# Keys notice

We use **encrypted storage** to store private keys. The root storage password is a cryptographically strong key derived from the **machine key** plus a **`pin`**, which must be provided every time the accounts store is accessed. The **`pin`** can be provided via the CLI or an environment variable.

* [🖥️](https://emojipedia.org/desktop-computer/) **Machine Key** — the storage file can't be decrypted on other machines (*unless your machine is compromised and an attacker has full access to it, and even then the attacker must also observe your actions to capture the next requirement, the **`pin`***)
* [🔑](https://emojipedia.org/key/) **PIN** — must be provided every time you want to decrypt the storage. The PIN is not stored anywhere.

This combination of keys makes the storage file safe from various attack vectors.
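
The two-secret derivation described above, as an added sketch that is not the project's own code. The HMAC binding step, the scrypt parameters, the header layout and every function name are assumptions chosen for illustration; the sample machine keys and PINs are constructed.

```python
import hashlib
import hmac
import os

CHECK_LABEL = b"storage-key-check"  # hypothetical constant for the verifier tag


def derive_storage_key(machine_key: bytes, pin: str, salt: bytes) -> bytes:
    """Derive a 32-byte storage key that depends on BOTH secrets."""
    # Bind the PIN to this machine first, so neither input alone is enough.
    bound = hmac.new(machine_key, pin.encode("utf-8"), hashlib.sha256).digest()
    # scrypt makes every PIN guess expensive (parameters are an assumption).
    return hashlib.scrypt(bound, salt=salt, n=2**14, r=8, p=1, dklen=32)


def create_header(machine_key: bytes, pin: str) -> dict:
    """First storage write: fix the salt and a key-check tag.

    Only the salt and the tag are persisted; the PIN and key never are.
    """
    salt = os.urandom(16)
    key = derive_storage_key(machine_key, pin, salt)
    check = hmac.new(key, CHECK_LABEL, hashlib.sha256).digest()
    return {"salt": salt, "check": check}


def unlock(header: dict, machine_key: bytes, pin: str):
    """Return the storage key, or None on a wrong PIN or changed machine key."""
    key = derive_storage_key(machine_key, pin, header["salt"])
    check = hmac.new(key, CHECK_LABEL, hashlib.sha256).digest()
    # Constant-time comparison avoids leaking how many tag bytes matched.
    return key if hmac.compare_digest(check, header["check"]) else None


if __name__ == "__main__":
    this_machine = b"\x11" * 32   # constructed sample machine key
    other_machine = b"\x22" * 32  # e.g. after an OS reset or on another host
    header = create_header(this_machine, "4821")

    print("correct PIN, same machine :", unlock(header, this_machine, "4821") is not None)
    print("wrong PIN, same machine   :", unlock(header, this_machine, "0000") is not None)
    print("correct PIN, other machine:", unlock(header, other_machine, "4821") is not None)
```

In a real store the authentication tag of the cipher protecting the file would normally play the role of the key-check value.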

The **pin** is set on the first storage write — *when you add or create an account*. So you must:

* remember the **PIN**; it won't be possible to decrypt the storage without it.
* avoid resetting the operating system; the **machine key** will be lost and the storage won't be accessible.

> If you forget the `pin` or the machine key changes, you can **reset the storage**, which means it will be completely cleared.

To summarize: **ALWAYS** back up your keys.
