← Home

Photo Backup in an Ordinary JPEG

Photo Backup exists for one practical reason: a recovery backup should not have to look like a recovery backup.

Self-custody needs a way back in. Watches are lost. Devices fail. People upgrade hardware. A wallet that cannot be recovered is not a serious wallet. A wallet backup that advertises itself too loudly creates a different problem.

Cryptograph uses two recovery options. The Recovery Sheet is an encrypted QR code printed on paper. Photo Backup is encrypted recovery data hidden inside ordinary JPEG photos. They serve the same recovery purpose, but they have different carriers and different operational postures.

The Recovery Sheet belongs in a safe, a file, or a place where important paper is kept. Photo Backup belongs where photographs already live. A landscape, a family picture, a travel photo, or a quiet image from the camera roll can carry encrypted recovery data without looking like a wallet artifact to a stranger.

What Photo Backup is

Photo Backup contains no photograph of a seed phrase, visible wallet words, plaintext key material, or screenshot of anything the user would type into another app.

A BIP-39 mnemonic exists inside Cryptograph. It is generated on the watch, encrypted at rest, and secured by the Secure Enclave. The user does not handle that mnemonic as a word list during normal onboarding. The iPhone does not receive it. The company does not receive it.

When the user creates a Photo Backup, the watch asks for a recovery PIN or passphrase. The watch uses that secret to encrypt the recovery payload. The iPhone receives opaque ciphertext. It can move the ciphertext into photos and later extract it from photos, but it does not receive the recovery secret and it does not see the mnemonic.

That distinction is the point. The phone is useful because it has the photo library, the larger screen, and the sharing surface. The watch remains the place where recovery material is protected and where the secret is entered.

Why use a photo

Most wallet backups are conspicuous.

A sheet of recovery words is recognizable to anyone who has spent time around crypto. A metal seed plate is even more obvious. A dedicated backup object has one job, and its appearance explains that job to the wrong person.

Photo Backup uses a different signal. The carrier is a normal image file. The encrypted data is embedded inside the JPEG image data, not written as a visible caption or a plaintext note. The result is an ordinary-looking photo that can be stored with other ordinary-looking photos.

The value is discretion. If someone finds the image, they have found a picture. If they also know it is a Cryptograph Photo Backup, the picture alone is still not enough. Restore requires the recovery PIN or passphrase chosen by the user.

That makes Photo Backup useful for a specific kind of holder: someone who wants redundancy without adding another object that announces value. A printed sheet may be right for a safe. A photo may be right for a camera roll, an encrypted archive, a trusted drive, or another place where images already belong.

How the flow works

The flow begins on the watch.

The user chooses Photo Backup and enters a recovery PIN or passphrase. The watch retrieves the wallet mnemonic, encrypts the recovery payload, and sends the encrypted payload to the iPhone. The same recovery purpose as the printed sheet is preserved, but the carrier changes.

On the iPhone, the user chooses several JPEG photos. Cryptograph embeds the encrypted payload into each selected photo and verifies that it can be read back before the flow completes. If a photo is not compatible, the app asks for a different one.

Each successful photo carries the encrypted recovery data. The images can then be saved or shared by the user. The important boundary remains the same throughout the flow: the phone handles photo processing, while the recovery secret and the mnemonic stay out of the phone’s custody.

Restore reverses the path. The user selects the Photo Backup images on the iPhone. The phone extracts the encrypted recovery data and passes it to the watch. The watch asks for the PIN or passphrase and decrypts the payload there. If the secret is wrong or the data has been damaged, restore fails.

Photo Backup remains a local recovery method rather than an account-based service. Cryptograph is not keeping a copy. There is no company-held key, no customer database, and no recovery desk that can override the process. The user chooses where to store the resulting photos and must keep the recovery secret separately.

How it differs from the Recovery Sheet

The Recovery Sheet is physical. It is an encrypted QR code printed on paper. It is easy to put in a safe, a deposit box, or an envelope held by a trusted person. Its strength is clarity. It is obviously the thing to preserve.

Photo Backup is less conspicuous. It uses images as carriers. Its strength is that it can blend into places where images already exist.

Those are separate methods. The Recovery Sheet stays an encrypted QR code on paper. Photo Backup stays encrypted recovery data inside images. Both carry encrypted recovery data, and both require the user’s PIN or passphrase to restore, while solving different storage problems.

The Recovery Sheet is for the part of a recovery plan that should be deliberate and physical. Photo Backup is for the part that benefits from discretion and duplication.

Many people should use both. Paper is durable in ways that digital files are not. Digital images are easy to duplicate in ways paper is not. A serious recovery plan can use those properties together without pretending they are the same object.

What Photo Backup does not solve

Photo Backup does not remove responsibility from the user.

If the watch is lost and every backup image is lost too, Cryptograph cannot reconstruct the wallet. If the recovery PIN or passphrase is forgotten, the encrypted data remains encrypted. If someone obtains both a valid Photo Backup and the recovery secret, that person can restore the wallet.

The feature is designed to change the exposure of the backup, not the rules of self-custody. The backup should be less obvious to a stranger. The secret should remain separate. The resulting files should be stored deliberately.

Photo Backup also does not depend on iCloud as the recovery authority. A user may choose to store images in a cloud photo library, an encrypted drive, an offline archive, or somewhere else. Cryptograph is not delegating recovery to that service. The service, if used, is only carrying files the user chose to place there.

The same caution applies to editing. Photo Backup data lives inside the JPEG carrier. Cropping, filtering, recompressing, or sending through a service that rewrites the image may damage the embedded data. The backup images should be preserved as generated.

The security boundary

The architecture is deliberately narrow.

The watch owns the sensitive recovery step. The mnemonic exists, and it is protected on the watch. It is secured by the Secure Enclave at rest, then used only where it is needed. When a recovery backup is created, the watch encrypts the payload before the phone receives anything.

The phone owns the media step. It lets the user pick photos, prepares the resulting images, and later extracts encrypted data from those images during restore. It is allowed to be a good interface. It is not allowed to become the custodian of the wallet.

That boundary matters because recovery is where many wallets become least precise. A product can be careful during signing and then casual during backup. It can keep keys away from the phone during everyday use and then ask the user to type a seed phrase into a phone during restore. Cryptograph avoids that shape.

The recovery secret is chosen by the user. The encrypted payload can move through the iPhone and through ordinary storage. The mnemonic does not become phone-resident plaintext as part of the flow.

The practical posture

The best recovery method is the one the user can keep without turning it into a liability.

For some holders, paper is right. It is legible to the person who needs it, easy to put in a known place, and independent of digital accounts. For others, an additional digital backup gives useful redundancy. Photo Backup exists for that second layer.

Photo Backup makes recovery quieter.

An ordinary photo can sit among ordinary photos. It can be copied like a file. It can be stored without looking like a wallet backup at first glance. The recovery data inside remains encrypted, and restore still requires the PIN or passphrase.

That is the posture Photo Backup is meant to provide: recoverable without being obvious, redundant without becoming custodial, and precise about what is actually protected.

Cryptograph is available now on the App Store.

The Cryptograph Team

← All posts