> For the complete documentation index, see [llms.txt](https://oten.gitbook.io/drive-support/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://oten.gitbook.io/drive-support/concepts-in-1-minute/user-key-recovery-and-devices.md).

# User Key, Recovery & Devices

**What it is:** Your account identity is a **User Key**, created on your first device and stored in the operating system's secure storage (Keychain on macOS/iOS). It is *not* tied to any single device — it's tied to you.

Two recovery keys matter, and they do different jobs:

* **User Recovery Key** — restores your **account identity** on a new device. Shown once during onboarding.
* **Vault Recovery Key** — restores access to **one specific vault** if you forget its password. Each vault has its own.

**Why it matters:** Because the server holds no keys, these recovery keys are the *only* way back in. There is no "reset by email" that Oten can perform.

**Good to know:**

* **Adding a device:** sign in with the same Oten account, enter your **User Recovery Key**, and the app pulls your vault list. Open each vault with its password.
* **Sync:** encrypted blobs sync via Oten Cloud with conflict-aware versioning. Only ciphertext moves; keys never do.
* **Vault key storage choice (at vault creation):** you pick **Convenience** (the vault key is not stored, so resets rely on your keys) or **Security** (you store and manage the vault key yourself). Password reset then follows whichever choice you made.
* **Transfer Drive:** you can move or reassign Drive ownership to another device or account while your Vault data stays isolated.

> Store your User Recovery Key and each Vault Recovery Key **separately** from the device — a password manager or a physical safe. Losing a password *and* its recovery key means that data is gone for good.
