All posts

A Recovery Phrase for Your Files, Not Your Coins: How BIP39 Backs Up Encrypted Storage

The 12 words you'd write down for a crypto wallet do the same job in encrypted storage — they back up the master key that decrypts your files. Here's how BIP39 works, why Beebeeb uses it, and the honest catch: we can't recover it for you.

The same 12 words, a different job

Set up a crypto wallet and you get handed 12 words on a card, plus a warning never to lose them. Beebeeb hands you the same thing, generated by the same standard: BIP39. The words look identical. The job is not. In a wallet, those words recover the private keys that move your money. In Beebeeb, they recover the master key that decrypts your files. Same mechanism, files instead of coins.

The reuse is deliberate. BIP39 is one of the most battle-tested ways to turn a long, unguessable secret into something a person can write on paper without botching it. Inventing a worse version of that for cloud storage would be pure ego.

What BIP39 actually is

BIP39 is a Bitcoin Improvement Proposal from 2013. It defines how to encode random entropy as words drawn from a fixed list of 2048 English words. Each word maps to exactly 11 bits, and 211 is 2048 — that is why the list is that precise size, not a round 2000. A 12-word phrase carries 128 bits of entropy plus a 4-bit checksum. A 24-word phrase carries 256 bits plus an 8-bit checksum.

The numbers do real work. A 12-word phrase has 204812 possible combinations, roughly 5.4 × 1039. You do not brute-force that. The checksum is the quietly clever part: those last bits are derived by running SHA-256 over the entropy, so a single transcription error fails validation instead of silently unlocking nothing. A mistyped seed gets caught at the door.

And words beat raw hex for a dumb, human reason. People copy ribbon absurd march hello below correctly far more often than 9f3a2c…. BIP39 was built around how someone handles a backup they touch once and then store for years.

Where the phrase sits in Beebeeb's key chain

Here is where Beebeeb differs from most providers. The recovery phrase is not a backup of your key. It is the master secret — the root your encryption keys derive from.

When you create an account, you choose a passphrase. That passphrase doesn't replace the recovery phrase; it wraps it. We run the passphrase through Argon2id — tuned to 256 MiB of memory, 4 iterations, 2 lanes — to derive a key that encrypts the master secret. So two independent paths reach the same master key. Your passphrase is the everyday door: type it, and Argon2id unwraps the master secret on your device. Your recovery phrase is the master secret itself, in writable form: forget the passphrase, and the phrase reconstructs the master key directly.

From that master key, Beebeeb derives a per-file key via HKDF, encrypts each file with AES-256-GCM, and zeroizes key material from memory the moment it's finished. The recovery phrase sits at the very top of that chain. Lose one path and the other still works. Lose both and there is no third. The full key derivation is laid out on our security page, down to the parameters.

This is a subtly leaner design than the common pattern, where the recovery phrase encrypts a separate stored copy of your key. That is how Proton Drive's recovery phrase is documented to work — a second password that decrypts a backup copy of your account key on the server. It is a perfectly legitimate approach, and Proton are good at this. Beebeeb's version just has one fewer moving part: no separate key copy to keep in sync, because the phrase regenerates the real thing.

The flip side, said out loud: we can't recover it for you

Here is the sentence most storage marketing won't write. If you lose your passphrase and your recovery phrase, your files are gone. We cannot get them back. No "forgot password" email helps. No support agent has a backdoor. There is no internal master key, because there is no internal anything that can read your data.

That isn't a gap we apologize for — it's the entire point of zero-knowledge storage. The server only ever holds ciphertext. Your passphrase and recovery phrase never reach us. If we could reset your account and hand back readable files, that would prove we'd held the keys the whole time, and "we can't read your files" would be a lie. The honest version costs us the comfortable safety net of a password reset. We think it's the right trade, and you should know you're making it before you make it.

How to store a recovery phrase so you never need our sympathy

Treat it like a spare key to a house with no locksmith. A few rules that have aged well in crypto and apply identically here:

  • Write it on paper, not in a screenshot. A photo in your camera roll syncs straight to whatever cloud you were trying to escape. A pen and a card don't phone home.
  • Keep at least two copies in separate physical places. A single copy is a single point of failure: a fire, a flood, or a house move ends it.
  • Don't email or message it to yourself. The instant it lands in an inbox, its security drops to the security of that inbox.
  • A password manager is fine, with eyes open. If the manager is itself strongly encrypted and you trust its own recovery, storing the phrase there works. Just don't build a loop where the manager's recovery routes back through Beebeeb.
  • Order matters. BIP39 words are positional. Number them when you write them, and the checksum will catch a swap if you ever re-enter them.

One thing worth stating plainly: writing the phrase down does not weaken your day-to-day security. You log in with your passphrase, protected by OPAQUE so the passphrase never leaves your device, with an optional passkey or TOTP second factor. The recovery phrase is the cold backup you hope to never touch. Passkeys, TOTP two-factor, and configurable file versioning all sit on top of this same key model. None of them change the fact that the recovery phrase is your last line.

Why a storage app borrows a wallet idea at all

Because the problems rhyme. A wallet and a zero-knowledge drive both have to let exactly one person — you — regain access to encrypted data, with no trusted third party able to do the same. Crypto solved the human-writable-backup half of that problem years ago, with billions of dollars riding on whether it held. BIP39 is the proven answer to "how does a normal person back up a 256-bit secret on a slip of paper." Reaching for it instead of a homegrown scheme is the boring, correct engineering call.

If you'd rather feel the model than read about it, And then a card.

Files only you can read

Beebeeb is end-to-end encrypted, zero-knowledge cloud storage — stored in Falkenstein, Germany, open source, with a 14-day free trial on every plan. Encryption happens on your device; we only ever hold ciphertext we can’t read.

Join the waitlist See pricing How the encryption works