Ente Locker is for the practical parts of a life: IDs, insurance papers, medical records, passwords, notes, and the documents someone may need in your absence.
Since launch, we have learned that someone without an Ente account also needs a way to recover your Ente account if you lose access, are incapacitated, or are no longer around.
That is what Legacy Kit is for.
How it works
Legacy Kit is a set of 3 recovery sheets. Each sheet has a secret QR code and instructions to recover your account. You give each sheet a name ("Son", "Lawyer", "that drawer with all the cables", ...), print or save the sheets, and share them separately.
Any 2 of the 3 sheets are enough to recover your account. One sheet on its own is not enough.
The person recovering does not need an Ente account or app. They can open legacy.ente.com and scan 2 of the 3 sheets to access your full Ente account – Photos, Locker and Auth.
Waiting period
Each kit has a configurable waiting period: immediate, 1 day, 7 days, 15 days, or 30 days.
Immediate is useful for self-recovery, in case you have locked yourself out of your account. Longer waits are better when the kit is for someone else, because they give you time to notice and block an attempt if something looks wrong.
You can create up to 5 kits per account. This lets you plan for different situations. A short window helps with self-recovery, and a longer one with inheritance.
Revoking access
When there is an attempt to recover your account, Ente emails you.
You can block an active recovery session within the waiting period you configured.
You can also delete a kit to disable those sheets and prevent any future recovery attempt.
More details
Legacy Kit started as a hackathon project called 2of3. The prototype split a secret into 3 parts. It evolved into Legacy Kit after we made it revocable and server-mediated.
When you create a Legacy Kit, Ente generates a random secret and splits it into 3 shares using a 2-of-3 threshold scheme. Any 2 shares can rebuild the secret. Here is the maths.
This secret never touches our servers. From it, Ente derives an encryption key that protects your recovery material, and a challenge keypair that lets the server verify someone has enough sheets without seeing the secret.
During recovery, a helper combines two sheets in their browser to open a sealed challenge from the server. After the waiting period passes, the server returns the encrypted recovery material, which is decrypted locally to complete a standard password reset.
The server never sees the kit secret, the shares, or your decrypted recovery key.
Legacy Kit is now available on Ente Locker on both Android and iOS.