Glossary

Recovery key

Definition

A recovery key is generated, word-based material you store yourself that can restore access to your encrypted workspace when no approved device is available. The service never holds it in plaintext, so it cannot reset it for you. It is the fallback path when every trusted device is lost at once.

When workspace decryption access normally comes from an already-trusted device, one question remains: what happens if you have no trusted device left, with every machine lost, wiped, or replaced at the same time. A recovery key is the answer. It is generated material, a set of words the service produces and you store outside it, that can grant a fresh device access without another device to vouch for it.

A recovery key is deliberately not a passphrase you choose, which keeps it from being guessable, and the service never stores it in plaintext, which keeps it from being resettable server-side. That is the trade: strong, self-custodied recovery in exchange for responsibility. If you lose the words and have no trusted device, the data cannot be recovered, so the key is something you create before you need it.

Why it matters

End-to-end encryption means the provider cannot read or reset your workspace, which is the point, but it also means account support cannot rescue you if every device is gone. A recovery key is the one path back in, and it only works if it exists before the emergency, stored somewhere safe and offline.

In practice

Your laptop is stolen and your only other trusted machine was wiped last week. With a recovery key stored in a password manager, you bring up a new device and regain access. Without one, there is no trusted device left to approve it, and the workspace stays sealed.

How Bowline relates

Bowline generates a word-based recovery key that you store outside the service. It decrypts a recovery envelope locally and then runs the normal device-approval path, so you can regain access when no trusted device is available. The service holds only encrypted material, never your key words or plaintext workspace key.

Read the docs on recovery key

ready when you are

Your ~/Code, on every machine and every agent.

Install bowline and your projects follow you. It just works.

Get started
curl -fsSL https://install.bowline.sh | sh

macOS app · Linux CLI. Then run bowline login.