The Master Key Ceremony
To carry out the Ceremony, the client must have determined which members of high trust will receive the key fraction.
At least 4 members must be appointed as guardians. At least 2 members are required to open the key.
For security reasons, we recommend that you choose two or three times more guardians than the number of parts needed to restore your key.
The role of the deployer is to ensure that:
the Master Key is created;
high-trust members receive their share of the key;
members are instructed about their responsibility and how to use the key;
encrypted data is created in the correct location and members are aware of this location.
The following events of the Master Key ceremony are displayed in SYSLOG and forwarded to SIEM:
Start of the ceremony
Viewing the key part
Download PDF file containing part of the key
Closure of the ceremony
An SMTP email account must be configured and set as the default.
Because there are scenarios where participants are remote and cannot meet physically for special reasons, senhasegura provides a way to perform the Master Key ceremony remotely, allowing the guardians to access their fractions in a secure manner.
To perform the Master Key ceremony remotely, access the menu: Settings ➔ Backup ➔ Master Key Ceremony.
On the screen displayed, click on the option Set a new master key. In the form you can define the number of parts of the key required for restoration, remembering that the minimum number of parts is 2.
Then select the Guardian users for the parts of the key. The add button displayed can be used to increase the number of guardians. It is important that these selected users have their e-mail addresses registered in the system.
Only users active in the system can be selected as guardians. Users who are guardians of the master key process must belong to at least the "View password" profile to have access to part of the key. And a user may not be a guardian of more than one part of the key.
The form also has a shortcut to user registration, which you can use if a guardian does not yet have a user in the system.
It is important that these guardians are trusted by the organization, as the keys are a critical component to the system's security. To finish click on Save.
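To make the "parts needed to restore" setting concrete, the following is an added illustration of threshold secret sharing (Shamir's scheme over a prime field), not senhasegura's own code; which algorithm the product actually uses is not stated on this page, so that is an assumption. It splits a constructed 16-byte key among 4 guardians so that any 2 parts restore it, matching the minimums given above.

```python
"""Added example: k-of-n threshold sharing of a master key.
Assumption: Shamir's scheme over GF(2**127 - 1); the product's real
algorithm is not documented on this page."""
import secrets

PRIME = 2**127 - 1  # Mersenne prime; a 16-byte key always fits below it


def _eval_poly(coeffs, x):
    """Evaluate the polynomial with these coefficients at x, mod PRIME (Horner)."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % PRIME
    return acc


def split_key(key: bytes, threshold: int, guardians: int):
    """Split key into `guardians` shares; any `threshold` of them restore it."""
    if threshold < 2:
        raise ValueError("at least 2 parts are needed to restore the key")
    if guardians < threshold:
        raise ValueError("need at least as many guardians as required parts")
    secret = int.from_bytes(key, "big")
    if secret >= PRIME:
        raise ValueError("key too large for the field")
    # Random polynomial of degree threshold-1 with the secret as constant term.
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(threshold - 1)]
    # Share i is the point (i, f(i)); x=0 is never handed out.
    return [(x, _eval_poly(coeffs, x)) for x in range(1, guardians + 1)]


def restore_key(shares, key_len: int) -> bytes:
    """Lagrange interpolation at x=0 over the given (x, y) shares."""
    secret = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = (num * -xj) % PRIME
                den = (den * (xi - xj)) % PRIME
        secret = (secret + yi * num * pow(den, PRIME - 2, PRIME)) % PRIME
    return secret.to_bytes(key_len, "big")


if __name__ == "__main__":
    key = secrets.token_bytes(16)  # constructed master key
    shares = split_key(key, threshold=2, guardians=4)
    assert restore_key(shares[:2], 16) == key          # any 2 parts suffice
    assert restore_key([shares[0], shares[3]], 16) == key
    print("restored from 2 of 4 guardian parts")
```

Reconstructing from more than the threshold (for example 3 of 4) also works, which is why extra guardians cost nothing in recoverability while guarding against unavailable members.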
If you have not set up a default SMTP sending account, you will be presented with an error message with the description A default account has not been set up.
Guardians
At the end of the Master Key issuance, the guardian users will receive an e-mail, SMS or a message from the notification system about their selection as guardian of one of the parts of the Master Key.
Whenever a guardian has the status inactive, the system will report it as an incident via Orbit Web and SYSLOG. A message will be displayed saying there is an inactive guardian and, in order to fix it, the user must redo the Master Key ceremony process.
Each guardian must access senhasegura to view their part:
When accessing the system, the guardian should click on their username in the top bar (see figure masterkey-180).
Among the options displayed, the user must click on Master key.
Caution: Users must enter their token before viewing their part of the master key. If the guardian does not have the second authentication factor configured, they must do so before viewing their portion of the key. This requirement can be removed from the system parameters screen: Settings ➔ System parameters, accessing the Application section and then going to the Master key ceremony part and indicating whether the token and MFA will be mandatory for this action. Remember that disabling this requirement will diminish the security of senhasegura.
Then the screen for viewing the part will be displayed. On this screen the guardian can view, copy and even generate a PDF file containing their part for download, as well as show the image (see figure masterkey-195). This screen will also inform which part the user is guardian of, the day it was generated and the date of the last view. The PDF contains the same information as the preview screen.