Recover lost data using key escrow user

If a user has forgotten their passphrase, or a single user is the sole owner of information in StoredSafe and has left the company or is unavailable for other reasons, and key escrow has been configured by the customer, the otherwise lost data can be recovered using key escrow.

Perform data recovery using key escrow

What vault should be recovered?

1) Vault: "DMZ" (VID: 612a048c55b0a9b2521d6), Desc: "All servers and network equipment in our DMZ"
2) Vault: "Intranet" (VID: 62a6799350e0ede5255c4), Desc: "All servers and network equipment for our Intranet"

Select either by using Index Number or by the unique Vault-ID. Default is <Vault-ID>.
Index # or Vault-ID of Vault? (Q to quit, L to List, . to end input) <62a6799350e0ede5255c4>: 1
[Using Vault-ID: "612a048c55b0a9b2521d6"]

Vault:               DMZ
Vault-ID:            612a048c55b0a9b2521d6
Status:              128 (Active)
Password Policy:     7
Description:         All servers and network equipment in our DMZ
Members:
  User: "vergil" (User-ID: 62ac3b20395f29df3eb80), Permission: "Write"
  User: "jamey" (User-ID: 62ac3b20395f29df3eb80), Permission: "Read"
  User: "escrow4@stored.safe" (User-ID: 165507759456004K3a8ML), Permission: "Admin"

Recover vault "DMZ" (Vault-ID: 612a048c55b0a9b2521d6)? (<Y>/n): y
INFO: Marking vault "DMZ" (Vault-ID: 612a048c55b0a9b2521d6) for recovery by Escrow.

1) Vault: "DMZ" (VID: 612a048c55b0a9b2521d6), Desc: "All servers and network equipment in our DMZ"
2) Vault: "Intranet" (VID: 62a6799350e0ede5255c4), Desc: "All servers and network equipment for our Intranet"

Select either by using Index Number or by the unique Vault-ID. Default is <Vault-ID>.
Index # or Vault-ID of Vault? (Q to quit, L to List, . to end input) <62a6799350e0ede5255c4>: 2

Vault:               Intranet
Vault-ID:            62a6799350e0ede5255c4
Status:              128 (Active)
Password Policy:     7
Description:         All servers and network equipment for our Intranet
Members:
  User: "jamey" (User-ID: 62ac3b20395f29df3eb80), Permission: "Read"
  User: "escrow2@stored.safe" (User-ID: 165495448749091Ae68Lp), Permission: "Admin"
  User: "escrow4@stored.safe" (User-ID: 165507759456004K3a8ML), Permission: "Admin"

Recover vault "AAA-Escrow" (Vault-ID: 62a6799350e0ede5255c4)? (<Y>/n): y
INFO: Marking vault "AAA-Escrow" (Vault-ID: 62a6799350e0ede5255c4) for recovery by Escrow.

What vault should be recovered?

1) Vault: "DMZ" (VID: 612a048c55b0a9b2521d6), Desc: "All servers and network equipment in our DMZ"
2) Vault: "Intranet" (VID: 62a6799350e0ede5255c4), Desc: "All servers and network equipment for our Intranet"

Select either by using Index Number or by the unique Vault-ID. Default is <Vault-ID>.
Index # or Vault-ID of Vault? (Q to quit, L to List, . to end input) <62a6799350e0ede5255c4>: .
Selected Vault-ID 612a048c55b0a9b2521d6, 62a6799350e0ede5255c4 for recovery.

What user should inherit the recovered data?

1) User: "keiran" (UID: 627e25362b101a539ba05), Name: "Keiran Lenox"
2) User: "jamey" (UID: 61fae4d83fb1aff2366a9), Name: "Jamey Colin"
3) User: "vergil" (UID: 62ac3b20395f29df3eb80), Name: "Vergil Maverick"

Select either by using Index Number or by the unique User-ID. Default is <User-ID>.
Index # or User-ID of User? (Q to quit, L to list) <62ac3b20395f29df3eb80>: 1

Login:               keiran
User-ID (UID):       627e25362b101a539ba05
Fullname:            Keiran Lenox
Email:               keiran.lenox@corp.com
Yubikey clientid:    cccccccccccc
PGP Fingerprint:     1E1D24C4105AA2755F2E36BA5FFF62BD68F2357A
Capabilities:        129 (User, Active)
Vault membership:
  Vault: "DMZ" (Vault-ID: 61f1c7dc9862ee1cad760), Permission: "Write"
  Vault: "Intranet" (Vault-ID: 61f1c8adb4127e8dfc266), Permission: "Read"

Login:               vergil
Fullname:            Vergil Maverick
Email:               vergil.maverick@corp.com
Yubikey clientid:    cccccxyzzyy
PGP Fingerprint:     B5F2049839D4ED31AA872F33063C21BA95E66268
Permissions:         130 (Create vaults, Active)
Vault membership:    None (User belongs to no vaults)

Recover vault 1, 2 to user "Vergil Maverick"? (<Y>/n): Y

  1) Escrow User

What key escrow user should be used to recover the data? (q to quit) <5>:

Login:               escrow@corp.com
Fullname:            Escrow User
Email:               escrow@corp.com
Yubikey clientid:    cccccccxyzzy
PGP Fingerprint:     91F4357BF25CCEB02D51E9519C656F0BF6AC1EC9
Permissions:         16 (Escrow user)
Vault membership:    "DMZ" "Intranet"

Summary:

Use the key escrow user "Escrow User" (userid: 5) to recover the vaults 1, 2, and
assign the vaults to the user "Vergil Maverick" (userid: 4).

Next step:

The secret key for the escrow user is stored offsite and needs to be made
available for the recovery.

Please insert the USB key that was used to hold the secret key when the
escrow user was created.

Insert a USB disk and press enter when ready. Ready? (<Y>/n):

Available files in /mnt/usb:

escrow.corp.com.sec.key

What file holds the secret key for the escrow user "Escrow User"? <escrow.corp.com.sec.key>:

Enter the passphrase for the imported key. (PGP secret KeyID F6AC1EC9)
Passphrase: <press key escrow yubikey #1><press key escrow yubikey #2>
Re-enter passphrase: <press key escrow yubikey #1><press key escrow yubikey #2>

INFO: Recovered vault 1 to user "Vergil Maverick" via the key escrow user "Escrow User".
INFO: Recovered vault 2 to user "Vergil Maverick" via the key escrow user "Escrow User".
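The session above selects the vaults to recover, the user who inherits them and the escrow user, then loads the escrow secret key from the USB disk and unlocks it with the passphrase. The Python below is an added example, not StoredSafe's own code, that models the checks an operator would want performed before that secret key is used: it replays the "Index # or Vault-ID" selection rules from the prompts (1-based index or exact Vault-ID, "." ends input, "Q" aborts), derives the short KeyID shown at the passphrase prompt from the escrow user's fingerprint, and verifies that the key file belongs to the escrow user, that the escrow user carries the escrow permission, and that the escrow user is a member of every selected vault. The Vault and User records, the extra "HR" vault and the constant ESCROW_FLAG (taken from "Permissions: 16 (Escrow user)") are constructed from the transcript; the rule that a vault can only be recovered if the escrow user is a member of it is an assumption suggested by the membership listings, not something the page states.

```python
import re
from dataclasses import dataclass

# Constructed model of the recovery pre-flight checks; not StoredSafe code.


@dataclass(frozen=True)
class Vault:
    vault_id: str
    name: str
    members: dict  # login -> permission string, as printed under "Members:"


@dataclass(frozen=True)
class User:
    login: str
    pgp_fingerprint: str  # 40 hex digits, as printed under "PGP Fingerprint:"
    permissions: int      # bitmask; "16 (Escrow user)" in the transcript


ESCROW_FLAG = 16  # assumed bit value, taken from "Permissions: 16 (Escrow user)"
FPR_RE = re.compile(r"^[0-9A-F]{40}$")

# Sample data constructed from the transcript (the "HR" vault is invented to
# show a vault the escrow user cannot recover).
VAULTS = [
    Vault("612a048c55b0a9b2521d6", "DMZ",
          {"vergil": "Write", "jamey": "Read", "escrow@corp.com": "Admin"}),
    Vault("62a6799350e0ede5255c4", "Intranet",
          {"jamey": "Read", "escrow@corp.com": "Admin"}),
    Vault("0000000000000000000aa", "HR", {"keiran": "Write"}),
]
ESCROW = User("escrow@corp.com", "91F4357BF25CCEB02D51E9519C656F0BF6AC1EC9", ESCROW_FLAG)
HEIR = User("vergil", "B5F2049839D4ED31AA872F33063C21BA95E66268", 130)


def select_vaults(inputs, vaults=VAULTS):
    """Replay the 'Index # or Vault-ID of Vault?' prompt over a list of answers.
    Digits are a 1-based index, anything else must be an exact Vault-ID,
    'L' only lists, '.' ends input and 'Q' aborts (returns an empty list).
    Returns the ordered, de-duplicated Vault-IDs chosen for recovery."""
    by_id = {v.vault_id: v for v in vaults}
    chosen = []
    for raw in inputs:
        token = raw.strip()
        if token.lower() == "q":
            return []
        if token == ".":
            break
        if token.lower() == "l":
            continue  # listing is display-only, nothing is selected
        if token.isdigit():
            idx = int(token)
            if not 1 <= idx <= len(vaults):
                raise ValueError(f"index out of range: {token}")
            vid = vaults[idx - 1].vault_id
        elif token in by_id:
            vid = token
        else:
            raise ValueError(f"unknown vault selection: {token}")
        if vid not in chosen:
            chosen.append(vid)
    return chosen


def key_id_from_fingerprint(fpr):
    """The 'PGP secret KeyID' printed at the passphrase prompt is the low
    32 bits of the OpenPGP v4 fingerprint, i.e. its last 8 hex digits."""
    fpr = fpr.replace(" ", "").upper()
    if not FPR_RE.match(fpr):
        raise ValueError("not a 160-bit OpenPGP v4 fingerprint")
    return fpr[-8:]


def preflight(vault_ids, escrow, heir, key_file_fpr, vaults=VAULTS):
    """Return the reasons a recovery must not proceed; an empty list means OK.
    key_file_fpr is the fingerprint read from the secret key file on the USB
    disk, which must match the escrow user shown in the selection step."""
    problems = []
    by_id = {v.vault_id: v for v in vaults}
    if not escrow.permissions & ESCROW_FLAG:
        problems.append(f"{escrow.login} does not carry the escrow permission")
    if heir.login == escrow.login:
        problems.append("inheriting user must be a regular user, not the escrow user")
    if key_file_fpr.replace(" ", "").upper() != escrow.pgp_fingerprint:
        problems.append("secret key file fingerprint does not match the escrow user")
    for vid in vault_ids:
        vault = by_id.get(vid)
        if vault is None:
            problems.append(f"unknown vault {vid}")
        elif escrow.login not in vault.members:
            # Assumption: the escrow user can only decrypt vaults it is a member of.
            problems.append(f"escrow user is not a member of vault {vault.name!r}")
    return problems


if __name__ == "__main__":
    ids = select_vaults(["1", "2", "."])
    print("selected:", ids)
    print("KeyID:", key_id_from_fingerprint(ESCROW.pgp_fingerprint))
    print("problems:", preflight(ids, ESCROW, HEIR, ESCROW.pgp_fingerprint))
```

Running the block with the transcript's choices ("1", "2", ".") selects both vaults, reports KeyID F6AC1EC9 (matching the passphrase prompt on the page) and no problems; feeding it the constructed "HR" vault or a key file with the wrong fingerprint returns the reasons to stop before the passphrase is entered.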