Skip to content
opentusk

Disaster Recovery

OpenTusk is designed so you can recover your data independently — without the OpenTusk API or platform. Your files live on the Walrus decentralized network, and you hold the keys needed to decrypt them.

Export your data

Section titled “Export your data”

The opentusk export command produces a JSON manifest containing everything needed for recovery:

Terminal window
opentusk export                          # Export all files to opentusk-export.json
opentusk export -o backup.json           # Custom output path
opentusk export --vault <vaultId>        # Export specific vault only

The manifest includes:

  • All file metadata: names, sizes, vault info, folder IDs
  • Walrus blob IDs (walrusBlobId) for fetching from any Walrus aggregator
  • Walrus object IDs (walrusBlobObjectId) for epoch renewal via Walrus CLI
  • Encryption metadata: wrappedKey, encryptionIv, plaintextChecksumSha256
  • Walrus network info and aggregator URL
  • Step-by-step recovery instructions

Recovery without OpenTusk

Section titled “Recovery without OpenTusk”

Three operations you can perform independently:

1. Download from Walrus

Section titled “1. Download from Walrus”

Fetch any file directly from the Walrus network using its blob ID:

Terminal window
curl -o file.enc https://aggregator.walrus.space/v1/blobs/<walrusBlobId>

Or use the CLI:

Terminal window
opentusk file rehydrate <blobId> --output myfile.enc

2. Decrypt files

Section titled “2. Decrypt files”

For shared vault files (SEAL encrypted), use the CLI:

Terminal window
opentusk decrypt myfile.enc --export opentusk-export.json -o myfile.txt

The decrypt command supports multiple key sources:

Terminal window
# Using export manifest (recommended)
opentusk decrypt myfile.enc --export opentusk-export.json -o myfile.txt


# Using file ID (online — fetches metadata from API)
opentusk decrypt myfile.enc --file-id <id> -o myfile.txt


# Manual keys
opentusk decrypt myfile.enc --wrapped-key <b64> --iv <b64> -o myfile.txt

A zero-dependency standalone decryption script is also available at scripts/opentusk-decrypt.mjs — it uses only Node.js built-in crypto and can be saved alongside your export manifest for offline use.

3. Renew Walrus epochs

Section titled “3. Renew Walrus epochs”

Walrus stores data for a set number of epochs (~24 hours each). After expiry, data is garbage collected permanently. To extend storage independently:

Terminal window
walrus extend <walrusBlobObjectId> --epochs 5

This requires the Walrus CLI and a Sui wallet with WAL tokens.

Best practices

Section titled “Best practices”
  • Export regularly — run opentusk export periodically and store the manifest somewhere safe
  • Save the standalone decrypt script — keep scripts/opentusk-decrypt.mjs alongside your export manifest
  • Monitor epoch expiry — if you stop using OpenTusk, you’re responsible for epoch renewals to prevent data loss
  • Back up your Sui private key — it’s needed for SEAL decryption of shared vault files
Upload & file lifecycle How files move through hot, synced, and cold states.
CLI reference Full export and decrypt command reference.