# Recover a cold vault

Use this page to plan recovery for a cold vault workstation or cold bridge deployment.

Critical operation
Recovering a cold vault is a high-control operation. Use dual-control access, document each action, and follow your KMS or HSM vendor recovery procedures.

## Recovery model

The cold bridge and vault software are stateless. The online Ripple Custody environment manages vault state, accounts, and transaction history. The cold vault workstation must be rebuilt with the same vault configuration and access to the same protected key material.

Do not register a new vault to recover an existing cold vault. Rebuild the cold bridge and vault stack with the original vault configuration.

## What to protect

| Asset | Why it matters |
|  --- | --- |
| KMS or HSM key material | Required for the recovered vault to sign with the same keys. |
| Vault configuration | Required to redeploy the same vault rather than a new vault. |
| Vault UUID and public key | Required to match the existing vault entity in Ripple Custody. |
| Cold bridge payload passphrase, if used | Required to decrypt or encrypt payload files consistently between the online system and the air-gapped workstation. |
| Operational records | Needed to prove chain of custody for recovery actions. |


## Recovery procedure

### Step 1: Prepare replacement hardware

1. Provision replacement hardware that meets [Cold vault workstation planning](/products/custody/deployment/planning/cold-vault-workstation).
2. Verify the air-gap controls.
3. Install and harden the operating system.
4. Prepare approved transfer media.


### Step 2: Restore KMS or HSM access

If the original KMS or HSM is available, reconnect it according to your operating procedure. If it is lost or damaged, follow your KMS or HSM vendor recovery process before restarting cold vault operations.

### Step 3: Redeploy cold bridge and vault

1. Deploy the cold bridge and vault stack with the same configuration as the original deployment.
2. Use the original vault UUID and public key.
3. Configure the same payload encryption passphrase, if payload encryption is enabled.
4. Start the cold bridge and vault components.


Verify the cold bridge:


```sh
curl -X GET "{ColdBridgeURL}/v1/feed/status"
```

### Step 4: Verify operation

Perform a test export, sign, and import cycle:

1. Export pending operations from the online environment.
2. Transfer the `.dat` file to the air-gapped workstation.
3. Decode and review the payload.
4. Sign with the cold vault.
5. Transfer the signed `.dat` file back to the online environment.
6. Import the signed operations.
7. Verify that the affected account, transaction, or manifest continues processing.


## Preventive checklist

Maintain:

- Offline copy of vault deployment configuration.
- Offline copy of cold bridge configuration.
- Vault UUID and public key records.
- KMS or HSM backup and recovery procedure.
- Payload encryption passphrase backup, if used.
- A tested recovery runbook.


## Related topics

- [Cold vaults](/products/custody/identity-and-access/vault-management/cold-vaults)
- [Deploy a cold bridge](/products/custody/deployment/install/cold-bridge-deployment)
- [Process cold vault operations with the API](/products/custody/identity-and-access/vault-management/cold-vault-setup-api)
- [Back up, restore, and recover](/products/custody/operations-and-maintenance/backup-and-restore)