StoredSafe Secure Platform includes only one "user" account, this account is used during installation and configuration, maintenance and upgrades. This account has no direct privileges in the application or database rights, only privileges for system maintenance. The account password is 64 characters long and is set by the customer at the time of installation. This password is divided into two YubiKeys configured in the "static mode". This is to assure segregation of duty. To log in as system user the system administrator needs access to both keys as well as access to the console (optional SSH-access not recommended)
The system user can not access the system through the web interface.
This account has no permissions in the application, however the system user has indirect privileges in the database, as the database also partly is used by the system console gui.
The system user is not able to read or decrypt information stored in StoredSafe Secure Platform.
The overall system, uses a few other system accounts, upon delivery all passwords are changed by the customer according to a checklist. This is to ensure that no accounts have default password.
Escrow User Account¶
In case the optional escrow functionality is enabled, an escrow user will be enabled. The password of the private key of the escrow user will be distributed to two or optional more YubiKeys in static mode. the private key and password of the escrow user will be exported and transferred to USB memory stick as part of the checklist procedure. The key and password is also printed on paper to be stored in a safe, this is to ensure the ability to restore critical information in case the usb stick fails when needed.
We strongly recommend that escrow YubiKeys are not stored together but distributed to two persons (e.g. CSO and Compliance officer).