Provides backups of private keys and persona information
Switch branches/tags
Nothing to show
Clone or download
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Failed to load latest commit information.

Key Backup Service


Provides backups of private keys and basic persona information - enough to reconstruct your messenger experience on another device.

Uses an email address as your unique id, and a hopefully semi-strong text password.

This service is intended as a stop-gap until more energy can be put into a robust key backup architecture.


For each account being backed up, the effective server directory structure is

/<email address>
    /user.json - { email: , password: { type:, hash: } }
        /<persona id>.zip (suggested layout below...)


POST /accounts

Creates a new account for an email address that has not been registered yet.  Email is case-insensitive.
Request body: { email:, password: }
Response 409: email already registered, try again or reset password

POST /personas/<persona id>

Basic authentication required
Request body: Zip file of persona

GET /personas

Authentication required
Response body: { personas:[ "<persona id>",... ] }

GET /personas/<persona id>

Authentication required
Response body: Zip file
Response 410: Zip file doesn't exist

DELETE /personas/<persona id>

Authentication required
Response 200: When deleted or file doesn't exist

PUT /password/reset

Request body: { email: <email address> }
Response 200: Email sent with code if recognized, otherwise ignored

GET /password/reset/<email>

Alternative to PUT method above to ease testing with a browser.
Response 200: Email sent with code if recognized, otherwise ignored

GET /password/reset.html?email=<email>&code=<code>

Query string parameters:
	 email: email address of account to reset password
	 code: challenge code to provide to server
 Response: HTML page that provides a form for the user to create a new password and submit back to server.

POST /password/reset

Request body: { email:, code:, new_password: }
Response 409: code doesn't match expected, try again 

General responses:

  • 200 - Success
  • 400 - Bad request; The server cannot or will not process the request due to an apparent client error (e.g., malformed request syntax, size too large)
  • 401 - Authorization missing or invalid
  • 5xx - Server problems

Configuring AWS

  1. Create S3 bucket:

    • Bucket name:
    • Region: US West (Oregon) "Create Bucket"
  2. Create Lambda Execution Role:

    • IAM service...

    • Roles...

    • Type: Lambda

    • Name: lambda-keyBackupService-execution-role

    • Add policy names:

      • AwsLambdaFullExecute
    • "Create Role"

    • Add inline policy:

      • Name: keybackups-s3-policy

             "Version": "2012-10-17",
             "Statement": [
                     "Sid": "VisualEditor0",
                     "Effect": "Allow",
                     "Action": [
                     "Resource": "*"
                     "Sid": "VisualEditor1",
                     "Effect": "Allow",
                     "Action": "s3:*",
                     "Resource": [
    • Add another inline policy to allow SES/email

      • Name: keybackups-SES-policy

  3. Create Lambda function:

    • Name: keyBackupService
    • Runtime: Node.js 8.10
    • Role: lambda-keyBackupService-execution-role
    • "Create"
    • Update index.handler to lambda.handler
    • "Save"
  4. Create API Gateway for lambda function

    • API Gateway service...
    • "Create API"...
    • New API
    • API Name: keyBackupService
    • Endpoint type: Regional
    • "Create"
    • Select newly created API which shows submenu with Resource...
    • Select "Resources"
    • Action: "Create Resource"
      • Checkmark "Configure as proxy resource"
      • Checkmark "Enable API Gateway CORS"
      • "Create Resource"
    • Edit newly created "ANY" resource
      • Lambda Function: keyBackupService
      • "Save"
    • Select "Resources"
    • Create ACM Certificate for a custom domain name
      • Certificate Manager...
      • Change to US-WEST-1 (Oregon)
      • Create certification for domain name...
    • "Custom Domain Names"
      • "Create Custom Domain Name"
      • Domain Name:
      • Endpoint Configuration: Regional
      • ACM Certificate: (the one created above)
      • "Create"
      • "Edit"
      • Add custom domain name
      • Path: /
      • Destination: keyBackupService:prod
      • "Save"
      • Copy Target domain name: i.e.
    • Route 53
      • "Create Record Set"
      • Name: keybackups
      • Type: CNAME
      • Alias: No
      • Value: i.e.
      • "Create"
    • Binary Media Types
      • Select keyBackupService, "Settings"
      • Add these Binary Media Types:
        • application/octet-stream
        • application/zip