The recovery flow described here — split-knowledge, Zoom-call verification, server-blind reconstruction — is the locked design. Setup ships in the June 2026 release alongside multi-device enrollment. Early-access customers can request access via support@clavitor.ai.
For the day you lose your hardware key
Real encryption needs real recovery.
Most password managers have a recovery flow that's a security disaster — email resets, SMS codes, security questions, all bypasses around the encryption. Clavitor's recovery goes through the encryption. It's the only honest answer when "we can't decrypt your vault" is the real promise.
The 2 AM moment
You're in a hotel. Your laptop died. Your YubiKey is in a drawer back home. Your phone screen is cracked. You need a credential to log into the system that's down.
This is the moment the setup you did at signup matters. With Clavitor, two steps:
1. Email support@clavitor.ai and book a Zoom call. 2. On the call, you read out the verification material you chose at setup — a code phrase, a video link, a photo, your choice. The operator reads you back a session code. Your browser reconstructs the key on-device.
That's the entire flow. No SMS. No security questions. No "click the link in your email" that's only as strong as the security of a different account. The server never sees the reconstructed key, even during recovery.
Why other recovery flows are theater
A password manager that lets you "click here to reset" is admitting that their encryption was a suggestion, not a guarantee. If support can let you back in with a click, support can let anyone back in with the same click — under coercion, with a stolen email account, after a social-engineering call.
Recovery as strong as your email account. Which is recovery as strong as its email account. The weakest link in the chain becomes your vault.
Recovery via a number you don't control. Recovery for the SIM-swap attacker, not you.
Recovery via facts on your LinkedIn profile, in your high-school yearbook, on your mother's maiden name. Trivial to social-engineer.
These aren't recovery flows. They're admissions that the encryption was decorative.
Why ours is different
Three properties make Clavitor's recovery cryptographically sound rather than procedural theater:
Split-knowledge
You hold a 48-character recovery code (8×6 grid). We hold a 32-byte recovery anchor. Both are 256 bits of pure entropy; neither alone unlocks anything. Math, not policy.
Human gate
No automated endpoint. No rate limit to brute-force around. To get our half, a person at Clavitor verifies you on a Zoom call against material you stored with us at setup — your choice of what.
Server-blind, even mid-recovery
Our half travels to your browser. The math happens on your device. We never see the reconstructed key, even during recovery. The same architecture that hides your vault from us hides it from us during recovery too.
Two layers of safety net
Set up both. Each protects against a different category of loss:
Enroll multiple devices
The same vault key registered against your laptop's Touch ID, your phone's Face ID, and a YubiKey in a drawer. Any one of them unlocks the vault. Lose your laptop — still got your phone. Lose both — still got the YubiKey.
Set up recovery
For the day every registered device is gone at once. Generate your recovery code, choose your verification material, store both safely. Two minutes of work at signup. The Zoom-call flow above kicks in when you need it.
Each is its own layer. Most customers will only ever need the first — a second device. The recovery flow exists for the day the first layer isn't enough. On that day, you'll be very, very thankful you spent the two minutes.
What setup actually looks like
Two minutes during onboarding:
1. Generate — Clavitor produces a 48-character code in an 8×6 grid. We never store it. 2. Save — print it, email it to yourself, write it on a card. Wherever you'll find it. 3. Confirm — type a random subset back to prove you stored it correctly. 4. Choose verification material — a code phrase, a photo, a video link. Whatever a human can use to confirm it's really you, that an attacker can't guess or steal.
You can regenerate the code at any time — the old one stops working the moment a new one is generated.
What we can't do
We're explicit about the limits. The same architecture that makes Clavitor's recovery cryptographically real also means there's no back door if you lose your half.
No override, no backup database we can consult, no engineer who can issue you a new key. We don't have your half; we never did. The cryptography that protects your vault from us also keeps us from rescuing you.
The Zoom call is the gate, not a courtesy. The operator can't skip the verification step "this once" — the verification material you chose is the only path through.
That's the trade. Real encryption costs a scheduled Zoom call instead of an instant reset link. Most customers are happy to pay it, once they understand what the reset link costs.
Two minutes today.
Free forever for up to 10 entries — no card, no trial timer.
Multi-device enrollment + recovery setup are part of every signup flow. Two minutes total. You'll thank yourself.