How to manage the master key
In this document, you’ll find a step-by-step guide on how to configure the Master Key in senhasegura.
Requirements
- Have a System Administrator role.
Define master key
To define the master key, you should follow the steps below:
This step is also called the Master Key Ceremony.
- On senhasegura, in the upper-left corner, click the Grid Menu, represented by nine squares, and select Settings.
- In the side menu, select Backup > Set master key.
- When you click on Set master key, the Master key definition window will open.
- In this window, fill in the following fields:
- Number of parts to Restore: indicates the number of parts needed to recover the master key.
- The minimum number of parts is 2, and the maximum is 10.
- Guardians: from the drop-down menu, select the user who should be one of the guardians of the Master Key.
- To add more Guardian users, click on the plus sign next to the word Add above the Guardians drop-down menu.
Info: A recommended practice is to select between two and three times more guardians than key parts.
- Click on Generate New Key.
The electronic vault's master key is used to encrypt backup files created by the application. These files are encrypted using the AES algorithm with a 256-bit key and can be decrypted using the AESCrypt application.
Set a new master key
If necessary, you can redefine the Master Key. To redefine the Master Key, you have two paths:
Master key ceremony report
- In senhasegura, in the upper left corner, click on Grid Menu, represented by nine squares, and select Settings.
- In the side menu, select Backup > Master Key Ceremony.
- In the Set key ceremony report, click on Define new master key.
Set a new master key
- On senhasegura, in the upper-left corner, click on Grid Menu, represented by nine squares, and select Settings.
- In the side menu, select Backup > Define master key.
In both cases, the Master key definition window will open. When you define a new master key, however, this window has an additional section. To redefine the master key, follow the steps below:
- In the Current key section:
- Key mode: select whether you want to use Parts or Complete Key for your Master Key.
- Complete Key: if you choose the Complete Key option, you must fill in the Master Key field with the master key's value. In this case, the Key Parts field is locked.
Info: To access the complete key, you must join the key parts at https://breakglass.senhasegura.com/. For more information, see the Restore master key section at the end of this document.
- Key Parts (one per line): if you choose the Parts option, enter in this field the parts that make up the Master Key. Each part should be placed on a separate line. In this case, the Master Key field is locked.
- In the New key section, follow the same instructions as in the previous section of this document.
- Click on Generate New Key.
Information about the Guardian user
- These users will be informed by email, notification, or SMS that they have been chosen to guard one of the key parts, so it’s important that the selected Guardians have at least their emails registered in the system.
- The user cannot be the guardian of more than one part of the key.
Monitor the progress of the master key ceremony
It is possible to monitor the progress of the Master Key Ceremony. To do this, follow the steps below:
To finalize the Master Key Ceremony process, the guardian user must view and/or download the .pdf file containing the master key.
- Access, through the side menu, Settings > Backup > Master key ceremony.
- In the Master key ceremony report, you can follow the process.
- The fields are:
- Name: indicates the name of the user, as registered in senhasegura.
- Phone: indicates the user's phone, as registered in senhasegura.
- Email: indicates the user's email address.
- It is important that the user has an email registered in senhasegura to receive the guardian notification.
- Ceremony: indicates the state of the master key ceremony. It can assume the values Pending or Finished.
- User status: indicates the user's status within senhasegura. It can assume the values Enabled or Disabled.
- Last login: indicates the date and time of the user's last login. It is displayed in the format DD/MM/YYYY HH:MM:SS.
- Last part view: indicates the date and time of the user's last view in relation to the key part they are guardian of. It is displayed in the format DD/MM/YYYY HH:MM:SS.
- Last part download: indicates the date and time of the last download made by the user of the key part they are guardian of. It is displayed in the format DD/MM/YYYY HH:MM:SS.
- On the left side of the report, you find information about the master key ceremony. The information is:
- Status: indicates the overall status of the ceremony. The status is only completed when all guardian users have viewed and/or downloaded their part of the master key. It can assume the values Pending or Finished.
- Parts to restore: indicates how many parts are needed for the restoration of the master key.
- Start: indicates the date and time of the start of the master key ceremony.
- End: indicates the date and time of the end of the master key ceremony. If it has not yet been completed, the field will show only --.
- Set new master key: link to define a new master key. Opens the Master key definition window to restart the process.
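A readiness check over the ceremony report fields described above, as an added example that is not senhasegura code: it counts the guardians the report shows as Enabled with the ceremony Finished and compares that count with Parts to restore. The rows are constructed sample data (the page describes no export format), and the dictionary layout, the function names, the treatment of -- as an empty timestamp and the 90-day login threshold are assumptions.

```python
from datetime import datetime

FMT = "%d/%m/%Y %H:%M:%S"  # DD/MM/YYYY HH:MM:SS, as shown in the report

# Constructed sample rows; keys mirror the report columns (layout is an assumption).
REPORT = [
    {"Name": "alice", "Email": "alice@example.com", "Ceremony": "Finished",
     "User status": "Enabled", "Last login": "20/05/2024 09:15:00"},
    {"Name": "bob", "Email": "bob@example.com", "Ceremony": "Finished",
     "User status": "Disabled", "Last login": "11/02/2024 17:40:02"},
    {"Name": "carol", "Email": "carol@example.com", "Ceremony": "Pending",
     "User status": "Enabled", "Last login": "--"},
    {"Name": "dave", "Email": "", "Ceremony": "Finished",
     "User status": "Enabled", "Last login": "01/01/2024 08:00:00"},
]

def parse_ts(value):
    """Parse a report timestamp; empty or '--' (assumed placeholder) gives None."""
    value = (value or "").strip()
    return None if value in ("", "--") else datetime.strptime(value, FMT)

def audit_ceremony(rows, parts_to_restore, now, stale_days=90):
    """Count guardians shown as Enabled and Finished; list findings for the rest."""
    usable, findings = 0, []
    for row in rows:
        name = row["Name"]
        if not row.get("Email"):
            findings.append((name, "no email registered"))
        if row["User status"] != "Enabled":
            findings.append((name, "guardian disabled"))
            continue
        if row["Ceremony"] != "Finished":
            findings.append((name, "part not viewed or downloaded"))
            continue
        usable += 1
        last = parse_ts(row.get("Last login"))
        if last is None or (now - last).days > stale_days:  # hypothetical policy
            findings.append((name, "no recent login"))
    return {"usable": usable, "margin": usable - parts_to_restore,
            "restorable": usable >= parts_to_restore, "findings": findings}

if __name__ == "__main__":
    result = audit_ceremony(REPORT, parts_to_restore=2, now=datetime(2024, 6, 1))
    print(result["usable"], result["margin"], result["restorable"])
    for name, reason in result["findings"]:
        print(f"{name}: {reason}")
```

A margin of zero means the loss of one more guardian leaves the key unrecoverable, which is the situation the guidance on selecting extra guardians is meant to avoid.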
View master key parts
Each guardian should access their account in senhasegura to view their part. If a guardian happens to have an inactive status, the system will report it as an incident via Orbit Web and SYSLOG, displaying an alert message about the guardian's inactive status and suggesting that the master key ceremony procedure be redone.
By default, to view a part of the Master Key, the Guardian user must have MFA authentication configured. To turn off this requirement, go to Grid Menu > Settings > System Parameters > System Parameters > Application and, in the Master key ceremony section, select No for the option MFA required for master key ceremony?.
Disabling MFA authentication for viewing the master key reduces the security of your vault.
To view a key, as a Guardian user, follow the steps below:
- On senhasegura, in the upper-right corner, click on the user's name and, in the drop-down menu, select Master Key.
- In the Master Key window, you have the following fields:
- Name: indicates the part of the key that the user is a guardian of. It follows the pattern Key part number 1.
- Generation: indicates the date the part was generated. It is presented in the format DD/MM/YYYY HH:MM:SS.
- Query: indicates the date and time the query was made. It is presented in the format DD/MM/YYYY HH:MM:SS.
- Below the informative fields, there are three buttons:
- View part: displays the part of which the user is a guardian.
- When clicking on View part, the Password visualization modal is opened. To view the part, slide the Contrast control located at the bottom of the modal.
- Copy part: copies the part in question to the clipboard.
- Download file: downloads the file, in .pdf format, containing the key part.
Restore master key
Once the Master Key Ceremony is finished, it is possible to perform the restoration process. To do this, follow the steps below:
- Gather the guardians and access the Combine secret link.
- In the Parts of key text field, enter the key parts in order.
The key parts should be entered as in the example:
1-dbfcc9e0fef3542c6fe5494aerr284h
2-dbfcc9e0fef3542c6fe5494ae45284g
- In the Total number of parts field, indicate the total number of parts that key has.
- In the Number of parts to Restore field, indicate the number of parts needed to restore the master key.
- Click on Recover Key to restore the master key.