End-to-end encryption (E2EE) provides strong confidentiality guarantees to users by preventing service providers from accessing their data. At the same time, it introduces new operational challenges, most notably the restoration of an E2EE-protected backup on a new device after loss of the original device. In recent years, major instant messengers have deployed increasingly sophisticated key-retrieval schemes for encrypted backups, ranging from simple recovery codes to designs that depend on tru