AboutHTTP APITypescript SDKAppCrypto PaymentsTusky Encryption

User Private Key backup & recovery

To encrypt/decrypt data in Tusky, user needs to provide their User Key Pair.

User Key Pair is generated on the client side upon first login, ensuring it is never visible to Tusky server in an unencrypted form. However, for convenience, users can back up their User Private Key with a password or backup phrase and store it encrypted on Tusky server for easier retrieval.

Using PasswordCopied!

On each login the encrypted User Private Key is decrypted using user provided password.

Backing up User Private Key with the password

  • the user authenticates

  • the user provides the password for the first time

  • User Key Pair is generated

  • the random salt is generated

  • the AES key is derived from password & salt by using PBKDF2

  • User Private Key is encrypted with the AES key and stored encrypted on Tusky server along with the salt

Retrieving User Private Key with the passwordCopied!

  • the user authenticates & retrieves encrypted User Private Key along with the salt from Tusky server

  • the user provides the password

  • the AES key is derived from password & salt by using PBKDF2

  • User Private Key is decrypted with the AES key

Using Backup PhraseCopied!

In addition to the password, users can back up their User Private Key using a backup phrase.

The 24-word backup phrase is generated following BIP-39 standard, a method for generating a human-readable mnemonic sentence from a random number.

If the user forgets their password, the backup phrase allows them to regain access to their encrypted data.

Backing up User Private Key with the backup phraseCopied!

  • the user authenticates

  • the backup phrase is generated

  • the seed is generated from the backup phrase

  • the recovery key is derived from the seed

  • User Private Key is encrypted with the recovery key and stored encrypted on Tusky server as backup

Retrieving User Private Key with the backup phraseCopied!

  • the user authenticates & retrieves encrypted User Private Key backup from Tusky server

  • the user provides the backup phrase

  • the seed is generated from the backup phrase

  • the recovery key is derived from the seed

  • User Private Key is decrypted with the recovery key

End-to-end encryption means that the User Private Key remains encrypted on the server, and the Tusky team does not have access to it be

© 2025 Zero Knowledge Collective