StoredSafe System Administration Guide

System administration is mainly done on the system console connected to the StoredSafe appliance, it is possible to enable remote login over SSH, but for security reasons it's use is discouraged unless absolutely necessary, such as when a HA pair is geographically dispersed.

Conventions used

Press Q to exit from one menu to another. If you press Q from the top level menu Main, you will be logged out from the Console.

Any prompts with text contained between angle brackets, such as "Confirm (<Y>/N)?", will indicate the standard answer if just a return is entered.

Logon to the System Console

Logon to the system console as the user "storedsafe", the initial password is "changeme".

StoredSafe recommends you change the default password to a strong password using the 2 supplied yubikeys for this purpose.

If the default password has been changed according to the StoredSafe recommendations, you will have 2 yubikeys containing the password for the "storedsafe" user. This is to make it possible to facilitate "Dual Control", since each yubikey contains one piece of the password needed to authenticate as the "storedsafe" user. Typically one key is given to the CIO and the other key to the CSO.

On the console, press return a couple of times until you see a "login:" prompt. Enter "storedsafe" at the login prompt and at the "Password:" prompt insert the first yubikey (marked "Console login 1") and press the button on the yubikey, remove the first yubikey and insert the second yubikey marked "Console login 2". The second key is programmed to emit a 32 character long password and finally transmit a return.

Navigating the Console Menu

As soon as you have logged in you will see the initial StoredSafe console application, with the following options:

│           StoredSafe Console on node1 (Version 2.x.x build xxxx)           │

│1│User Management                                                           │
│2│System Settings                                                           │
│3│Module Settings                                                           │
│4│Provisioning                                                              │

Move the cursor or enter a it's corresponding number (Q to Quit)              


1. User Management

  • Manage StoredSafe Users and Vaults (List users & vaults, Replace a lost Yubikey)
  • Password policy for user login passphrases
  • Everything needed for Key Escrow (Creating Key Escrow users, Performing Key Escrow)
  • Undeleting Vaults or Objects

2. System Settings

  • Network management (IPv4, IPv6 settings, DNS, SNMP, NTP, syslog, NIC settings, hostname of the appliance)
  • Web GUI settings (Timeout and MOTD)
  • Manage Backup settings (PGP and SSH keys, Backup configuration, Backup tests)
  • Storage Management (Manage USB disks, Examine available disk space)
  • Service Management (Web, NTP and SNMP)
  • Firmware Management (Install new firmware, select firmware to boot)
  • Database Maintenance (Check or repair a database)
  • Appliance Maintenance (View installed features, Audit filesystem, Reboot or Halt appliance)

3. Module Settings

  • Password module management (If installed)
  • File module management (If installed)
  • Certificate module management (If installed)
  • RADIUS module management (If installed)
  • HA module management (If installed)

4. Provisioning

System features needed to provision (install) a newly deployed StoredSafe appliance.

  • Access the provisioning wizard
  • Change password on Service accounts
  • Generate new SSH host keys
  • Manage Web Server Settings (Review or install X.509 certificate)
  • Manage 2FA settings for Yubikeys and the YubiHSM
  • View or install System features
  • Enable or disable the system install script

You can either navigate with the arrow keys on the keyboard or use the keyboard shortcut to select a menu item. In the example above, pressing the digit 2 on the keyboard takes you directly to the System Settings menu.