> ## Documentation Index
> Fetch the complete documentation index at: https://docs.turnkey.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Enterprise Disaster Recovery

> Import and recover wallets with strict access controls. 

This guide covers how to backup your wallets on Turnkey for incident response, provider migration,
and wallet backups.

## Why Turnkey for Enterprise Disaster Recovery?

Turnkey provides a secure foundation for disaster recovery. Our approach combines
[secure enclaves](/security/secure-enclaves), end-to-end encryption, and
[programmable policies](/concepts/policies/overview) to ensure recovery material is protected at
rest, in transit, and during use.

## Core principles

* **End-to-end encryption:** All key import material is encrypted directly to Turnkey's secure
  enclave using [HPKE (Hybrid Public Key Encryption)](/security/enclave-secure-channels). The
  plaintext never exists outside the enclave boundary.
* **Cryptographic audit trail:** Every recovery operation during transmission and import is
  cryptographically stamped, ensuring that recoveries can not be tampered with along the way.
* **Policy-based guardrails:** Turnkey’s [policy engine](/concepts/policies/overview) restricts how
  wallets are accessed, like limiting fund movement to allowed addresses or requiring multiple
  approvals from your organization.

## Direct Import Flow

<Frame>
  <img src="https://mintcdn.com/turnkey-0e7c1f5b/O0eHJyArty3qEnge/images/key-management/enterprise-disaster-recovery.png?fit=max&auto=format&n=O0eHJyArty3qEnge&q=85&s=a592325675e76a521a72eba2ed9ee2e8" alt="turnkey enclave secure wallet import ceremony" width="2160" height="1215" data-path="images/key-management/enterprise-disaster-recovery.png" />
</Frame>

## How to Get Started on Enterprise Disaster Recovery with Turnkey

1. **Secure organization & policy setup**: Create your Turnkey org, configure the root quorum, and
   define recovery policies.
2. **Set up the Turnkey SDK**: Integrate
   [React Wallet Kit](/sdks/react/using-embedded-wallets#importing-and-exporting-wallets) or
   [@turnkey/sdk-server](/embedded-wallets/code-examples/import#nodejs) into your application.
3. **Import wallets**: Use handleImportWallet() to import wallet keys into Turnkey's secure enclave.

## **Use Cases**

| Need                                                                                                          | Configuration                                                                                                                                            |
| :------------------------------------------------------------------------------------------------------------ | :------------------------------------------------------------------------------------------------------------------------------------------------------- |
| A key holder becomes unavailable or a hardware wallet fails, requiring immediate recovery of treasury assets. | **Treasury recovery**: Import wallet keys into Turnkey's secure enclave with quorum-controlled access and policy-restricted fund sweeping.               |
| Migrating from another key management provider with no plaintext exposure during transit.                     | **Provider migration**: Encrypt keys to Turnkey's secure enclave on a hardened machine, import directly with full policy controls inherited immediately. |
| Operations need to continue even if a primary signer or infrastructure goes down.                             | **Redundancy and failover**: Import backup copies of critical wallet keys into Turnkey so a secondary signing path is always available.                  |

### 1. Secure Organization Setup and Recovery Policies

Create a [Turnkey organization](https://app.turnkey.com/dashboard/auth/initial) and establish the
security foundation for recovery operations:

* Create dedicated recovery users with specific, limited permissions

* Configure the [Root Quorum](/concepts/users/root-quorum) to require multiple approvers for
  sensitive operations
  * Require [quorum approval](/concepts/users/root-quorum) for high-value operations to prevent any
    single person from unilaterally moving recovered funds. This ensures no single credential
    compromise can trigger unauthorized recovery. See [Policy overview](/concepts/policies/overview)
    for setup guidance.

* Distribute authenticators ([passkeys](/authentication/passkeys/introduction), YubiKeys) across
  geographic locations if possible

* Define [policies](/concepts/policies/examples/signing-control) that restrict what can be done with
  recovered wallets.

### 2. Set up the Turnkey SDK

Integrate Turnkey into your application to enable wallet import and recovery operations. The
[NodeJS server SDK](https://github.com/tkhq/sdk/tree/main/examples/import-in-node) is well oriented
to handle the entire import flow, including encryption and secure transport.

```ts theme={"system"}
import { Turnkey } from "@turnkey/sdk-server";
import { encryptPrivateKeyToBundle, encryptWalletToBundle } from "@turnkey/crypto";

const initResult = await turnkeyClient.apiClient().initImportWallet({
  userId,
});

const walletBundle = await encryptWalletToBundle({
  mnemonic,
  importBundle: initResult.importBundle,
  userId,
  organizationId,
});
```

### 3. Import Wallets

Use [importWallet()](/generated-docs/core/turnkey-client-import-wallet) to import wallet keys into
Turnkey's secure enclave. In the last step the SDK encrypts the mnemonic or private key to Turnkey's
enclave public key using [HPKE (Hybrid Public Key Encryption)](/security/enclave-secure-channels),
and now transmits the encrypted bundle. The enclave decrypts and stores the key material.

```ts theme={"system"}
const walletImportResult = await turnkeyClient.apiClient().importWallet({
  userId: userId,
  walletName: "Your imported wallet!",
  encryptedBundle: walletBundle,
  accounts: [],
});
```

All fund movements are logged with cryptographic signatures, providing a complete audit trail of the
recovery operation.

## The Result: Enterprise-grade Key Recovery

Turnkey transforms enterprise disaster recovery from a high-risk, manual operation into a secure,
verifiable process. Import wallet keys directly into Turnkey's secure enclave and gain immediate
operational capability with full policy controls:

* **Cryptographic guarantees**: Key material is protected by secure enclaves and end-to-end
  encryption
* **Organizational controls**: Quorum policies prevent unilateral action on sensitive operations
* **Operational flexibility**: Support for all major chains and key types through a unified
  interface
* **Audit compliance**: Every operation is logged with cryptographic signatures

## Resources

Explore the complete implementation in our
[GitHub 'Disaster Recovery' example](https://github.com/tkhq/sdk/tree/main/examples/disaster-recovery).

* [Import Wallets Guide](/wallets/import-wallets)
* [Export Wallets Guide](/wallets/export-wallets)
* [Root Quorum Configuration](/concepts/users/root-quorum)
* [Secure Enclaves Overview](/security/secure-enclaves)
* [Enclave Secure Channels](/security/enclave-secure-channels)