.. _recover_lost_data_using_key_escrow_user:

Recover lost data using key escrow user
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

If a user has forgotten their passphrase, or is the sole owner of information in StoredSafe and has left the company or is otherwise unavailable, and the customer has configured key escrow, the otherwise lost data can be recovered using the key escrow user. The recovery marks the affected vaults for recovery, selects the user who is to inherit the data, and then uses the escrow user's PGP secret key, which is kept offsite on the USB key created together with the escrow user, to recover the vaults:

::

   Perform data recovery using key escrow

   What vault should be recovered?

   1) Vault: "DMZ" (VID: 612a048c55b0a9b2521d6), Desc: "All servers and network equipment in our DMZ"
   2) Vault: "Intranet" (VID: 62a6799350e0ede5255c4), Desc: "All servers and network equipment for our Intranet"

   Select either by using Index Number or by the unique Vault-ID. Default is .
   Index # or Vault-ID of Vault? (Q to quit, L to List, . to end input) <62a6799350e0ede5255c4>: 1

   [Using Vault-ID: "612a048c55b0a9b2521d6"]

   Vault:           DMZ
   Vault-ID:        612a048c55b0a9b2521d6
   Status:          128 (Active)
   Password Policy: 7
   Description:     All servers and network equipment in our DMZ
   Members:
     User: "vergil" (User-ID: 62ac3b20395f29df3eb80), Permission: "Write"
     User: "jamey" (User-ID: 61fae4d83fb1aff2366a9), Permission: "Read"
     User: "escrow4@stored.safe" (User-ID: 165507759456004K3a8ML), Permission: "Admin"

   Recover vault "DMZ" (Vault-ID: 612a048c55b0a9b2521d6)? (y/n): y
   INFO: Marking vault "DMZ" (Vault-ID: 612a048c55b0a9b2521d6) for recovery by Escrow.

   1) Vault: "DMZ" (VID: 612a048c55b0a9b2521d6), Desc: "All servers and network equipment in our DMZ"
   2) Vault: "Intranet" (VID: 62a6799350e0ede5255c4), Desc: "All servers and network equipment for our Intranet"

   Select either by using Index Number or by the unique Vault-ID. Default is .
   Index # or Vault-ID of Vault? (Q to quit, L to List, . to end input) <62a6799350e0ede5255c4>: 2

   Vault:           Intranet
   Vault-ID:        62a6799350e0ede5255c4
   Status:          128 (Active)
   Password Policy: 7
   Description:     All servers and network equipment for our Intranet
   Members:
     User: "jamey" (User-ID: 61fae4d83fb1aff2366a9), Permission: "Read"
     User: "escrow2@stored.safe" (User-ID: 165495448749091Ae68Lp), Permission: "Admin"
     User: "escrow4@stored.safe" (User-ID: 165507759456004K3a8ML), Permission: "Admin"

   Recover vault "Intranet" (Vault-ID: 62a6799350e0ede5255c4)? (y/n): y
   INFO: Marking vault "Intranet" (Vault-ID: 62a6799350e0ede5255c4) for recovery by Escrow.

   What vault should be recovered?

   1) Vault: "DMZ" (VID: 612a048c55b0a9b2521d6), Desc: "All servers and network equipment in our DMZ"
   2) Vault: "Intranet" (VID: 62a6799350e0ede5255c4), Desc: "All servers and network equipment for our Intranet"

   Select either by using Index Number or by the unique Vault-ID. Default is .
   Index # or Vault-ID of Vault? (Q to quit, L to List, . to end input) <62a6799350e0ede5255c4>: .

   Selected Vault-ID 612a048c55b0a9b2521d6, 62a6799350e0ede5255c4 for recovery.

   What user should inherit the recovered data?

   1) User: "keiran" (UID: 627e25362b101a539ba05), Name: "Keiran Lenox"
   2) User: "jamey" (UID: 61fae4d83fb1aff2366a9), Name: "Jamey Colin"
   3) User: "vergil" (UID: 62ac3b20395f29df3eb80), Name: "Vergil Maverick"

   Select either by using Index Number or by the unique User-ID. Default is .
   Index # or User-ID of User? (Q to quit, L to list) <62ac3b20395f29df3eb80>: 3

   Login:            vergil
   User-ID (UID):    62ac3b20395f29df3eb80
   Fullname:         Vergil Maverick
   Email:            vergil.maverick@corp.com
   Yubikey clientid: cccccxyzzyy
   PGP Fingerprint:  B5F2049839D4ED31AA872F33063C21BA95E66268
   Permissions:      130 (Create vaults, Active)
   Vault membership:
     Vault: "DMZ" (Vault-ID: 612a048c55b0a9b2521d6), Permission: "Write"

   Recover vault 1, 2 to user "Vergil Maverick"? (y/n): y

   1) Escrow User

   What key escrow user should be used to recover the data? (q to quit) <5>:

   Login:            escrow@corp.com
   Fullname:         Escrow User
   Email:            escrow@corp.com
   Yubikey clientid: cccccccxyzzy
   PGP Fingerprint:  91F4357BF25CCEB02D51E9519C656F0BF6AC1EC9
   Permissions:      16 (Escrow user)
   Vault membership: "DMZ" "Intranet"

   Summary: Use the key escrow user "Escrow User" (userid: 5) to recover the vaults 1, 2,
   and assign the vaults to the user "Vergil Maverick" (userid: 4).

   Next step: The secret key for the escrow user is stored offsite and needs to be made
   available for the recovery. Please insert the USB key that was used to hold the secret
   key when the escrow user was created.

   Insert a USB disk and press enter when ready.
   Ready? (y/n): y

   Available files in /mnt/usb:
     escrow.corp.com.sec.key

   What file holds the secret key for the escrow user "Escrow User"? : escrow.corp.com.sec.key

   Enter the passphrase for the imported key. (PGP secret KeyID F6AC1EC9)
   Passphrase:
   Re-enter passphrase:

   INFO: Recovered vault 1 to user "Vergil Maverick" via the key escrow user "Escrow User".
   INFO: Recovered vault 2 to user "Vergil Maverick" via the key escrow user "Escrow User".

Only vaults in which the key escrow user is a member (listed with ``Admin`` permission above) can be recovered this way, so a vault created without the escrow user as a member is not recoverable after its last owner is gone. The recovery needs both the escrow user's PGP secret key from the offsite USB key and the passphrase protecting it; together they give access to every escrowed vault, so treat that USB key and passphrase as break-glass material with controlled access, and confirm the secret key's KeyID matches the escrow user's recorded fingerprint before entering the passphrase.
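The transcript above shows the two conditions the recovery depends on: the escrow user must be a member of the vault, and the secret key on the USB key must be the escrow user's key. The following is an added example written for this page (it is not StoredSafe code or part of its tooling) that parses a vault listing in the format shown, reports which vaults a given escrow user could recover, and checks that the PGP KeyID announced when the secret key is imported is the suffix of the escrow user's recorded fingerprint. The sample listing is constructed from the transcript; the ``Finance`` vault and its ID are made up to show a vault the escrow user cannot recover.

```python
import re
from dataclasses import dataclass, field

# Constructed sample in the format of the recovery transcript on this page.
# "Finance" and its Vault-ID are invented to show a non-recoverable vault.
SAMPLE_LISTING = """\
Vault: DMZ
Vault-ID: 612a048c55b0a9b2521d6
Status: 128 (Active)
Members:
  User: "vergil" (User-ID: 62ac3b20395f29df3eb80), Permission: "Write"
  User: "jamey" (User-ID: 61fae4d83fb1aff2366a9), Permission: "Read"
  User: "escrow4@stored.safe" (User-ID: 165507759456004K3a8ML), Permission: "Admin"
Vault: Intranet
Vault-ID: 62a6799350e0ede5255c4
Status: 128 (Active)
Members:
  User: "jamey" (User-ID: 61fae4d83fb1aff2366a9), Permission: "Read"
  User: "escrow2@stored.safe" (User-ID: 165495448749091Ae68Lp), Permission: "Admin"
  User: "escrow4@stored.safe" (User-ID: 165507759456004K3a8ML), Permission: "Admin"
Vault: Finance
Vault-ID: 000000000000000000000
Status: 128 (Active)
Members:
  User: "keiran" (User-ID: 627e25362b101a539ba05), Permission: "Admin"
"""

# One member line: User: "login" (User-ID: ...), Permission: "Perm"
MEMBER_RE = re.compile(
    r'User:\s*"(?P<login>[^"]+)"\s*\(User-ID:\s*(?P<uid>[^)]+)\),\s*'
    r'Permission:\s*"(?P<perm>[^"]+)"'
)


@dataclass
class Vault:
    name: str
    vault_id: str
    members: dict = field(default_factory=dict)  # login -> permission


def parse_vaults(text):
    """Parse 'Vault:' blocks and their 'Members:' lines into Vault objects."""
    vaults = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Vault:"):
            current = Vault(name=line.split(":", 1)[1].strip(), vault_id="")
            vaults.append(current)
        elif line.startswith("Vault-ID:") and current is not None:
            current.vault_id = line.split(":", 1)[1].strip()
        else:
            m = MEMBER_RE.search(line)
            if m and current is not None:
                current.members[m["login"]] = m["perm"]
    return vaults


def recoverable_by(vaults, escrow_login):
    """Names of vaults the escrow user is a member of with Admin permission."""
    return [v.name for v in vaults if v.members.get(escrow_login) == "Admin"]


def key_matches_fingerprint(fingerprint, key_id):
    """True if key_id (8- or 16-digit hex, optional 0x) is the suffix of a v4 fingerprint.

    For OpenPGP v4 keys the short and long KeyIDs are the last 32 and 64 bits
    of the 160-bit fingerprint, so a mismatch means the wrong key file.
    """
    fp = re.sub(r"\s+", "", fingerprint).upper()
    kid = key_id.upper()
    if kid.startswith("0X"):
        kid = kid[2:]
    if not re.fullmatch(r"[0-9A-F]{40}", fp):
        return False
    if not re.fullmatch(r"[0-9A-F]{8}|[0-9A-F]{16}", kid):
        return False
    return fp.endswith(kid)


if __name__ == "__main__":
    vaults = parse_vaults(SAMPLE_LISTING)
    print("recoverable by escrow4@stored.safe:",
          recoverable_by(vaults, "escrow4@stored.safe"))
    print("KeyID F6AC1EC9 matches escrow fingerprint:",
          key_matches_fingerprint("91F4357BF25CCEB02D51E9519C656F0BF6AC1EC9", "F6AC1EC9"))
```

Run the check before typing the passphrase: if the KeyID the tool announces is not the suffix of the escrow user's fingerprint, the USB key holds a different secret key and the recovery will not work. A short 32-bit KeyID is cheap to collide, so where the key file's full fingerprint is available compare that instead of the 8-digit form.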