The encryption key is a private key c created using random entropy on the user's device when they create an account or log in. This key cannot be used to authenticate the user to any service and cannot be used to move funds of tokens or modify any on-chain or off-chain assets or data. The encryption key is only used to encrypt and decrypt data on the client side from the sovereign storage vault backup service. In this way, the security of the user is protected even if the key recovery service network acts maliciously in consensus (very unlikely as many entities need to conspire and lie in synchronised secret).

The recovery protocol uses Shamir’s secret sharing to split the encryption key into multiple shards on the user’s device and send each show to a different service provider. Service providers use the user’s DID and authentication ( a different key) to verify the request comes from the correct account and then save the data. If the user loses their encryption key, they must go through account recovery to recover their authentication and then can request that the encryption key be recent to them.