Create a key escrow user
The StoredSafe appliance can be configured with several key escrow users. A key escrow user holds a key that can decrypt all information stored in StoredSafe, and is used in an emergency to recover data that would otherwise be lost. The use of key escrow is entirely optional and completely up to each customer's discretion and policy.
Key escrow might be needed in several situations, such as:
A user forgets their login passphrase
A user with sole access to some information leaves the company
The StoredSafe appliance supports up to 100 simultaneous key escrow users.
Create a key escrow user
This process creates an escrow user for StoredSafe. It has several stages:
- Create a new GnuPG key pair
- Export the GnuPG secret key to a USB memory stick
- Import the GnuPG public key to StoredSafe
- Activate the new escrow user
Stage 1: Create a new GnuPG key pair
Full name <Not set>: Escrow User
Email <Not set>: escrow@corp.com
NOTE: Store this passphrase securely: together with the escrow secret key it can read all information in StoredSafe.
Passphrase: <passphrase stored on yubikey #1><passphrase stored on yubikey #2>
Re-enter passphrase: <passphrase stored on yubikey #1><passphrase stored on yubikey #2>
Press once on the Yubikey assigned to the key escrow user.
Yubikey client id <Not set>: cccccccxyzzyrbhtchtrunehdgihdglvlfdtgigevlek
Name: Escrow User
Email: escrow@corp.com
Passphrase: <not shown>
Yubikey client id: cccccccxyzzy
Is the above configuration correct? (<Y>/n):
Stage 2: Export the GnuPG secret key to a USB memory stick
Insert a USB disk and press enter when ready. Ready? (<Y>/n):
It is essential to the security of StoredSafe that the secret key is moved
(copied and then removed) off the appliance before the system is put into use.
Ready to copy the secret key to "/mnt/usb"? (<Y>/n):
Copying the secret key to "/mnt/usb/escrow.corp.com.sec.key"
Comparing SHA256 checksum on "secring.gpg" and "escrow.corp.com.sec.key" ... SHA256 checksum matches.
Ready to remove the GnuPG secret key from StoredSafe? (<Y>/n):
Successfully removed the GnuPG secret key from StoredSafe.
Stage 3: Import the GnuPG public key to StoredSafe
Ready to import the GnuPG public key for "Escrow User"? (<Y>/n):
Successfully imported the GnuPG public key for "Escrow User".
Stage 4: Activate the new escrow user
Import "Escrow User" into the StoredSafe user database table? (<Y>/n):
Successfully imported "Escrow User" into the StoredSafe user database table.
Press any key to continue
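The same four stages carried out with plain GnuPG, as an added example that is not StoredSafe's own wizard code: generate the escrow key pair unattended, export the secret key to the USB mount and compare SHA256 sums before deleting it from the local keyring, prove that the USB copy actually restores in a scratch keyring, and export the public key for import into StoredSafe. Assumed here: gpg 2.1 or later (which has no secring.gpg, so the checksum is taken on the exported file instead), sha256sum, a directory standing in for the USB stick, and the passphrase supplied in a variable (in practice the two YubiKey static passwords typed back to back). The function names, file names and the ESCROW_PASSPHRASE/USB variables are this example's own.

```shell
#!/bin/sh
# Added example: the StoredSafe escrow wizard's stages done with plain GnuPG
# (2.1 or later). Not StoredSafe's own code. Assumptions: the USB stick is the
# directory passed as usb_dir, the passphrase arrives in a variable, and
# Stage 4 (import into the StoredSafe user table) has no GnuPG equivalent.
set -eu
export GNUPGHOME="${GNUPGHOME:-$HOME/.gnupg}"

# Keyring directory exists and the agent accepts a passphrase passed on the
# command line (loopback) instead of opening a pinentry dialog.
escrow_gnupg_init() {
    mkdir -p "$GNUPGHOME"
    chmod 700 "$GNUPGHOME"
    grep -qs '^allow-loopback-pinentry' "$GNUPGHOME/gpg-agent.conf" ||
        printf 'allow-loopback-pinentry\n' >> "$GNUPGHOME/gpg-agent.conf"
    gpgconf --kill gpg-agent 2>/dev/null || true   # make the agent reread it
}

# Primary-key fingerprint (40 hex chars) for a user id.
escrow_fpr() {
    gpg --batch --with-colons --list-keys "$1" 2>/dev/null |
        awk -F: '$1 == "fpr" { print $10; exit }'
}

# Stage 1: unattended key pair generation; prints the fingerprint.
escrow_gen_key() {        # name email passphrase [bits]
    gpg --batch --no-tty --pinentry-mode loopback --gen-key <<EOF
Key-Type: RSA
Key-Length: ${4:-4096}
Subkey-Type: RSA
Subkey-Length: ${4:-4096}
Name-Real: $1
Name-Email: $2
Expire-Date: 0
Passphrase: $3
%commit
EOF
    escrow_fpr "$2"
}

# Stage 2a: export the still passphrase-protected secret key, copy it to the
# USB mount and refuse to continue unless both SHA256 sums agree.
escrow_export_secret() {  # email passphrase usb_dir
    tag=$(printf '%s' "$1" | tr '@' '.')          # escrow@corp.com -> escrow.corp.com
    scratch=$(mktemp)
    gpg --batch --no-tty --pinentry-mode loopback --passphrase "$2" \
        --armor --export-secret-keys "$1" > "$scratch"
    [ -s "$scratch" ] || { echo "export produced no key" >&2; return 1; }
    cp "$scratch" "$3/$tag.sec.key"
    a=$(sha256sum "$scratch" | cut -d' ' -f1)
    b=$(sha256sum "$3/$tag.sec.key" | cut -d' ' -f1)
    rm -f "$scratch"                               # scratch copy, not the keyring
    [ "$a" = "$b" ] || { echo "SHA256 mismatch on USB copy" >&2; return 1; }
}

# Restore test: a matching checksum proves a faithful copy, not a usable one.
# Import the USB copy into a throwaway keyring and compare fingerprints
# before the original is destroyed.
escrow_verify_copy() {    # secret_key_file fpr passphrase
    scratch=$(mktemp -d)
    got=$(
        export GNUPGHOME="$scratch"
        escrow_gnupg_init
        gpg --batch --no-tty --pinentry-mode loopback --passphrase "$3" \
            --import "$1" 2>/dev/null
        gpg --batch --with-colons --list-secret-keys 2>/dev/null |
            awk -F: '$1 == "fpr" { print $10; exit }'
        gpgconf --kill gpg-agent 2>/dev/null || true
    )
    rm -rf "$scratch"
    [ "$got" = "$2" ]
}

# Stage 2b: delete the secret key from the local keyring (batch mode requires
# the fingerprint) and check that no secret material is left behind.
escrow_delete_secret() {  # fpr
    gpg --batch --yes --delete-secret-keys "$1"
    ! gpg --batch --with-colons --list-secret-keys "$1" 2>/dev/null | grep -q '^sec:'
}

# Stage 3: the public key is what gets imported into StoredSafe.
escrow_export_public() {  # email usb_dir
    tag=$(printf '%s' "$1" | tr '@' '.')
    gpg --batch --armor --export "$1" > "$2/$tag.pub.key"
    [ -s "$2/$tag.pub.key" ]
}

# All stages in order; prints the fingerprint of the escrow key.
escrow_run() {            # name email passphrase usb_dir [bits]
    escrow_gnupg_init
    fpr=$(escrow_gen_key "$1" "$2" "$3" "${5:-4096}")
    escrow_export_secret "$2" "$3" "$4"
    escrow_verify_copy "$4/$(printf '%s' "$2" | tr '@' '.').sec.key" "$fpr" "$3"
    escrow_delete_secret "$fpr"
    escrow_export_public "$2" "$4"
    echo "$fpr"
}

# Stage 4 (importing the public key into the StoredSafe user table) is done on
# the appliance. Run with ESCROW_PASSPHRASE set and USB pointing at the mount.
if [ -n "${ESCROW_PASSPHRASE:-}" ]; then
    escrow_run "Escrow User" "escrow@corp.com" "$ESCROW_PASSPHRASE" "${USB:-/mnt/usb}"
fi
```

The order matters: the restore test runs against the USB copy while the original secret key still exists, so a corrupt or unreadable export is caught before anything is deleted. Pass the passphrase through the environment or a prompt, never on the command line of an interactive shell where it would land in the history.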