Skip to main content
This guide covers how to migrate or replicate your wallet infrastructure for incident response, provider migration, and wallet backups.

Why Turnkey for Enterprise Disaster Recovery?

Turnkey provides a secure foundation for enterprise disaster recovery that eliminates the tradeoffs between security and operability. Our approach combines secure enclaves, end-to-end encryption, and programmable policies to ensure recovery material is protected at rest, in transit, and during use.

Core principles

Bulleted list of key components to keep in mind for this solution:
  • End-to-end encryption: All key import material is encrypted directly to Turnkey’s secure enclave using HPKE (Hybrid Public Key Encryption). The plaintext never exists outside the enclave boundary.
  • Zero exposure during import: When importing wallets or private keys, the material is encrypted on the user’s device before transmission. Turnkey’s infrastructure only ever sees encrypted blobs.
  • Cryptographic audit trail: Every recovery operation during transmission and import is cryptographically stamped, ensuring that recoveries can not be tampered with along the way.
  • Policy-based guardrails: Turnkey’s policy engine restricts what recovered wallets can do, like limiting fund movement to allowed addresses or requiring multiple approvals from your organization.

Direct Import Flow

turnkey enclave secure wallet import ceremony

How to Get Started on Enterprise Disaster Recovery with Turnkey

  1. Secure organization setup and recovery policies: Create your Turnkey org, configure the root quorum, and define recovery policies.
  2. Set up the Turnkey SDK: Integrate React Wallet Kit or @turnkey/sdk-server into your application.
  3. Import wallets: Use handleImportWallet() to import wallet keys into Turnkey’s secure enclave.
  4. Sweep funds to a treasury: Execute policy-controlled fund movement to approved addresses.

Use Cases

NeedConfiguration
A key holder becomes unavailable or a hardware wallet fails, requiring immediate recovery of treasury assets.Treasury recovery: Import wallet keys into Turnkey’s secure enclave with quorum-controlled access and policy-restricted fund sweeping.
Migrating from another key management provider with no plaintext exposure during transit.Provider migration: Encrypt keys to Turnkey’s secure enclave on a hardened machine, import directly with full policy controls inherited immediately.
Operations need to continue even if a primary signer or infrastructure goes down.Redundancy and failover: Import backup copies of critical wallet keys into Turnkey so a secondary signing path is always available.

1. Secure Organization Setup and Recovery Policies

Create a Turnkey organization and establish the security foundation for recovery operations:
  • Create dedicated recovery users with specific, limited permissions
  • Configure the Root Quorum to require multiple approvers for sensitive operations
    • Require quorum approval for high-value operations to prevent any single person from unilaterally moving recovered funds. This ensures no single credential compromise can trigger unauthorized recovery. See Policy overview for setup guidance.
{
  "policyName": "DR-Sweep-Only-Policy",
  "effect": "EFFECT_ALLOW",
  "condition": "activity.type == 'ACTIVITY_TYPE_SIGN_TRANSACTION_V2' && eth.tx.to in ['<SAFE_TREASURY_1>', '<SAFE_TREASURY_2>']",
  "consensus": "approvers.any(user, user.id == '<DR_AUTOMATION_USER_ID>')"
}
  • Distribute authenticators (passkeys, YubiKeys) across geographic locations if possible
  • Define policies that restrict what can be done with recovered wallets. For example, limit fund sweeping to pre-approved treasury addresses only:

2. Set up the Turnkey SDK

Integrate Turnkey into your application to enable wallet import and recovery operations. The React Wallet Kit provides a drop-in component that handles the entire import flow, including encryption and secure transport. 

import { TurnkeyProvider } from "@turnkey/react-wallet-kit";

const turnkeyConfig = {
  organizationId: process.env.NEXT_PUBLIC_ORGANIZATION_ID!,
  authProxyConfigId: process.env.NEXT_PUBLIC_AUTH_PROXY_CONFIG_ID!,
};

export function Providers({ children }: { children: React.ReactNode }) {
  return (
    <TurnkeyProvider config={turnkeyConfig}>
      {children}
    </TurnkeyProvider>
  );
}
For server-side recovery operations, use the @turnkey/sdk-server package.

3. Import Wallets

Use handleImportWallet() to import wallet keys into Turnkey’s secure enclave. Behind the scenes, the SDK encrypts the mnemonic or private key to Turnkey’s enclave public key using HPKE (Hybrid Public Key Encryption), transmits the encrypted bundle, and the enclave decrypts and stores the key material. Plaintext key material never leaves the user’s device. 
const handleImportWallet = async () => {
  const defaultWalletAccounts = ["ADDRESS_FORMAT_ETHEREUM", "ADDRESS_FORMAT_SOLANA"];

  await turnkey.handleImportWallet({
    defaultWalletAccounts,
    successPageDuration: 5000,
  });
};

4. Sweep funds to treasury

With policies in place, execute fund movement to approved treasury addresses. See example for sweep native ETH 
const txStatusId = await apiClient.ethSendTransaction({
  transaction: {
    from: "<RECOVERED_WALLET_ADDRESS>",
    to: "<SAFE_TREASURY_ADDRESS>",
    caip2: "eip155:1",
    value: "<SWEEP_AMOUNT_IN_WEI>",
    data: "0x",
  },
});

const result = await apiClient.pollTransactionStatus({
  sendTransactionStatusId: txStatusId,
});
All fund movements are logged with cryptographic signatures, providing a complete audit trail of the recovery operation.

The Result: Enterprise-grade Key Recovery

Turnkey transforms enterprise disaster recovery from a high-risk, manual operation into a secure, verifiable process. Import wallet keys directly into Turnkey’s secure enclave and gain immediate operational capability with full policy controls:
  • Cryptographic guarantees: Key material is protected by secure enclaves and end-to-end encryption
  • Organizational controls: Quorum policies prevent unilateral action on sensitive operations
  • Operational flexibility: Support for all major chains and key types through a unified interface
  • Audit compliance: Every operation is logged with cryptographic signatures

Resources

Explore the complete implementation in our GitHub ‘Disaster Recovery’ example.