Using the :xRecovery Access Panel

ProtectNow! Support
  • Updated
Follow

This article shows you how to use the :xRecovery Access Panel to access :xRecovery content.

Introduction

:xRecovery is an optional SSProtect component that allows you to recall protected information from users in your Organization for offline access. To request an Archive, and/ or for additional information, see the article, :xRecovery Procedure.

Isolating the Archive

IMPORTANT: DO NOT ACCESS YOUR ARCHIVE ON A NETWORK-CONNECTED HOST.

The :xRecovery Access Panel is designed to run independent from SSProtect and on an isolated host computer not connected to the Internet. This protects critical keys used to access your Archive's content, which comes in protected form.

It is best to limit this article's activities to an environment you isolate and keep isolated after use. This prohibits keys from leaking in any way, and maintains separation from any potential enterprise network compromise or malice.

You cannot execute the :xRecovery Access Panel while SSProtect is running. This is a safeguard to remind you that :xRecovery Archive Access should be carried out independently, in a physically isolated environment.

Transfer your Archive, Archive Key, and Exported Organization Keys to the isolated environment, then proceed as noted below.

:xRecovery Access Panel

Install SSProtect on an independent, network-isolated machine then transfer your Archive, Archive Key, and Organization's Exported keys to its' mass storage. Exit the :Foundation Client, if running, then start the :xRecovery Access Panel using the Desktop shortcut created during installation. From the Credentials section at the top left:

  • Browse to the folder where you have placed Archive files and the ArchiveKey file
  • Enter your 32-character Archive IV from Support
  • Choose Open to see the list of files by HostGUIDs

The HostGUID is a unique identifier specific to the host encryption portion of the Operating Mode. To decrypt the cloud catalog of filenames to plaintext, for the KeyStore:

  • Browse to your exported .ssp key file
  • Enter the Passphrase you used to protect Exported Keys
  • Choose Import

xRecovery-966.png

Content however remains encrypted. Select one or more files from the list, then choose Decrypt to render plaintext. Refer to the text below for insight on filtered lists and target filename options.

Protected Archive Content for Ongoing :Collaborate Use

When you review the Archive's raw materials, you only see the Username and a GUID (the HostGUID) for protected content. Though the :xRecovery Panel at the time of this writing only provides access to decrypted, plaintext content (when all preconditions are met), there is high-value in also offering protected materials in native, plaintext filename form (such as that achieved when performing a Remote Deploy Restore operation on a new Host Computer, or Replicate operation from the Archivelist in File Management).

This capability is useful for ongoing :Collaborate use even after an Account is Deleted and the associated Seat License reclaimed for re-use.

Still further work is under way to permit a transfer of Ownership when carrying out related Account Delete (retirement) operations.

Return to this page for updates on related matters, which will be specified when content is made generally available for public use (through the :Foundation Client Update process).

Enumeration, Filename Decryption, and Content Decryption

The path from a protected, downloaded Archive to plaintext filename enumeration and content decryption not only requires the resources associated with Archive acquisition and download, but also the Organization and Account key exported from Administer Resources. As such, Non-Privileged Users do not have access to Archive content unless Organization Keys are unintentionally disclosed (or maliciously acquired).

For this reason, it's important to maintain host isolation even when working with an :xRecovery Archive that is, by nature of limited Privileged User activities, encrypted: Once keys are provide to a host computer, there are literally hundreds if not thousands of ways for malicious users to gain access to acquire insight. In this case, an entire Organization of protected content could be exposed.

We strongly recommend Archive acquisition, migration to an isolated host, isolated manipulation and single, one-way transfer out.

Using UI Controls

Limit the list of files with the Filter / Clear buttons to the right, searching through content for specific files. You can also use the Filter by Username dropdown listbox to further refine the list. If you hold the Shift key and choose multiple files, subsequent Decrypt operation will loop through each, showing ongoing decryption progress on the lower right side of your display. Notice that the Txt column changes from, "No" to, "Yes" on successful decryption. Click any column to sort, click a second time to reverse the sort order.

Note that Txt decyrption, "State" is session-specific, i.e. if you restart, re-enter your credentials, then view the list, the Txt (plaintext state) column resets to, "No" for all file entries. Future versions will maintain visibility into the target Decrypted Archive to provide continuous state retention.

Selective Plaintext Filenames

You can modify the target filename and path with the checkbox options at the top right of the panel:

  • Replicate Struct - recreates the instance's path beneath the \Decrypted and root base
  • Owner Grouping - groups content with an Owner-named sub-root in the resulting path
  • HostGUID Prefix - adds the HostGUID to the resulting Filename
  • Version Suffix - attaches the instance's version detail to the resulting Filename

Choose a single file in the list, then check various options to preview the resulting target. This will be comprised of a concatenation of the displayed Decrypt Path and Replica Path that hold the given Filename:

<ArchivePath>\Decrypted\<root>\<OwnerUsername>\<SubfolderTree>\<Filename>.<ext>

If you choose one combination of options and Decrypt, then make changes and Decrypt again, you will end up with two matching results though in different target locations.

Decrypting Only the Latest Versions

In some cases, you may have an Archive with all Versions of each file, but you only wish you see the latest version for each in plaintext. Check the Latest Only checkbox to the right of the Decrypt button to bypass version instances that do not represent the most recent.

Name Collisions During Decryption

In some cases, a Decrypt operation results in a target Filename (and path) that collides with an existing file. This can arise in at least three different scenarios:

  1. A filename collides w/ SSProtect conventions used to Restore version instances
  2. Multiple versions of the same file are being decrypted, without the Version Suffix 
  3. The same file has already been decrypted (but maybe the target has been edited)

Version-specific restoration uses the following convention:

<plaintext-filename>-vx.<plaintext.extensions>

...where x is the Version of the Restored file.

Depending on vChain Policy, it's possible to Restore a versioned instance then subsequently access it to create a legitimately-needed filename with the given format.

In this case (scenario #1) - and the closely-related scenario #2, Decrypt operation uses a combination of numbers and letters that are added after the filename but not in the extension, providing differentiated clarity without impact to default Windows Shell behavior (that often relies on known file extensions).

Details are at the time of this writing being reviewed for near-term adjustment - if the situation presents and it's unclear how to meet your needs, contact Support so our team can provide an update suitable to your specific needs and/ or offer an early preview (if applicable). Also as noted above, return to this page for updates that will be reflected when changes are released using the software's Update mechanism.

Managing Decrypted Files

Current releases of the :xRecovery Panel are primarily designed to provide simple and secure access to plaintext Archive content. More feature-rich capabilities will be introduced in a new product in the future, though until that time it may be helpful to rename the \Decrypted subfolder between successive Decrypt operations. In this respect, you can partition individual Users from an Organization Archive, or separate latest version instances from previous versions then manage differences/ overlapping content with file comparison tools such as Beyond Compare.

As previously noted, don't forget to remove unwanted plaintext materials from decrypted state, copied instances, and also the Recycle Bin keep in mind the realities of erasing content from SSDs.

Additional Resources

You can search this site for more information on various topics, or use this link to submit a specific request. You can also send email directly to support@definisec.com, and our staff will respond to your needs as soon as possible.

In the meantime, don't forget to check out our primary website and Insights columns for information on current trends, security topics, and how our technologies relate.

This article was updated w/ v9.6.6 of the :Foundation Client