
Master Key Ceremony Setup Guide

The document describes how to configure and use a master key in senhasegura to encrypt and decrypt backups. It explains generating the key by distributing it among guardians, viewing key parts, and combining the parts to decrypt encrypted backups.

Uploaded by

Md. Golam Rabby

Introduction

The Master Key is the key that encrypts and opens the data. This key is generated
using the Shamir algorithm and distributed in different parts to the Key Keeper
Masters.

senhasegura exports all privileged information to the configured storage directory,
such as:

• Cloud IAM credential
• Cloud IAM User
• Credential
• DSM Secret
• Secret
• SSH key
• Others

They are encrypted using the advanced encryption standard AES-256 and made
available in separate files for each piece of information and respecting the different
values it may have. By putting together the parts of each guardian's key, it is possible
to access the complete Master Key and use it to recover the encrypted backup.

Info

The process of issuing and distributing the key parts is called the Master Key
Ceremony.

To configure the Master Key, follow the steps below:

Backup directory
Configure the encrypted data storage directory

Before creating the Master Key, it is necessary to configure the export location of the
encrypted data. Remember that this directory must be known to the guardians of the key parts.

Caution

This step is unnecessary if you are configuring a senhasegura SaaS instance. Go to
step Generate remote ceremony from the master key.

Within the module and menu Settings ➔ Backup ➔ Servers, you will access the
records of the directory where senhasegura internally forwards the backup.

1. Create a new record via the New report action button
2. Choose how the backup will be stored
3. Fill in your directory

Caution

If you choose Local Directory, keep the default data and click Save.

4. Fill in the Host, Port, and the Credential for authentication
5. Click Save

Master key ceremony


Add guardians

In scenarios where participants are remote and cannot meet physically for special
reasons, senhasegura offers a way to perform the Master Key ceremony remotely.
That way, guardians have access to their parts safely.

Caution

This functionality is only present in versions 3.6 and higher. An SMTP e-mail
account must also be configured and set as default.

Info

The following events from the Master Key ceremony are displayed in Syslog:

• Start of the ceremony
• Preview of the key part
• Download the PDF file containing part of the key
• Ceremony closing

Form to define a new Master Key

To perform the master key ceremony remotely, access the menu: Settings ➔ Backup
➔ Define a new master key.

1. Fill in the Number of parts to restore
2. Add the Guardians
3. Click on Generate New Key

Info

The minimum number of parts to restore is 2.

Caution

For security reasons, we recommend choosing two or three times as many guardians as
the number of parts needed to restore your key.

Info
The selected Guardians must have their e-mails registered in the system.

• Only active users in the system can be selected as guardians.
• The guardians of the master key process must belong to the View password profile
  to access the key part.
• The user cannot be the guardian of more than one part of the key.

The organization must trust these guardians, as keys are a critical component of
system security.

Master key ceremony progress

You can follow the progress of the ceremony and the relationship of the guardians with
their respective parts through the dashboard. Access: Settings ➔ Backup ➔ Master
Key Ceremony.
In this panel, you will be able to follow:

• Information such as Name, Phone, Email, Ceremony Status, User Status in Vault,
  Last Login, Last Viewed, and Last Download of the part
• The minimum amount of guardians for restoration
• Ceremony start date and time
• End date and time of the ceremony
• Shortcut to set a new master key

Info

To view the backup log information, go to Settings ➔ Backup ➔ Backup logs.


View master key parts

Upon completing the issuance of the Master Key, guardians will receive an email,
SMS, or a notification system message about their selection as guardians of one of the
parts of the master key.

Caution

Whenever there is a guardian with inactive status, the system will report it as an
incident via Orbit Web and SYSLOG. A message will be displayed warning of the
inactive guardian status and suggesting that the master key ceremony procedure be
redone.

Each guardian must access their account on senhasegura to view their share.

1. The guardian must click on their username in the top bar
2. Click on Master Key
3. In the window that is opened, you can View part, Copy part, and Download
   the file containing your part

MFA Required

Guardians must enter their tokens before viewing their part of the master key. If the
guardian does not have the second authentication factor configured, he must do so
before viewing his part of the key.
This requirement can be removed from the system parameters screen:

1. Go to Settings ➔ System Parameters ➔ System Parameters
2. Access the Application section
3. Go to Master Key Ceremony
4. Indicate whether a token and MFA are required for this action
Remember that disabling this obligation will decrease the security of senhasegura.

Info

This screen also shows which part of the Master Key the user is the guardian of, the
day it was generated, and the date of the last view.

Master Key

4. The PDF emission presents the same information on the preview screen
Master Key PDF

Revealing the master key


Get the master key value

1. Gather the guardians and go to the recovery screen via the link: Break Glass
2. Enter each part of the key in the field, keeping the identification number and
following the numerical order
3. Fill in the Total amount of parts
4. Fill in the Number of parts to restore
5. Click on Retrieve Key

Info

A screen will appear with the combined value of the key parts, which is your Master
Key.

6. Copy the value to open the backup

Combine secret

Value of key
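
The threshold behaviour behind the Number of parts to restore, and the reason each part keeps its identification number, shown with textbook Shamir secret sharing. This is an added example, not senhasegura's code: the prime field, the (id, value) part format and the names split, combine and demo are assumptions.

```python
# Added illustration: textbook Shamir secret sharing over a prime field.
# Not senhasegura's code; the (id, value) part format is an assumption.
import secrets

PRIME = 2**521 - 1  # Mersenne prime, larger than any 256-bit key


def split(secret, threshold, guardians):
    """Return one (id, value) part per guardian; any `threshold` parts restore."""
    if not 2 <= threshold <= guardians:
        raise ValueError("need 2 <= threshold <= guardians")
    if not 0 <= secret < PRIME:
        raise ValueError("secret out of range")
    # Random polynomial of degree threshold-1 with the secret as constant term.
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(threshold - 1)]

    def f(x):
        acc = 0
        for c in reversed(coeffs):  # Horner evaluation mod PRIME
            acc = (acc * x + c) % PRIME
        return acc

    return [(i, f(i)) for i in range(1, guardians + 1)]


def combine(parts):
    """Lagrange-interpolate the polynomial at x = 0 from (id, value) parts."""
    if len({pid for pid, _ in parts}) != len(parts):
        raise ValueError("duplicate part id")
    secret = 0
    for xi, yi in parts:
        num = den = 1
        for xj, _ in parts:
            if xj != xi:
                num = num * -xj % PRIME
                den = den * (xi - xj) % PRIME
        secret = (secret + yi * num * pow(den, -1, PRIME)) % PRIME
    return secret


def demo():
    key = secrets.randbits(256)  # constructed stand-in for a master key
    parts = split(key, threshold=3, guardians=6)
    swapped = [(1, parts[1][1]), (2, parts[0][1]), parts[2]]  # ids mixed up
    return {
        "three_parts": combine([parts[1], parts[3], parts[5]]) == key,
        "two_parts": combine(parts[:2]) == key,
        "wrong_ids": combine(swapped) == key,
    }
```

demo() reports True for three_parts and False for two_parts and wrong_ids: fewer parts than the threshold, or a part entered under another part's identification number, does not yield the key.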

Open backup files

How to do it on Windows

Prerequisite:

• You must have installed AES Crypt for Windows to decrypt the backup files.

1. Access a shared folder that receives the senhasegura backup data
2. Locate the folder where the backup files are stored and look for the secret folder
3. Search for the file you want to open
4. Click on the desired file that contains the .aes extension
5. Restore encrypted data using Master Key

The software decodes the backup file, generating a file with the CSV extension in the
same directory as the backup file.
By opening the CSV file, you can view all the credentials and passwords that were
registered and saved in the backup file.

How to do it on Linux

Prerequisite:

• You must have installed AES Crypt for Linux to decrypt the backup files.

1. Access a shared folder that receives the senhasegura backup data
2. Locate the folder where the backup files are stored, and look for the
   path /srv/backupremoto/secrets/ if you have saved it in your local directory
3. Choose a folder that contains the data you want to backup
4. Choose the information
5. Choose the folder that contains the file with the extension .aes
6. Type aescrypt -d -p MasterKeyPassword [Link] to decrypt the file

Follow the progress

Follow the progress of the ceremony

You can follow the progress of the ceremony and the relationship of the guardians with
their respective parts through the dashboard. Access: Settings ➔ Backup ➔ Master
Key Ceremony.
In this panel, you will be able to follow:

• Information such as Name, Phone, Email, Ceremony Status, User Status in
  Vault, Last Login, Last Viewed, and Last Download of the part
• Minimum amount of guardians for restoration
• Ceremony start date and time
• End date and time of the ceremony
• Shortcut to set a new master key

Info

To view the backup log information, go to Settings ➔ Backup ➔ Backup logs.
