Hej ShellBack to Home

Recovery Key

Recover your data when you forget your vault password

What is a Recovery Key?

A recovery key is the only way to recover your encrypted SSH connection data if you forget your vault password. While your login password can be reset via email, vault encrypted data cannot be recovered without the recovery key.

  • 16-character code in XXXX-XXXX-XXXX-XXXX format
  • Issued after setting up vault password on first desktop app login
  • Essential for recovering encrypted data when vault password is lost
  • A new recovery key is issued when vault password is reset

Why Do You Need a Recovery Key?

HejShell uses end-to-end encryption (E2EE) to protect your SSH connection data (hosts, passwords, keys, etc.).

  • All connection data is encrypted with a DEK (Data Encryption Key)
  • The DEK is encrypted with your vault password and stored on the server
  • If you lose your vault password, the DEK cannot be decrypted and data becomes inaccessible
  • The recovery key stores a separate encrypted copy of the same DEK

How Recovery Key Works

The recovery key is a backup key that can decrypt the DEK independently from your vault password.

  1. A DEK (Data Encryption Key) is generated when you set up your vault password
  2. The DEK is encrypted with your vault password and stored
  3. The same DEK is also encrypted with the recovery key and stored separately
  4. Even if you forget your vault password, you can decrypt the DEK with the recovery key to recover your data

🚨 Critical Warning

If you lose your recovery key and forget your vault password, all stored SSH connection data will be permanently lost.

  • Even HejShell servers cannot recover data without the recovery key (end-to-end encryption)
  • Never store your recovery key online
  • Keep your recovery key in a safe offline location

How to Find Your Recovery Key

A recovery key is issued each time you set up or reset your vault password. Once you leave the screen, it cannot be viewed again, so make sure to save it in a safe place.

  1. Vault password setup screen is shown on first desktop app login
  2. Recovery key screen appears after vault password is set
  3. Copy or download the recovery key
  4. Check the confirmation box and hold the button for 5 seconds
  5. Store it safely offline

How to Use Recovery Key

You can recover your encrypted data with the recovery key if you forget your vault password.

  1. Go to the vault password input screen in the desktop app
  2. Click 'Forgot Password?'
  3. Enter the recovery key in XXXX-XXXX-XXXX-XXXX format
  4. Set a new vault password
  5. A new recovery key will be issued (save it securely)
  6. Your SSH connection data is preserved and ready to use

⚠️ Recovery Key Reissue

When you reset your vault password, a new recovery key is issued.

  • The old recovery key will no longer work
  • Be sure to save the new recovery key securely
  • Dispose of the old recovery key

⚠️ Forgot Vault Password Without Recovery Key

Without the recovery key, encrypted data cannot be recovered. You can reset your login password via email, but vault data will be reset.

  • Login password can be reset via email
  • However, all previously stored SSH connection data will be deleted
  • Start fresh with a new vault password and recovery key

Best Practices for Storing Recovery Key

  • Write it on paper and store in a safe
  • Save it in a password manager
  • Store copies in multiple locations
  • Never save as plain text in email or cloud storage
  • Update with new recovery key after vault password reset

💡 Tips

  • The recovery key is in XXXX-XXXX-XXXX-XXXX format (uppercase letters + numbers)
  • Enter it exactly including the hyphens (-)
  • Case is not sensitive
  • A new recovery key is issued when vault password is reset, so be sure to update it

Need Help?

If you have issues with your recovery key, feel free to contact us. Note that encrypted data recovery is impossible if the recovery key is lost. dev@hej.ai.kr

Hej Shell | Hej Shell