Create a key escrow user
The StoredSafe appliance can be configured with several key escrow users. The key escrow
user(s) can be used in an emergency situation to recover otherwise lost data. The use
of key escrow is entirely optional and completely up to each customer's discretion and policy.
Key escrow might be needed in several situations, such as:
- A user forgets his login passphrase
- A user with sole access to some information leaves the company
The StoredSafe appliance supports up to 100 simultaneous key escrow users.
Create a key escrow user

This process will create an escrow user for StoredSafe; it is a process in several stages:
- Create a new GnuPG key pair
- Export the GnuPG secret key to a USB memory stick
- Import the GnuPG public key to StoredSafe
- Activate the new escrow user

Stage 1: Create a new GnuPG key pair

    Full name <Not set>: Escrow User
    Email <Not set>: firstname.lastname@example.org
    NOTE: Store this passphrase securely since it can potentially read all information in StoredSafe.
    Passphrase: <passphrase stored on yubikey #1><passphrase stored on yubikey #2>
    Re-enter passphrase: <passphrase stored on yubikey #1><passphrase stored on yubikey #2>
    Press once on the Yubikey assigned to the key escrow user.
    Yubikey client id <Not set>: cccccccxyzzyrbhtchtrunehdgihdglvlfdtgigevlek
    Name: Escrow User
    Email: email@example.com
    Passphrase: <not shown>
    Yubikey client id: cccccccxyzzy
    Is the above configuration correct? (<Y>/n):

Stage 2: Export the GnuPG secret key to a USB memory stick

    Insert a USB disk and press enter when ready.
    Ready? (<Y>/n):
    It is essential to the system security of StoredSafe to ensure to move (copy and remove) the secret keys manually before using the system.
    Ready to copy the secret key to "/mnt/usb"? (<Y>/n):
    Copying the secret key to "/mnt/usb/escrow.corp.com.sec.key"
    Comparing SHA256 checksum on "secring.gpg" and "escrow.corp.com.sec.key" ... SHA256 checksum matches.
    Ready to remove the GnuPG secret key from StoredSafe? (<Y>/n):
    Successfully removed the GnuPG secret key from StoredSafe.

Stage 3: Import the GnuPG public key to StoredSafe

    Ready to import the GnuPG public key for "Escrow User"? (<Y>/n):
    Successfully imported the GnuPG public key for "Escrow User".

Stage 4: Activate the new escrow user

    Import "Escrow User" into the StoredSafe user database table? (<Y>/n):
    Successfully imported "Escrow User" into the StoredSafe user database table.
    Press any key to continue
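Stage 2 copies the secret key to removable media, compares SHA256 checksums and only then removes the original from the appliance. The shell function below is added here as an illustration of that copy-verify-remove step and is not StoredSafe's own tooling; the file paths and the sample key contents in the comments are assumptions, and the function keeps the original in place if the checksums differ.

```shell
#!/bin/sh
# Added example, not StoredSafe's code: move a secret key file to escrow media
# the way stage 2 does, verifying the copy by SHA256 before the original is removed.
# Paths are assumptions, e.g. src=secring.gpg, dst=/mnt/usb/escrow.corp.com.sec.key
escrow_export() {
    src="$1"
    dst="$2"
    [ -f "$src" ] || { echo "source missing: $src" >&2; return 1; }
    cp "$src" "$dst" || return 1
    # sha256sum prints "<hash>  <file>"; keep only the hash for comparison
    s=$(sha256sum "$src" | cut -d' ' -f1)
    d=$(sha256sum "$dst" | cut -d' ' -f1)
    if [ "$s" != "$d" ]; then
        # a bad copy must not lead to the only copy of the key being deleted
        echo "SHA256 mismatch between $src and $dst, keeping original" >&2
        rm -f "$dst"
        return 2
    fi
    echo "SHA256 checksum matches."
    rm -f "$src" || return 1
    echo "Removed $src from the appliance."
    return 0
}
```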