdtype":"Tag","name":"th","attributes":{"data-label":"Account ID"},"children":["Account ID"]},{"$$mdtype":"Tag","name":"th","attributes":{"data-label":"MPC Service Principal"},"children":["MPC Service Principal"]}]}]},{"$$mdtype":"Tag","name":"tbody","attributes":{},"children":[{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":["Sandbox"]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["187316130931"]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"code","attributes":{},"children":["arn:aws:iam::187316130931:user/mpc-service"]}]}]},{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":["Production"]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["663932549156"]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"code","attributes":{},"children":["arn:aws:iam::663932549156:user/mpc-service"]}]}]}]}]}]}]},"headings":[{"value":"Wallet backup 
configuration","id":"wallet-backup-configuration","depth":1},{"value":"Architecture overview","id":"architecture-overview","depth":2},{"value":"Data structure","id":"data-structure","depth":3},{"value":"Prerequisites: Generate recovery key pairs","id":"prerequisites-generate-recovery-key-pairs","depth":2},{"value":"Key format requirements","id":"key-format-requirements","depth":3},{"value":"Option 1: Using the Palisade Wallet Recovery CLI (recommended)","id":"option-1-using-the-palisade-wallet-recovery-cli-recommended","depth":3},{"value":"Option 2: Using OpenSSL (manual generation)","id":"option-2-using-openssl-manual-generation","depth":3},{"value":"Verify your key files","id":"verify-your-key-files","depth":3},{"value":"Step 1: Create the S3 bucket","id":"step-1-create-the-s3-bucket","depth":2},{"value":"Step 2: Create the IAM role for S3 access","id":"step-2-create-the-iam-role-for-s3-access","depth":2},{"value":"Permission policy","id":"permission-policy","depth":3},{"value":"Trust relationship policy","id":"trust-relationship-policy","depth":3},{"value":"For sandbox environment (app.sandbox.palisade.co)","id":"for-sandbox-environment-appsandboxpalisadeco","depth":4},{"value":"For production environment (app.palisade.co)","id":"for-production-environment-apppalisadeco","depth":4},{"value":"Enhanced security with External ID (optional)","id":"enhanced-security-with-external-id-optional","depth":3},{"value":"Step 3: Configure in Palisade UI","id":"step-3-configure-in-palisade-ui","depth":2},{"value":"Pre-flight validation","id":"pre-flight-validation","depth":3},{"value":"ARN format reference","id":"arn-format-reference","depth":3},{"value":"Step 4: Advanced security configuration (optional)","id":"step-4-advanced-security-configuration-optional","depth":2},{"value":"Enable CloudTrail logging","id":"enable-cloudtrail-logging","depth":3},{"value":"Configure S3 Object Lock (for immutable 
backups)","id":"configure-s3-object-lock-for-immutable-backups","depth":3},{"value":"Security best practices checklist","id":"security-best-practices-checklist","depth":2},{"value":"Troubleshooting","id":"troubleshooting","depth":2},{"value":"Access denied errors","id":"access-denied-errors","depth":3},{"value":"Encryption errors","id":"encryption-errors","depth":3},{"value":"Role assumption failures","id":"role-assumption-failures","depth":3},{"value":"Invalid ARN format in Palisade UI","id":"invalid-arn-format-in-palisade-ui","depth":3},{"value":"Pre-flight validation failures","id":"pre-flight-validation-failures","depth":3},{"value":"Public key validation errors","id":"public-key-validation-errors","depth":3},{"value":"Invalid format or file rejected on upload","id":"invalid-format-or-file-rejected-on-upload","depth":4},{"value":"Key too small or key rejected after upload","id":"key-too-small-or-key-rejected-after-upload","depth":4},{"value":"Quick diagnostic","id":"quick-diagnostic","depth":4},{"value":"Wallet recovery process","id":"wallet-recovery-process","depth":2},{"value":"Appendix: Quick reference","id":"appendix-quick-reference","depth":2},{"value":"Palisade AWS account IDs","id":"palisade-aws-account-ids","depth":3}],"frontmatter":{"title":"Wallet backup configuration","seo":{"title":"Wallet backup configuration"}},"lastModified":"2026-02-27T16:34:32.000Z","pagePropGetterError":{"message":"","name":""}},"slug":"/products/wallet/user-interface/security-controls/wallet-backup-configuration","userData":{"isAuthenticated":false,"teams":["anonymous"]},"isPublic":true}