

This guide documents the new AWS Wickr administration console, released on March 13, 2025. For documentation on the classic version of the AWS Wickr administration console, see [Classic Administration Guide](https://docs.aws.amazon.com/wickr/latest/adminguide-classic/what-is-wickr.html).

# Password recovery instruction
<a name="password-recovery-instruction"></a>

## Overview
<a name="password-recovery-overview"></a>

During the Data Retention account generation flow, if the service detects an already configured Data Retention Bot, but no serverless data retention, a password collection script (`collect.py`) is uploaded to your S3 bucket. You need to download and run this script locally to provide your Wickr Data Retention password so the service can recover your bot's identity.

Before running the script, verify that your IAM role or user has the required permissions on the password recovery key and S3 bucket. See the Password Recovery Key Policy section below to configure access.

## Password recovery key policy
<a name="password-recovery-policy"></a>

To run the password recovery script, the IAM principal executing it requires the following permissions:
+ kms:GetPublicKey on the password recovery key
+ s3:PutObject on the DRS S3 bucket

### Finding your resource ARNs
<a name="password-recovery-policy-arn"></a>

If your password recovery key was generated by the product, you can find the key ARN in the Service Catalog outputs:

1. Open the AWS Service Catalog console

1. Navigate to Provisioned products.

1. Select your Wickr Data Retention product.

1. Open the **Outputs** tab.

1. Locate the **PasswordRecoveryKeyArn** output.

1. Locate the **RetentionBucketName** output.

### Adding the required permission
<a name="password-recovery-policy-permission"></a>

Add the following statement to the password recovery KMS key policy. Replace {your-role-or-user-arn} with the ARN of the IAM role or user that will execute the script.

```
{
  "Sid": "PasswordRecoveryScriptAccess",
  "Effect": "Allow",
  "Principal": { "AWS": "{your-role-or-user-arn}" },
  "Action": "kms:GetPublicKey",
  "Resource": "*"
}
```

The same principal also needs s3:PutObject on the data retention DRS S3 bucket. Grant this through an IAM identity policy attached to the role or user.

**Note**  
The password recovery key is only used when migrating data that was previously encrypted under Docker-bot data retention.

## Python script guide
<a name="password-recovery-script"></a>

The script requires:
+ Python 3.8 or later (3.10\+ recommended)
+ pip (Python package manager, included with Python 3.4\+)
+ Two Python packages: `boto3` and `cryptography`
+ AWS credentials configured with access to your DRS KMS key and S3 bucket

## Windows
<a name="password-recovery-windows"></a>

### Install Python
<a name="password-recovery-windows-install"></a>

1. Download the latest Python installer from [python.org](https://www.python.org) — choose the "Windows installer (64-bit)" for Python 3.10 or later.

1. Run the installer. Check the box **Add python.exe to PATH** at the bottom of the first screen before choosing **Install Now**.

1. Verify the installation by opening Command Prompt or PowerShell:

   ```
   python --version
   ```

   You should see output like `Python 3.10.x` or later.

1. Verify pip is available:

   ```
   pip --version
   ```

### Install dependencies
<a name="password-recovery-windows-deps"></a>

Open Command Prompt or PowerShell and run:

```
pip install boto3 cryptography
```

### Configure AWS credentials
<a name="password-recovery-windows-creds"></a>

Make sure your AWS credentials are configured. The simplest approach is to use the AWS CLI:

```
aws configure
```

Provide your Access Key ID, Secret Access Key, and default region. The credentials must have:
+ `kms:GetPublicKey` on your DRS password recovery key
+ `s3:PutObject` on your DRS S3 bucket
+ `s3:GetObject` on your DRS S3 bucket (to download the script)

### Download and extract the script
<a name="password-recovery-windows-download"></a>

1. Download the zip file from your S3 bucket:

   ```
   aws s3 cp s3://{{your-bucket}}/wickr-drs-password-tool/collect.zip .
   ```

1. Extract the zip file:

   ```
   Expand-Archive -Path collect.zip -DestinationPath .
   ```

1. (Optional) Verify the script checksum matches the value shown in the Wickr AWS Console:

   ```
   certutil -hashfile collect.py SHA256
   ```

   The expected hashfile result is:

   ```
   31c5c85ec16587fbc284ed963bc0cae3723713ea9cb54a2cdc3941726bcc662a
   ```

### Run the script
<a name="password-recovery-windows-run"></a>

```
python collect.py
```

After successful completion, delete the local files:

```
del collect.py config.json collect.zip
```

## macOS
<a name="password-recovery-macos"></a>

### Install Python
<a name="password-recovery-macos-install"></a>

macOS ships with a system Python, but it may be outdated. Install a current version using one of these methods:

**Option A: Official installer (simplest)**  


1. Download the macOS installer from [python.org](https://www.python.org) — choose Python 3.10 or later.

1. Run the `.pkg` installer and follow the prompts.

1. Verify:

   ```
   python3 --version
   ```

**Option B: Homebrew**  
If you have Homebrew installed:

```
brew install python@3.12
```

Verify:

```
python3 --version
```

### Install dependencies
<a name="password-recovery-macos-deps"></a>

```
pip3 install boto3 cryptography
```

If you get a permissions error, use:

```
pip3 install --user boto3 cryptography
```

### Configure AWS credentials
<a name="password-recovery-macos-creds"></a>

```
aws configure
```

Provide your Access Key ID, Secret Access Key, and default region. The credentials must have:
+ `kms:GetPublicKey` on your DRS password recovery key
+ `s3:PutObject` on your DRS S3 bucket
+ `s3:GetObject` on your DRS S3 bucket (to download the script)

### Download and extract the script
<a name="password-recovery-macos-download"></a>

1. Download the zip file from your S3 bucket:

   ```
   aws s3 cp s3://{{your-bucket}}/wickr-drs-password-tool/collect.zip .
   ```

1. Extract the zip file:

   ```
   unzip collect.zip
   ```

1. (Optional) Verify the script checksum:

   ```
   shasum -a 256 collect.py
   ```

   The expected shasum result is:

   ```
   31c5c85ec16587fbc284ed963bc0cae3723713ea9cb54a2cdc3941726bcc662a
   ```

   Compare the output with the checksum shown in the Wickr AWS Console.

### Run the script
<a name="password-recovery-macos-run"></a>

```
python3 collect.py
```

After successful completion, delete the local files:

```
rm collect.py config.json collect.zip
```

## Linux
<a name="password-recovery-linux"></a>

### Install Python
<a name="password-recovery-linux-install"></a>

Most Linux distributions include Python 3. Check your current version:

```
python3 --version
```

If Python is not installed or is below 3.8, install it using your distribution's package manager:

**Ubuntu / Debian**  


```
sudo apt update
sudo apt install python3 python3-pip
```

**Amazon Linux 2023 / Fedora / RHEL 9\+**  


```
sudo dnf install python3 python3-pip
```

**Amazon Linux 2 / RHEL 7-8 / CentOS 7-8**  


```
sudo yum install python3 python3-pip
```

Verify:

```
python3 --version
pip3 --version
```

### Install dependencies
<a name="password-recovery-linux-deps"></a>

```
pip3 install boto3 cryptography
```

If you get a permissions error, use:

```
pip3 install --user boto3 cryptography
```

### Configure AWS credentials
<a name="password-recovery-linux-creds"></a>

```
aws configure
```

Provide your Access Key ID, Secret Access Key, and default region. The credentials must have:
+ `kms:GetPublicKey` on your DRS password recovery key
+ `s3:PutObject` on your DRS S3 bucket
+ `s3:GetObject` on your DRS S3 bucket (to download the script)

### Download and extract the script
<a name="password-recovery-linux-download"></a>

1. Download the zip file from your S3 bucket:

   ```
   aws s3 cp s3://{{your-bucket}}/wickr-drs-password-tool/collect.zip .
   ```

1. Extract the zip file:

   ```
   unzip collect.zip
   ```

   If `unzip` is not installed: `sudo apt install unzip` (Debian/Ubuntu) or `sudo dnf install unzip` (Fedora/RHEL/AL2023).

1. (Optional) Verify the script checksum:

   ```
   sha256sum collect.py
   ```

   The expected sha256sum result is:

   ```
   31c5c85ec16587fbc284ed963bc0cae3723713ea9cb54a2cdc3941726bcc662a
   ```

   Compare the output with the checksum shown in the Wickr AWS Console.

### Run the script
<a name="password-recovery-linux-run"></a>

```
python3 collect.py
```

After successful completion, delete the local files:

```
rm collect.py config.json collect.zip
```