Recovery Kit
Offline recovery for protected workspace data.
The Recovery Kit is the workspace-wide offline recovery path for Workspace Protection. It exists because a real zero-trust model has a hard failure mode. If every trusted browser and device is lost, rstream cannot recover protected workspace data from server-side storage alone.
Recovery Kit flows require an Enterprise workspace with Workspace Protection enabled. The kit belongs to the workspace, not to a single WebTTY server, browser, or user.
Keep one current Recovery Kit offline and treat it as a high-value secret. Anyone with the current kit can recover protected workspace data.
The Recovery Kit is not used for normal daily access. It is the fallback when no trusted browser or device remains available.
trusted browsers and trusted devices available
|
| normal daily access
v
protected workspace data

trusted browsers and trusted devices lost
|
| Recovery Kit used locally
v
new trusted browser
|
v
protected workspace data
The Recovery Kit is not a convenience login method. It is the emergency path that keeps an Enterprise workspace recoverable without giving rstream server-side decrypt authority.
What it contains
The Recovery Kit contains recovery private key material for the workspace keyset. It is encoded as a printable document with a bounded payload:
-----BEGIN RSTREAM WORKSPACE RECOVERY KIT-----
...
-----END RSTREAM WORKSPACE RECOVERY KIT-----
The kit does not bypass authorization by itself in the product flow, but cryptographically it is powerful material. Store it outside the normal rstream account path and outside the browser profile that already holds trusted browser keys.
The printable document can include metadata that helps an operator identify the right workspace and verify the document format. The sensitive part is the recovery private key material. Do not paste it into support tickets, chat tools, or logs.
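One way to enforce the "no tickets, chat tools, or logs" rule is to filter text before it is stored. The following is an added example, not rstream code: it looks for the armor markers shown above and redacts everything between them without interpreting the payload. The function name, placeholder string and sample log are constructed for illustration.

```python
BEGIN = "-----BEGIN RSTREAM WORKSPACE RECOVERY KIT-----"
END = "-----END RSTREAM WORKSPACE RECOVERY KIT-----"
PLACEHOLDER = "[REDACTED RSTREAM RECOVERY KIT]"  # hypothetical replacement text


def redact_recovery_kits(text):
    """Return (redacted_text, findings) for any kit armor found in text."""
    findings, out, pos = [], [], 0
    while True:
        start = text.find(BEGIN, pos)
        if start == -1:
            break
        line = text.count("\n", 0, start) + 1  # 1-based line of the BEGIN marker
        out.append(text[pos:start])
        out.append(PLACEHOLDER)
        end = text.find(END, start + len(BEGIN))
        if end == -1:
            # Cut-off paste: no END marker. Fail closed and drop the rest,
            # since everything after BEGIN may be key material.
            findings.append({"line": line, "kind": "truncated"})
            pos = len(text)
            break
        findings.append({"line": line, "kind": "complete"})
        pos = end + len(END)
    out.append(text[pos:])
    return "".join(out), findings


# Constructed sample input: the payload lines are dummy text, not a real kit.
SAMPLE_LOG = """\
2024-01-01T10:00:00Z support ticket opened
2024-01-01T10:00:05Z user pasted:
-----BEGIN RSTREAM WORKSPACE RECOVERY KIT-----
constructed-sample-payload-line-1
constructed-sample-payload-line-2
-----END RSTREAM WORKSPACE RECOVERY KIT-----
2024-01-01T10:01:00Z ticket updated
2024-01-01T10:02:00Z clipboard dump: -----BEGIN RSTREAM WORKSPACE RECOVERY KIT-----
constructed-sample-payload-line-3
"""

if __name__ == "__main__":
    redacted, findings = redact_recovery_kits(SAMPLE_LOG)
    print(redacted)
    for f in findings:
        print(f"recovery kit armor at line {f['line']} ({f['kind']}): rotate the kit")
```

A hit means the document may have been exposed, which is one of the conditions the Rotation section gives for rotating the kit.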
| Property | Behavior |
|---|---|
| Scope | One current kit per workspace. |
| Owner | The workspace, not one user, browser, device, or WebTTY server. |
| Storage | Offline or through an organization-approved offline secret process. |
| Server visibility | rstream stores metadata and encrypted envelopes, not plaintext recovery private material. |
| Replacement | Rotation creates a replacement kit; stop using the old kit once the new kit is active and stored. |
Setup
Workspace Protection setup creates the first Recovery Kit in the same flow that trusts the initial owner/admin browser. Setup is complete only after the kit has been saved offline.
This is why Workspace Protection requires at least one trusted owner/admin browser and one current Recovery Kit. A trusted browser gives day-to-day access, and the Recovery Kit gives recoverability if day-to-day access is lost.
The setup flow asks the operator to pause and store the kit deliberately. Automatic download is convenient but can be operationally unsafe because the browser may silently save the only recovery copy to an uncontrolled location. The owner/admin chooses where to save or print the kit, then confirms that the workspace has a current recovery path.
Use this setup sequence:
- Choose the owner/admin browser that will bootstrap Workspace Protection.
- Create Workspace Protection.
- Save or print the Recovery Kit.
- Confirm the kit has been stored offline.
- Enroll additional browsers and devices as needed.
Recovery
Use the Recovery Kit when no trusted browser or device is available. The browser parses the kit locally, uses the recovery private key to decrypt the workspace key bundle, and then trusts the current browser as a new access path.
The server records the recovery operation and updates metadata. It does not receive the recovered private workspace key bundle in plaintext.
Recovery is explicit. Accepting the kit locally decrypts the workspace key bundle and turns the current browser into a trusted access path for that workspace.
During recovery, the sensitive decrypt step happens in the browser. rstream stores only the resulting metadata and encrypted envelope.
operator opens recovery flow
|
| pastes or imports Recovery Kit payload
v
browser validates kit locally
|
| decrypts workspace key bundle locally
v
browser creates new trusted-browser envelope
|
| rstream stores metadata and encrypted envelope
v
workspace is accessible again from that browser
Rotation
Rotate the Recovery Kit if the document may have been exposed, if it was used on a machine that must not keep long-term access, or if organization policy requires periodic offline-secret rotation.
Rotation creates new recovery material and registers a new encrypted envelope. Treat the previous kit as invalid only after the replacement is active and stored offline.
Rotation is not the same operation as revoking a browser or device:
| Action | Use when |
|---|---|
| Revoke browser/device | One online access path must no longer decrypt protected data. |
| Rotate Recovery Kit | The offline recovery document may be exposed, outdated, or used during recovery. |
| Re-enroll device | The local CLI, agent, or service needs a new trusted key. |
| Disable Workspace Protection | Enterprise workspace policy no longer permits protected-data use. |
Do not rotate the only Recovery Kit and close the flow before the replacement is stored. The old kit remains the emergency path until the new kit is active.
Operational storage
Print the Recovery Kit or store it through an offline secret-management process. Do not keep the only copy in the same browser profile, password manager account, laptop, or cloud drive that holds the trusted browser or trusted device keys.
Owners and admins periodically confirm that the organization knows where the current kit is stored and who is authorized to access it.
What it does not do
The Recovery Kit does not remove the need for permissions, audit, and device hygiene.
| It does | It does not |
|---|---|
| Recover protected workspace key material locally. | Let rstream decrypt protected data without a trusted client. |
| Trust a new browser after local recovery. | Automatically trust every browser or CLI device. |
| Preserve recoverability if day-to-day devices are lost. | Replace normal owner/admin approval for routine device enrollment. |
| Provide an offline break-glass path. | Eliminate the need to revoke exposed devices or rotate exposed material. |
WebTTY impact
Workspace-managed WebTTY E2E and encrypted session recordings depend on the same workspace keyset. Losing every trusted browser, every trusted device, and the current Recovery Kit means encrypted WebTTY recordings cannot be decrypted later.
WebTTY production setup verifies three independent facts:
- The registered server is enrolled.
- The clients that need access are trusted browsers or trusted devices.
- The workspace has a current Recovery Kit stored offline.