Your Recovery Kit, Explained

Your vault is protected by a random master key, and that master key is itself wrapped by a key derived from your master password (the encryption article covers this in detail). If you forget your master password, the normal unlock path is closed. The Recovery Kit exists for exactly this scenario. Below: what it is, how it works, and why it demands careful storage.

What the Recovery Kit Actually Is

The Recovery Kit is not a "hint" or a backup email address. It is your vault's master key itself, encoded in a portable text format.

Technically: RabbitKey generates a 32-byte (256-bit) master key for your vault. The Recovery Kit encodes this key using RFC 4648 Base32 without the trailing "=" padding (so the 32 bytes become exactly 52 characters), groups the resulting 52-character string into 13 groups of 4 characters, and prefixes it with RKRK- to identify it as a RabbitKey Recovery Kit.

The result is a 69-character code:

RKRK-XXXX-XXXX-XXXX-XXXX-XXXX-XXXX-XXXX-XXXX-XXXX-XXXX-XXXX-XXXX-XXXX

This code is exported as a .txt file.

Because it encodes the master key directly, possessing the Recovery Kit gives complete access to your vault — it bypasses master-password derivation entirely. That is its purpose, and also why it must be guarded as carefully as the master password itself.

How to Export Your Recovery Kit

  1. Open RabbitKey and go to Settings → Security
  2. Select Export Recovery Kit
  3. Verify your identity when prompted — enter your master password, or use biometrics if you have them configured
  4. Save the exported .txt file to a secure location

The verification step matters: it prevents someone who briefly accesses your unlocked app from silently exporting your Recovery Kit.

Where to Store It

The Recovery Kit must be treated with the same level of protection as your master password. Anyone who obtains it can restore your vault without knowing your master password.

Appropriate storage options:

  • Printed and stored in a locked physical location (safe deposit box, home safe)
  • Stored in a separate, strongly secured system that is not linked to your primary device
  • Provided to a trusted person through a structured arrangement (for example, a sealed envelope held by an attorney for estate access) — not handed over as plaintext, since whoever holds it can open your vault

Inappropriate storage:

  • In the same password manager you are backing up (circular dependency)
  • Unencrypted in a cloud folder without additional access control
  • In an email draft or notes app with weak or no authentication

How Recovery Works

When you restore from a Recovery Kit:

  1. You enter the 69-character RKRK-... code (or load the .txt file)
  2. RabbitKey decodes the Base32 payload to recover the 32-byte master key
  3. That key is used directly to decrypt the vault — no password derivation step is needed
  4. You may be prompted to set a login password for the restored account on this device

Because this path bypasses the password-based key derivation entirely, it works even if you have completely forgotten your master password.
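The encoding described under "What the Recovery Kit Actually Is" and the decode step above, as an added example rather than RabbitKey's own code: it formats a 32-byte key into the RKRK- layout the article specifies and parses a kit back into the key, rejecting truncated, mistyped or non-canonical codes (which also serves as the "confirm the code is complete" check in the Recommendations). Function names, the strictness choices and the sample key are assumptions, not part of RabbitKey.

```python
import base64
import re

# Format constants implied by the article: 32-byte key -> 52 unpadded Base32
# characters -> 13 groups of 4 -> "RKRK-" prefix, 69 characters in total.
PREFIX = "RKRK-"
KEY_BYTES = 32
PAYLOAD_CHARS = 52
GROUP_SIZE = 4
GROUPS = PAYLOAD_CHARS // GROUP_SIZE                     # 13
KIT_LENGTH = len(PREFIX) + PAYLOAD_CHARS + (GROUPS - 1)  # 69
BASE32_PAYLOAD = re.compile(r"[A-Z2-7]{52}")


def format_recovery_kit(master_key: bytes) -> str:
    """Encode a 32-byte master key as an RKRK-XXXX-...-XXXX Recovery Kit string."""
    if len(master_key) != KEY_BYTES:
        raise ValueError(f"master key must be {KEY_BYTES} bytes, got {len(master_key)}")
    # RFC 4648 Base32: 32 bytes give 52 data characters plus "====", which is dropped.
    payload = base64.b32encode(master_key).decode("ascii").rstrip("=")
    assert len(payload) == PAYLOAD_CHARS
    groups = [payload[i:i + GROUP_SIZE] for i in range(0, PAYLOAD_CHARS, GROUP_SIZE)]
    return PREFIX + "-".join(groups)


def parse_recovery_kit(text: str) -> bytes:
    """Validate a Recovery Kit (typed or read from the .txt file) and return the key."""
    # Tolerate line endings and whitespace from the .txt export, and lowercase typing.
    code = "".join(text.split()).upper()
    if not code.startswith(PREFIX):
        raise ValueError("not a RabbitKey Recovery Kit: missing RKRK- prefix")
    if len(code) != KIT_LENGTH:
        raise ValueError(f"expected {KIT_LENGTH} characters, got {len(code)}")
    groups = code[len(PREFIX):].split("-")
    if len(groups) != GROUPS or any(len(g) != GROUP_SIZE for g in groups):
        raise ValueError(f"expected {GROUPS} groups of {GROUP_SIZE} characters")
    payload = "".join(groups)
    if not BASE32_PAYLOAD.fullmatch(payload):
        # The Base32 alphabet contains no 0, 1 or 8, so these are transcription errors.
        raise ValueError("payload contains characters outside the Base32 alphabet")
    master_key = base64.b32decode(payload + "====")
    # b32decode silently discards the 4 trailing bits of the last character. A last
    # character whose trailing bits are not zero cannot have come from the exporter,
    # so insist on the canonical encoding by re-encoding and comparing.
    if base64.b32encode(master_key).decode("ascii").rstrip("=") != payload:
        raise ValueError("last character is not a canonical Base32 encoding")
    if len(master_key) != KEY_BYTES:
        raise ValueError("decoded key has the wrong length")
    return master_key


def kit_is_complete(text: str) -> bool:
    """The 'confirm the code is complete' check from the Recommendations."""
    try:
        parse_recovery_kit(text)
        return True
    except ValueError:
        return False


# Constructed sample key for demonstration only (NOT a real key): bytes 0x00..0x1f.
SAMPLE_KEY = bytes(range(KEY_BYTES))

if __name__ == "__main__":
    kit = format_recovery_kit(SAMPLE_KEY)
    print(kit)
    assert parse_recovery_kit(kit + "\n") == SAMPLE_KEY
    print("truncated kit accepted?", kit_is_complete(kit[:-5]))
```

The parser is deliberately strict: a kit that is one character short, contains a digit outside the Base32 alphabet, or ends in a non-canonical character is rejected rather than decoded to a wrong key, because a "successful" restore with a wrong key would only fail later when the vault cannot be decrypted.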

For the full step-by-step restore flow on a new device, see Restoring Your Vault on a New Device.

Biometric Unlock as an Alternative

If you have biometric unlock (Face ID / Touch ID) configured, you can regain access to your vault after forgetting your master password by using biometrics to unlock it. This is a lower-friction alternative to the Recovery Kit for everyday access, though it is subject to OS-level biometric security.

The Hard Limit: No Kit, No Biometrics, No Password

If you lose your master password and have not exported a Recovery Kit and do not have biometric unlock configured, your vault is permanently unrecoverable.

This is not a support escalation that RabbitKey can resolve: there is no server-side copy of your key and no account-reset mechanism. The design provides no path for third-party recovery, because any recovery path open to a support team would be equally open to an attacker who compromises that team or process.

This tradeoff is intentional and is the correct consequence of a local-first, no-account architecture. See Local-First Security Architecture & Threat Model for the broader context.

Recommendations

  • Export your Recovery Kit immediately after setting up your vault
  • Store it in a physically secure location, separate from your device
  • Understand that changing your master password does not rotate the master key, so a previously exported Recovery Kit stays valid indefinitely. If you believe a Recovery Kit has been exposed, treat it as a vault compromise — a new password will not invalidate the old kit
  • Before filing it away, confirm the .txt file opens and the code is complete (13 groups of 4 characters after the RKRK- prefix, 69 characters total)