During the backup creation, a secure encrypted communication channel is established between the cards using the cryptography key exchange protocol (Diffie-Hellman). The keys are then transferred from one card to the other.

This process is highly secure, employing a two-way attestation for mutual card authentication and 256-bit key encryption, making it resistant to man-in-the-middle attacks. This mechanism ensures that the private key can only be read and saved by the corresponding backup card, so that your phone, the DAU Vault application, or any other entity does not have access to the unexposed private key at any time or under any circumstances.