Skip to content

Backups in Ripple Custody have two distinct scopes:

  • Platform state backups protect operational state such as PostgreSQL data, configuration, request state, events, and recovery metadata.
  • Vault and KMS backups protect the key material or key shares required to recover signing capability.

Do not treat one scope as a substitute for the other. Restore planning must account for both platform state and vault key material.

What to back up

Backup scopeWhat it protectsWhere to go
PostgreSQL databasePlatform source of truth, including state used by accounts, transactions, requests, and events.Database planning, Resilience planning
Anti-rewind file and state review authority processState recovery and rollback protection.Recover anti-rewind file, Register a key
HSM-backed vault key materialHSM-protected master seed or wrapped seed material, depending on the KMS integration.The relevant KMS integration guide under Integrate a KMS
MPC-backed vault key materialCustomer-held encrypted MPC backups and validation artifacts.MPC backups
Cold vault operation payloadsOffline cold-vault operation exchange files and signing workflow material.Cold vaults, Cold vault API operations, Cold vault UI operations

For vault-level key strategy context, see Vaults.

Backup procedures

Use this section to route operators to the correct backup procedure. The exact runbook depends on the deployment model and KMS.

Platform state

Back up PostgreSQL and platform state according to your deployment architecture. For on-premises deployments, your operations team owns database backup, replication, retention, and restore testing. For Ripple-managed environments, coordinate with your Ripple account team.

Review:

HSM-backed vaults

For HSM-backed vaults, follow the backup procedure for the specific HSM platform and deployment model. HSM backup requirements vary by vendor and by whether the deployment uses physical HSMs, cloud HSMs, or wrapped key material.

Start with the relevant KMS guide under Integrate a KMS.

MPC-backed vaults

For MPC-backed vaults, use the customer-held MPC backup workflow:

  1. Generate the backup encryption and decryption keys.
  2. Associate the backup encryption key with the vault.
  3. Submit the v0_CreateBackup intent.
  4. Check backup status.
  5. Download the trusted entity backup payload.
  6. Acknowledge receipt with v0_AcknowledgeBackup.
  7. Verify the downloaded backup.

For the full procedure, see MPC backups.

Restore procedures

Platform state restore

Use your database restore runbook together with the anti-rewind file recovery process. For source material, see:

HSM-backed vault restore

For HSM-backed vaults, use the restore process for the specific KMS and vendor deployment. Requirements vary by HSM provider, cluster model, wrapping-key approach, and whether the HSM backup is managed by the cloud provider or by the customer.

Start with the relevant guide under Integrate a KMS.

MPC-backed vault recovery and exit

For MPC-backed vaults, use the MPC backup material and the exit strategy process described in MPC backups.

Validation

Validate backups before you rely on them in production.

Backup typeValidation activity
PostgreSQL and platform stateRun restore drills in a non-production environment and confirm that requests, events, accounts, and configuration state are usable.
Anti-rewind file recoveryExercise the anti-rewind file recovery process and verify the state review authority key path.
HSM-backed vault materialTest the vendor-specific HSM restore procedure according to your KMS runbook.
MPC-backed vault materialRun the backup verification script against the downloaded backup JSON.

For MPC-specific validation details, see Verify the backup.

NeedProcedure
Register or rotate the state review authority keyRegister the state review authority public key
Recover the anti-rewind fileRecover your anti-rewind file
Recover cold vault operations after workstation lossRecover a cold vault