Create a key escrow user

The StoredSafe appliance can be configured with several key escrow users. A key escrow user can be used in an emergency situation to recover data that would otherwise be lost. The use of key escrow is entirely optional and completely up to each customer's discretion and policy.

Key escrow might be needed in several situations, such as:

  • A user forgets his login passphrase

  • A user with sole access to some information leaves the company

The StoredSafe appliance supports up to 100 simultaneous key escrow users.

Create a key escrow user

This process creates an escrow user for StoredSafe. It consists of several stages:

- Create a new GnuPG key pair
- Export the GnuPG secret key to a USB memory stick
- Import the GnuPG public key to StoredSafe
- Activate the new escrow user

Stage 1: Create a new GnuPG key pair

Full name <Not set>: Escrow User
Email <Not set>: escrow@corp.com

NOTE: Store this passphrase securely since it can potentially read all information in StoredSafe.

Passphrase: <passphrase stored on yubikey #1><passphrase stored on yubikey #2>
Re-enter passphrase: <passphrase stored on yubikey #1><passphrase stored on yubikey #2>

Press once on the Yubikey assigned to the key escrow user.
Yubikey client id <Not set>: cccccccxyzzyrbhtchtrunehdgihdglvlfdtgigevlek

Name: Escrow User
Email: escrow@corp.com
Passphrase: <not shown>
Yubikey client id: cccccccxyzzy

Is the above configuration correct? (<Y>/n):
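The prompt above derives the stored "Yubikey client id" from a single OTP press. As an added illustration (not StoredSafe's own code), the function below shows the structure behind that: a YubiKey OTP is 44 modhex characters (alphabet `cbdefghijklnrtuv`), of which the first 12 are the key's public identity and the remaining 32 are the encrypted one-time part. Only the public identity is worth persisting; the one-time part is single-use. Note that the id shown in the transcript, `cccccccxyzzy`, contains characters outside the modhex alphabet and is therefore a documentation placeholder, so the example uses a constructed OTP instead.

```python
# Added example, not part of the StoredSafe documentation or product code.
# Extract the public identity ("client id") from a YubiKey OTP string.
MODHEX_ALPHABET = "cbdefghijklnrtuv"   # the 16 characters a YubiKey OTP may contain
PUBLIC_ID_LEN = 12                     # leading public identity of the key
OTP_LEN = 44                           # 12 public id + 32 encrypted one-time part

# Constructed sample OTP for demonstration; not from a real key.
SAMPLE_OTP = "ccccccbcdefg" + "hijklnrtuvcbdefghijklnrtuvcbdefg"


def yubikey_public_id(otp: str) -> str:
    """Return the 12-character public id of an OTP, rejecting malformed input.

    Raises ValueError for anything that is not 44 modhex characters, so a
    typo, a truncated paste or a placeholder id never gets stored as a key id.
    """
    otp = otp.strip()
    if len(otp) != OTP_LEN:
        raise ValueError(f"expected a {OTP_LEN}-character OTP, got {len(otp)}")
    bad = sorted({c for c in otp if c not in MODHEX_ALPHABET})
    if bad:
        raise ValueError(f"non-modhex characters in OTP: {''.join(bad)}")
    # Only the public id is persisted; the trailing 32 characters are the
    # single-use encrypted counter block and must not be reused or saved.
    return otp[:PUBLIC_ID_LEN]


if __name__ == "__main__":
    print("Yubikey client id:", yubikey_public_id(SAMPLE_OTP))
```

The check is deliberately strict: a value that passes it is at least shaped like a real OTP, which is what you want before binding a hardware token to an account that can decrypt everything in the appliance.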

Stage 2: Export the GnuPG secret key to a USB memory stick

Insert a USB disk and press enter when ready. Ready? (<Y>/n):

It is essential to the system security of StoredSafe to ensure to
move (copy and remove) the secret keys manually before using the system.

Ready to copy the secret key to "/mnt/usb"? (<Y>/n):
Copying the secret key to "/mnt/usb/escrow.corp.com.sec.key"
Comparing SHA256 checksum on "secring.gpg" and "escrow.corp.com.sec.key" ... SHA256 checksum matches.

Ready to remove the GnuPG secret key from StoredSafe? (<Y>/n):
Successfully removed the GnuPG secret key from StoredSafe.
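Stage 2 is a copy, compare, remove sequence: the secret key is copied to the USB stick, the SHA256 checksums of source and copy are compared, and only then is the on-appliance copy removed. The following added example (not StoredSafe's own code) reproduces that sequence for an ordinary file so the ordering and the failure path can be exercised offline. The directory names and the file contents are constructed for the demo; the destination file name `escrow.corp.com.sec.key` is the one shown in the transcript.

```python
# Added example, not part of the StoredSafe documentation or product code.
# Copy a secret key file to removable media, verify the copy, then remove the
# source. The source is deleted only after the checksums match, so a failed
# copy can never leave you with no key at all.
import hashlib
import os
import shutil
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Stream the file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def export_and_remove_secret_key(src: Path, dst_dir: Path, dst_name: str):
    """Copy src to dst_dir/dst_name, verify, then remove src.

    Returns (sha256_hex, destination_path). On a checksum mismatch the
    incomplete copy is discarded, the source is left untouched and a
    RuntimeError is raised.
    """
    dst = dst_dir / dst_name
    if dst.exists():
        raise FileExistsError(f"refusing to overwrite existing {dst}")
    shutil.copyfile(src, dst)
    # Force the copy out to the removable device before trusting it.
    with dst.open("rb") as fh:
        os.fsync(fh.fileno())
    expected = sha256_of(src)
    actual = sha256_of(dst)
    if expected != actual:
        dst.unlink()
        raise RuntimeError(f"SHA256 mismatch: {expected} != {actual}; source kept")
    # Overwrite the source before unlinking so the key bytes are not simply
    # left in freed blocks. This is best effort: on journaling file systems
    # and SSDs an in-place overwrite does not guarantee the old data is gone.
    size = src.stat().st_size
    with src.open("rb+") as fh:
        fh.write(os.urandom(size))
        fh.flush()
        os.fsync(fh.fileno())
    src.unlink()
    return actual, dst


def demo() -> dict:
    """Run the sequence in a throwaway directory and report what happened."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        keyring = root / "appliance"      # hypothetical stand-in for the GnuPG home
        usb = root / "mnt_usb"            # hypothetical stand-in for /mnt/usb
        keyring.mkdir()
        usb.mkdir()
        secret = keyring / "secring.gpg"
        # Constructed placeholder content; a real secring.gpg is binary key material.
        secret.write_bytes(b"constructed stand-in for a GnuPG secret keyring\n" + os.urandom(256))
        before = sha256_of(secret)
        digest, copied = export_and_remove_secret_key(secret, usb, "escrow.corp.com.sec.key")
        return {
            "digest_matches": digest == before,
            "source_removed": not secret.exists(),
            "copy_exists": copied.exists(),
            "copy_name": copied.name,
        }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The order matters: compute the digest of the copy after an fsync, compare, and only then destroy the original. Reversing any two of those steps turns a flaky USB stick into a lost escrow key.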

Stage 3: Import the GnuPG public key to StoredSafe

Ready to import the GnuPG public key for "Escrow User"? (<Y>/n):
Successfully imported the GnuPG public key for "Escrow User".

Stage 4: Activate the new escrow user

Import "Escrow User" into the StoredSafe user database table? (<Y>/n):
Successfully imported "Escrow User" into the StoredSafe user database table.

Press any key to continue