Recover lost data using key escrow user
If a user has forgotten their passphrase, or a single user is the only owner of
information in StoredSafe and has left the company or is unavailable for other
reasons, the otherwise lost data can be recovered using key escrow, provided that
key escrow has been configured by the customer.
The recovery is performed interactively from the StoredSafe administration tool. The session below selects the vaults to recover, the user who inherits them and the key escrow user whose key unlocks them:

    Perform data recovery using key escrow

    1) DMZ         All servers and network equipment in our DMZ
    2) Intranet    All servers and network equipment for our Intranet

    What vault should be recovered? (. to end selection or q to quit) <2>: 1

    Vaultname:        DMZ
    Status:           128 (Active)
    Password policy:  7
    Description:      All servers and network equipment in our DMZ
    Members:          "Keiran Lenox" "Jamey Colin" "Escrow User"

    Recover vault "DMZ" (vault 1)? (<Y>/n):

    1) DMZ         All servers and network equipment in our DMZ
    2) Intranet    All servers and network equipment for our Intranet

    What vault should be recovered? (. to end selection or q to quit) <2>: 2

    Vaultname:        Intranet
    Status:           128 (Active)
    Password policy:  7
    Description:      All servers and network equipment for our Intranet
    Members:          "Keiran Lenox" "Jamey Colin" "Escrow User"

    Recover vault "Intranet" (vault 2)? (<Y>/n):

    1) DMZ         All servers and network equipment in our DMZ
    2) Intranet    All servers and network equipment for our Intranet

    What vault should be recovered? (. to end selection or q to quit) <2>: .

    Selected vault 1, 2 for recovery.

    2) Keiran Lenox
    3) Jamey Colin
    4) Vergil Maverick

    What user should inherit the recovered data? (q to quit) <4>: 4

    Login:            vergil
    Fullname:         Vergil Maverick
    Email:            vergil.maverick@corp.com
    Yubikey clientid: cccccxyzzyy
    PGP Fingerprint:  B5F2049839D4ED31AA872F33063C21BA95E66268
    Permissions:      130 (Create vaults, Active)
    Vault membership: None (User belongs to no vaults)

    Recover vault 1, 2 to user "Vergil Maverick"? (<Y>/n): Y

    5) Escrow User

    What key escrow user should be used to recover the data? (q to quit) <5>:

    Login:            escrow@corp.com
    Fullname:         Escrow User
    Email:            escrow@corp.com
    Yubikey clientid: cccccccxyzzy
    PGP Fingerprint:  91F4357BF25CCEB02D51E9519C656F0BF6AC1EC9
    Permissions:      16 (Escrow user)
    Vault membership: "DMZ" "Intranet"

    Summary: Use the key escrow user "Escrow User" (userid: 5) to recover the vaults 1, 2,
    and assign the vaults to the user "Vergil Maverick" (userid: 4).

The secret key for the escrow user is stored offsite and must be made available for the recovery. The tool then asks for the USB key that held the secret key when the escrow user was created, and for the passphrase protecting that key:

    Next step: The secret key for the escrow user is stored offsite and needs to be
    made available for the recovery. Please insert the USB key that was used to hold
    the secret key when the escrow user was created.

    Insert a USB disk and press enter when ready.
    Ready? (<Y>/n):

    Available files in /mnt/usb:
    escrow.corp.com.sec.key

    What file holds the secret key for the escrow user "Escrow User"? <escrow.corp.com.sec.key>:

    Enter the passphrase for the imported key. (PGP secret KeyID F6AC1EC9)
    Passphrase: <press key escrow yubikey #1><press key escrow yubikey #2>
    Re-enter passphrase: <press key escrow yubikey #1><press key escrow yubikey #2>

    INFO: Recovered vault 1 to user "Vergil Maverick" via the key escrow user "Escrow User".
    INFO: Recovered vault 2 to user "Vergil Maverick" via the key escrow user "Escrow User".
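Before entering the passphrase it is worth confirming that the key being unlocked really belongs to the selected escrow user and that this user is a member of every vault being recovered. The following Python check is an added example, not StoredSafe code or part of the original page: it parses the `Field: value` records exactly as the session prints them, derives the short KeyID from the escrow user's PGP fingerprint (the low 32 bits of a v4 fingerprint, so `F6AC1EC9` must be the tail of `91F4...1EC9`), and verifies the membership and permission fields. The record texts are constructed from the session above.

```python
import re

# Constructed from the session above: the escrow user's record, the selected
# vault records and the KeyID the passphrase prompt reported.
ESCROW_USER = """\
Login:            escrow@corp.com
Fullname:         Escrow User
PGP Fingerprint:  91F4357BF25CCEB02D51E9519C656F0BF6AC1EC9
Permissions:      16 (Escrow user)
Vault membership: "DMZ" "Intranet"
"""
VAULTS = {
    1: 'Vaultname: DMZ\nStatus: 128 (Active)\nMembers: "Keiran Lenox" "Jamey Colin" "Escrow User"',
    2: 'Vaultname: Intranet\nStatus: 128 (Active)\nMembers: "Keiran Lenox" "Jamey Colin" "Escrow User"',
}
PROMPT_KEY_ID = "F6AC1EC9"

def parse_record(text):
    """Turn the tool's 'Field: value' lines into a dict (first colon splits)."""
    rec = {}
    for line in text.splitlines():
        key, _, value = line.partition(":")
        rec[key.strip()] = value.strip()
    return rec

def quoted_names(value):
    """Extract the double-quoted names from a Members / Vault membership value."""
    return re.findall(r'"([^"]*)"', value)

def key_id_from_fingerprint(fingerprint, long_id=False):
    """Short (32-bit) or long (64-bit) OpenPGP key ID: low-order bytes of a v4 fingerprint."""
    fp = fingerprint.replace(" ", "").upper()
    if len(fp) != 40 or any(c not in "0123456789ABCDEF" for c in fp):
        raise ValueError("expected a 40-hex-digit OpenPGP v4 fingerprint")
    return fp[-16:] if long_id else fp[-8:]

def preflight(escrow_text, vault_texts, prompt_key_id):
    """Return a list of problems; an empty list means the recovery plan is consistent."""
    escrow = parse_record(escrow_text)
    problems = []
    if not escrow["Permissions"].startswith("16 "):
        problems.append("selected account is not an escrow user (Permissions != 16)")
    if key_id_from_fingerprint(escrow["PGP Fingerprint"]) != prompt_key_id.upper():
        problems.append("passphrase prompt KeyID does not match the escrow user's fingerprint")
    memberships = quoted_names(escrow["Vault membership"])
    for vid, text in vault_texts.items():
        vault = parse_record(text)
        if vault["Vaultname"] not in memberships or escrow["Fullname"] not in quoted_names(vault["Members"]):
            problems.append(f"escrow user is not a member of vault {vid} ({vault['Vaultname']})")
    return problems
```

A KeyID mismatch at the passphrase prompt means the wrong secret key file was chosen from the USB disk; a membership failure means the escrow user was never added to that vault and its data cannot be recovered this way.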