Skip to main content
A backup protects you against loss or damage of the device. ZeroKeyUSB makes the process deliberate: no credential leaves the device until you physically press the authorization button.
The backup is emitted as plaintext over USB serial. Encrypt it right after capturing it (GPG, age, 7z with password…) and store it offline.

Before you start

You needFor
The device unlockedExport only works with the PIN already entered
A serial toolWeb manager, screen, minicom, PuTTY or similar at 115200 bps
A safe place to store the fileEncrypted disk, locked SD card, etc.

Step 1 — Open the menu

From the first credential, press Left. (You can also get there by pressing Right from the last credential → “Add New” → Right.) See Navigate the menu if in doubt. Open menu from credential 1 Press Left while on credential 1.

Step 2 — Select “Backup”

In the root menu, Backup is selected by default. Press Center to enter the submenu. Root menu with Backup selected Press Center.

Step 3 — Select “Export”

Inside Backup you have Import, Export and < Back. Press Down once to highlight Export, then Center. Export selected Press Down to reach Export, then Center to activate.

Step 4 — Physical authorization

After pressing Center, the authorization screen appears. This is a security measure: the device doesn’t export until you hold Center for more than 800 ms (you’ll see the large button halo). Authorization screen Before continuing, open your serial terminal on the host and connect to the device (115200 bps), or open the web manager. When it’s ready to receive, hold Center for ~1 second.
Changed your mind? Release before 800 ms or press Left — the operation is cancelled and you return to the menu.

Step 5 — Send progress

After authorizing, the device starts decrypting each slot (one by one with AES-128 CBC) and sending it over USB-CDC as a CSV line. The screen shows the progress. Export progress You don’t have to press anything. The device walks through all 62 slots and on completion shows “Export complete” for 1 second before returning to the menu.

Step 6 — Capture the CSV on the host

While the device sends, on your serial terminal you’ll see lines appear: 
62
0,Google,user1,contrasena1,JBSWY3DPEHPK3PXP
1,Apple,user2,password,
2,Netflix,user3,Atalaya,
3,github,user4,no me acuerdo,JBSWY3DPEHPK3PXP;algo=SHA256
4,Amazon,comprador99,123456,
...
FieldMeaning
Line 0Total number of slots (always 62)
slotIndex0–61
siteSite (≤16 chars)
usernameUsername (≤16 chars)
passwordPassword
totpSecretOptional — Base32 (with optional ;algo=SHA256) or empty
Save the whole output to a file (zerokeyusb-2026-05-27.csv, for example). The web manager has a “Save” button that does this for you.

Step 7 — Encrypt immediately

The CSV you just saved contains all your passwords in cleartext. Encrypt it as soon as you’ve captured it and delete the unencrypted version.
# Option A: GPG (symmetric, AES-256)
gpg -c --cipher-algo AES256 zerokeyusb-2026-05-27.csv
shred -u zerokeyusb-2026-05-27.csv

# Option B: age with passphrase
age -p -o zerokeyusb-2026-05-27.csv.age zerokeyusb-2026-05-27.csv
shred -u zerokeyusb-2026-05-27.csv

# Option C: 7z with a strong password (Windows)
7z a -p -mhe=on zerokeyusb-2026-05-27.7z zerokeyusb-2026-05-27.csv
del zerokeyusb-2026-05-27.csv

When to back up

WhenWhy
After adding or importing several credentialsSo you don’t lose new work
Before factory reset or firmware reflashingThe reset is irreversible
Before any Danger submenu actionSame
PeriodicallyAs part of your security routine

Best practices

PracticeWhy
Encrypt right awayPlain CSV is a huge risk
Store in ≥ 2 separate physical locationsProtects against single-disk/cloud failure
Test a restore now and thenGuarantees the file is usable when you need it
Shred old backupsReduces exposure window
Name with date (YYYY-MM-DD)So you know which is most recent

Next steps

Import credentials

Restore from a backup or migrate from another manager.

Navigate the menu

Learn the rest of the menu options.