The honest version: macup’s encryption is structural. Keys never leave your Mac unless you export them. That means a lost passphrase plus a lost recovery code equals lost access. This is the same property that means a subpoena served on us can’t read your files — we don’t have the keys to hand over. The article that follows is 80% prevention and 20% last-resort triage.
You have your passphrase but not your recovery code
Straightforward. You’re fine.
Open macup > Preferences > Account > Recovery code > Generate new. macup creates a fresh recovery code, shows it to you once, and writes it nowhere else. Save it somewhere durable — see the prevention checklist below.
Your old recovery code is now invalid. That’s intentional: anyone who has the old one can’t use it against you.
You have your recovery code but not your passphrase
Also fine. On any Mac signed into your account, click Forgot passphrase at the passphrase prompt, enter your recovery code, and set a new passphrase. macup re-derives the key and re-wraps it against the new passphrase. Existing snapshots remain readable.
Tip: after doing this once, generate a fresh recovery code. The old one was used; treat it as spent. Go to macup > Preferences > Account > Recovery code > Generate new and store the replacement.
You have neither
The hard truth. There is no recovery path.
We cannot reset an encryption key we never held. Support staff have no secret override. Subpoenas served on us would not recover your data either — the architecture does not have that door in it.
What’s still salvageable: any Mac that has macup running and a valid Keychain entry can still restore everything. The key is cached on that machine. If you have another Mac logged into the account with its Keychain intact — a work laptop, a studio machine, a partner’s Mac — start there. Restore what you need off that device before anything changes its state.
If every device is gone, the data is gone. We’re sorry. That is the cost of keys we can’t read, and it’s the only guarantee that the rest of the promise holds up.
Prevention — the part that matters
The only way to lose both credentials at once is neglect. Here’s the checklist that makes that impossible:
- Write your passphrase in a password manager. Everyone has one by now. Use it. 1Password, iCloud Keychain, Bitwarden — any of them work.
- Write your recovery code in two places. One local — a notebook in your desk drawer, a printed copy in a home safe. One off-site — a bank deposit box, a sealed envelope with a relative, or a second password manager vault that your partner or co-founder also has access to.
- On Business or MSP plans, enable org escrow. Your org admin holds a wrapped copy of the key under their account. Any admin can recover any member’s access without you needing to remember anything. Individual accounts don’t have this — the cost is operational overhead; the benefit is structural trust. Business tiers take the trade; individuals keep the simpler model.
- Test your recovery code once a year. Open
macup > Preferences > Account > Recovery code > Verifyand paste it in. macup confirms validity — it checks that the code correctly derives your key — without changing anything. No new snapshot, no re-wrap, no side effects. Put a calendar reminder on it.
Four items. None of them are hard. Do them once and the rest of this article is a curiosity.
What we promise
We will never invent a back door. Not for law enforcement, not for ourselves, not for customer support convenience.
We will never add silent key escrow without telling you. If that ever changed for some specific enterprise scenario, it would be opt-in, it would be visible in the UI, and it would be documented here before it shipped.
We will always tell you, at signup and in the UI, that losing both credentials means losing access. No asterisks, no dark patterns, no “contact support and we’ll see what we can do.” Everything else about trust flows from that one guarantee.