Back up a wallet

This guide will walk you through how to create a backup of a Portal client's wallet.

Portal-Managed Backups

Portal lets you securely back up your users' MPC wallets so they can recover their wallets even if their device is lost or damaged. By default, Portal encrypts and stores both backup shares ("Portal-Managed Backups"):

The client backup share is encrypted on the user's device, with the encryption key stored using their chosen backup method (Google Drive, iCloud, Password, or Passkey). The encrypted share is then stored by Portal.
The custodian backup share is encrypted and stored by Portal, with the encryption key stored in our KMS infrastructure.

By default, Portal manages storing both the encrypted client backup share and the custodian backup share for you. If you prefer to store and manage the backup shares in your own infrastructure instead of using Portal-Managed Backups, see our Self-Managed Backups guide.

Both the client backup share and the custodian backup share are necessary to recover a Portal wallet.

Backup Methods

You can choose one or more backup methods for storing the encryption key for the client backup share.

Passkey + Enclave

Allow customers to create a native passkey on their device that is used to authenticate into a secure enclave that holds the encryption key for the user. Customer's passkeys are backed up to the native cloud storage for their device.

Implementation Requirements

Initialize passkey storage as a backup option in the Portal Config Object.
Configuring the relying party

Use Portal as your relying party

Add portalhq.io as a web credential domain in your app.
Share your app bundle id with the Portal Team.

Use your own domain as the relying party

Ensure you have set up your associate domain correctly in your app and that you are serving an aasa file from whatever your relying party domain is set to. You will need to be sure you have the webcredential field set properly for your app in your aasa file.

Resources from apple:

Relying party

A relying party is a trusted domain that is tied to the public key credentials of your users for their passkey . We offer the option to use portalhq.io as your relying party domain. It requires you to add portalhq.io as an Associated Domain in your iOS application and share your team id + application bundle id. If you already have your domain as a webcredential for your application then you can simply pass in your domain as the relying party and everything should work.

  // Run backup.
  let (
    encryptedClientBackupShare,
    storageCallback
  ) = try await portal.backupWallet(.Passkey) { status in
    // (Optional) Create a progress indicator here in the progress callback.
  }

  // Your API URL
  let yourApiUrl: String = "https://YOUR_API_URL.com"
      
  // Run backup.
  let (
    encryptedClientBackupShare,
    storageCallback
  ) = try await portal.backupWallet(.Passkey) { status in
    // (Optional) Create a progress indicator here in the progress callback.
  }
      
  // Obtain your API's URL for storing the encrypted user backup share.
  guard let url = URL(string: "\(yourApiUrl)/users/\(userId)/store-encrypted-user-backup-share") else {
    throw URLError(.badURL)
  }

  // Store the encrypted user backup share on your API.
  let requests = PortalRequests()
  try await requests.post(
    url,
    andPayload: [
      "backupMethod": withMethod.rawValue,
      "encryptedClientBackupShare": encryptedClientBackupShare,
    ]
  )

  // Call the storageCallback to notify Portal you stored the user backup share successfully.
  try await storageCallback()
  
  // ✅ The user has now backed up with their passkey successfully

Password/PIN

Allow customers to create a password/pin. Customers can either remember the password or store it in a password storage manager.

Implementation Requirements

Create a UI for password input.
Enforce password requirements. Customer can choose between password, PIN code, passcode, or any other text-based input.
If user forgets password there are no additional recovery options.

  // Set the user's password.
  try portal.setPassword("THE-USER-PASSWORD")
  
  // Run backup.
  let (
    encryptedClientBackupShare,
    storageCallback
  ) = try await portal.backupWallet(.Password) { status in
    // (Optional) Create a progress indicator here in the progress callback.
  }

  // Your API URL
  let yourApiUrl: String = "https://YOUR_API_URL.com"
    
  // Set the user's password.
  try portal.setPassword("THE-USER-PASSWORD")
      
  // Run backup.
  let (
    encryptedClientBackupShare,
    storageCallback
  ) = try await portal.backupWallet(.Password) { status in
    // (Optional) Create a progress indicator here in the progress callback.
  }
      
  // Obtain your API's URL for storing the encrypted user backup share.
  guard let url = URL(string: "\(yourApiUrl)/users/\(userId)/store-encrypted-user-backup-share") else {
    throw URLError(.badURL)
  }

  // Store the encrypted user backup share on your API.
  let requests = PortalRequests()
  try await requests.post(
    url,
    andPayload: [
      "backupMethod": withMethod.rawValue,
      "encryptedClientBackupShare": encryptedClientBackupShare,
    ]
  )

  // Call the storageCallback to notify Portal you stored the user backup share successfully.
  try await storageCallback()
  
  // ✅ The user has now backed up with their password successfully

iCloud

See the docs on how to configure iCloud.

For the iCloud action handling:

  // Run backup.
  let (
    encryptedClientBackupShare,
    storageCallback
  ) = try await portal.backupWallet(.iCloud) { status in
    // (Optional) Create a progress indicator here in the progress callback.
  }

  // Your API URL
  let yourApiUrl: String = "https://YOUR_API_URL.com"
    
  // Set the user's password.
  try portal.setPassword("THE-USER-PASSWORD")
      
  // Run backup.
  let (
    encryptedClientBackupShare,
    storageCallback
  ) = try await portal.backupWallet(.iCloud) { status in
    // (Optional) Create a progress indicator here in the progress callback.
  }
      
  // Obtain your API's URL for storing the encrypted user backup share.
  guard let url = URL(string: "\(yourApiUrl)/users/\(userId)/store-encrypted-user-backup-share") else {
    throw URLError(.badURL)
  }

  // Store the encrypted user backup share on your API.
  let requests = PortalRequests()
  try await requests.post(
    url,
    andPayload: [
      "backupMethod": withMethod.rawValue,
      "encryptedClientBackupShare": encryptedClientBackupShare,
    ]
  )

  // Call the storageCallback to notify Portal you stored the user backup share successfully.
  try await storageCallback()
  
  // ✅ The user has now backed up with their iCloud successfully

Google Drive

See the docs on how to configure GDrive.

After initializing Portal, you will need to configure the following:

  // Set GDrive Configuration
  try portal.setGDriveConfiguration(
        clientId: "your-google-client-id",
        backupOption: .appDataFolder
  )
    
  // Set the GDrive presenting view
  try portal.setGDriveView(self)

setGDriveConfiguration function parameters:

clientId: The client ID for the Google Drive integration.
backupOption: An option from the GDriveBackupOption enum that specifies the backup storage type:
- appDataFolder: Stores backups in the hidden, app-specific "App Data Folder" in Google Drive. This folder is not visible to the user.
- appDataFolderWithFallback: Attempts to store backups and recover using the "App Data Folder". If recover fails, it automatically falls back to a user-visible Google Drive.
- gdriveFolder(folderName: String): Stores backups in a user-visible folder in Google Drive with the specified folderName.

setGDriveView function parameters:

view: A UIViewController instance that will be used to present Google Drive UI components.

For the GoogleDrive action handling:

  // Run backup.
  let (
    encryptedClientBackupShare,
    storageCallback
  ) = try await portal.backupWallet(.GoogleDrive) { status in
    // (Optional) Create a progress indicator here in the progress callback.
  }

// Your API URL
  let yourApiUrl: String = "https://YOUR_API_URL.com"
    
  // Set the user's password.
  try portal.setPassword("THE-USER-PASSWORD")
      
  // Run backup.
  let (
    encryptedClientBackupShare,
    storageCallback
  ) = try await portal.backupWallet(.GoogleDrive) { status in
    // (Optional) Create a progress indicator here in the progress callback.
  }
      
  // Obtain your API's URL for storing the encrypted user backup share.
  guard let url = URL(string: "\(yourApiUrl)/users/\(userId)/store-encrypted-user-backup-share") else {
    throw URLError(.badURL)
  }

  // Store the encrypted user backup share on your API.
  let requests = PortalRequests()
  try await requests.post(
    url,
    andPayload: [
      "backupMethod": withMethod.rawValue,
      "encryptedClientBackupShare": encryptedClientBackupShare,
    ]
  )

  // Call the storageCallback to notify Portal you stored the user backup share successfully.
  try await storageCallback()
  
  // ✅ The user has now backed up with their Google Drive successfully

App Data Folder vs. GDrive Files

App Data Folder: A hidden, app-specific storage area that is not visible to the user in their Google Drive interface. This is ideal for sensitive data or configurations that the user doesn't need to manage directly.
Google Drive Files: A visible folder in the user's Google Drive, accessible and manageable by the user. This is suitable for backups the user might want to view, share, or organize manually.

The App Data Folder feature is supported starting from SDK version 4.2.0. If you enable this feature, ensure that you do not use any SDK version older than 4.2.0, as it will result in the loss of App Data Folder backups.

Related Documentation

PreviousSimulate a transaction NextRecover a wallet

Last updated 2 months ago

Was this helpful?