This article introduces you to :xRecovery Disaster Recovery with a brief exercise in acquiring secured offline :Recover content.
There are times when you need to acquire and consolidate User Data, whether as a result of a Legal Hold, a GDPR request, or to recover content a disgruntled ex-employee attempted to destroy on the way out. In any case, SSProtect makes secure acquisition of KODiAC Managed Data Archives easy (and affordable).
Execution requires that you've Licensed :xRecovery as directed in this section's Overview.
STEP guidance uses Profiles created in the Walkthrough, Third Party Trust Sharing. This is a matter of convenience rather than a requirement; execution is straightforward and simple.
IMPORTANT: Avoiding :xRecovery Resource Consolidation
SSProtect/ KODiAC go to great lengths to make certain that remote, compromising access to a host computer does not have an easy means for acquiring plaintext associated with managed content. From patented KODiAC cryptographic offloading to host-based, fine-grained 2FA requiring a physical presence and finally consolidated, application-independent workflow integration with in-use plaintext isolation, SSProtect provides the most aggressive form of document/ file and email protection available.
:xRecovery provides a means for you to acquire KODiAC Managed Data Archives in a fashion suitable for offline access. This alone should pique your interest with respect to the above-noted protections, since it provides an opportunity for attackers to bypass these protections.
As such, :xRecovery first requires that Archive Requests use in-person authentication from a predetermined list of qualified resources. This authentication request includes an ArchiveIV that's provided over the phone, or using an agreed upon alternate method, as it's the one piece of information that, "unlocks" :xRecovery Offline Access.
Second, we strongly recommend against the use of the :xRecovery Access Panel on a network-connected host computer.
This procedure violates these stipulations by a) bypassing the in-person authentication while using a Trial License, and b) providing a procedure that consolidates materials on a single network-connected host computer, i.e. we don't include instructions for isolating content once it's acquired.
In truth, you want to make certain the following materials remain independent from one another except when consolidated on the secured host:
- Your Exported Organization Keys
- An ArchiveKey you download as part of this procedure
- The :xRecovery Archive files that are encoded for offline access
- An ArchiveIV* you receive through authenticated voice communication
For guidance, suggestions, and further insight, submit questions to our Support team or work through your Authorized :xRecovery Points of Contact who coordinate these activities when executing :xRecovery procedures with Licensed software.
USE THIS PROCEDURE FOR PROOF OF CONCEPT PURPOSES ONLY: DO NOT CARRY OUT THESE PROCEEDINGS IF YOUR TRIAL ACCOUNT HOLDS PRODUCTION DATA OR CONTENT YOU INTEND TO USE LONG-TERM.
* The ArchiveIV is short for Archive Initialization Vector, and it is required to, "unlock" an :xRecovery Archive delivered via Internet download or some form of managed media.
Submit a Request for your Offline Archives
STEP 1: Log In to your Org1_Admin SSProtect Profile.
STEP 2: Right-click the SSProtect icon in the notification tray and from the resulting context menu choose Offline Archives:
STEP 3: Check both All Versions and Entire Organization then click Request. Choose OK to dismiss the notification message.
This automatically generates a request for our Support Team, and a first response generally takes between 5 and 15 minutes. For more details, refer to the article, Trial Support Response.
Email Notification for Archive Readiness
When you submit your Request for an Archive, Support will respond and create the Archive which, depending on the amount of data, can take some time. For Trial requests, they're limited to small data sets and as a result, processing is fairly quick.
You will receive email notification when the Archive is ready, more completely described in the article, Email Notifications.
STEP 4: Monitor the email associated with your Org1_Admin Profile for the message indicating your Archive is ready. This will come from the SSProtect Administrator <firstname.lastname@example.org> with the Subject: [SSProtect] :xRecovery Request Processed. This includes instructions on next steps, which align with these procedures.
Licensed :xRecovery In-Person ArchiveIV
As previously noted, the normal procedure using pre-authorized, in-person contacts is bypassed when using a Trial License. For this reason, your ArchiveIV is delivered via standard email from our Support Team.
STEP 5: Check your email for an additional note from email@example.com which will include your Archive IV, the 32-character reference required to access offline archive data.
Acquire Archive Credentials
STEP 6: Navigate back to the Offline Archive UI, which will present a different state for you to proceed:
STEP 7: Choose Get Key to proceed, at which point you'll be prompted to save the ArchiveKey file; we used C:\SSProtect-Export. Once complete, your UI transitions to display sensitive materials required for S3 download:
The top control contains the name of the S3 Bucket that contains your protected materials, while the bottom control contains a combination of Key/ Secret resources used to access the Bucket, in the form:
These credentials do not utilize the period (.), the delimiter we use to separate the two related items.
STEP 8: Copy/ paste these details to a temporary location and/ or into your download software, then choose Clear SAS. Pay special attention to the following note before you address the confirmation prompt.
IMPORTANT: DO NOT Acknowledge the subsequent confirmation prompt until after you have both copied AND PASTED the displayed materials: As soon as you choose Yes, the references are removed and the Clipboard is cleared. If you haven't retained a temporary instance for ongoing use, you cannot proceed and, as a result, would have to submit a new Request in order to acquire content.
Download your Archive
You can use any viable facility to access your S3 Bucket and download content using the (temporary) credentials you acquired in STEP 8, above. The following procedure uses a simple applet called the S3 Browser available at https://s3browser.com.
STEP 9: Start the S3 Browser. The first time you use it, you may be prompted with the Add New Account dialog. If not, navigate to the Accounts menu and choose, Add new account... to achieve the same.
STEP 10: Use the credentials you acquired from STEP 8, above, to enter the Access Key ID and Secret Access Key before clicking Add new account:
STEP 11: You may be notified that S3 Browser cannot acquire a bucket list then prompted to add an External Bucket. Choose Yes to proceed:
STEP 11a: If you were not prompted, navigate to the Buckets menu, then choose Add External Bucket...to display the Add External Bucket dialog.
STEP 12: Enter the S3 Bucket Name you acquired from the :xRecovery dialog in STEP 8, above, then click Add External bucket:
STEP 13: Use any of the application's facilities to download all bucket files to C:\SSProtect-Export, then close the application. For example, you can use the Buckets\Download all files to... menu item.
Export Your Organization Keys
The :xRecovery Archive is comprised of files that remain protected, but they utilize a slightly different form of protection from native content. This provides offline access independent from KODiAC Cloud Services, and requires the ArchiveIV noted in previous text.
Access also requires your Account/ Organization keys. Though you may have Exported them when you created your Test Account, let's do that here and place the results alongside the ArchiveKey we downloaded, above.
STEP 14: In SSProtect, navigate to Administer Resources from the notification icon's context menu:
STEP 15: Click Export to begin the process, then enter the Password you want to use with this instance of your key file, then Confirm it. Make sure you retain checks for Org Key Pair and Acct Key Pair, then Browse and choose the target location C:\SSProtect-Export\Org1_Admin-Keys.ssp to line things up for subsequent activity:
STEP 15: Choose OK then OK again to dismiss the dialog, and finally right-click the notification icon then choose Exit from the context menu.
Access Your :xRecovery Archive
Use the following procedure to gain access to your :xRecovery Archive:
STEP 16: Make sure you are not running the :Foundation Client, which you can check in the notification tray. If you see the SSProtect icon, right-click and choose Exit on the Context Menu.
STEP 17: Start the :xRecovery Access Panel using the Desktop icon of the same name (created when you installed the :Foundation Client). If when you double-click the shortcut you are presented with an SSProtect dialog or the Login dialog, return to STEP 16 to Exit the :Foundation Client.
STEP 18: Browse to set your Archive Folder to C:\SSProtect-Export.
STEP 19: Enter your ArchiveIV in the associated field.
STEP 20: Browse to set your Keystore to C:\SSProtect-Export\Org1_Admin.ssp.
STEP 21: Enter your key file Passphrase then click Import to access your :xRecovery Archive.
Access Plaintext Content
The :xRecovery Access Panel is described in the article, Using the :xRecovery Access Panel, with input/ output opportunity summarized below.
Scope your Input File List
- Use Filter by Username to limit the File List to content associated with a specific User/ Account
- Set the Filter Match then Filter to further limit the File List to targeted content
- Limit the File List to the most recent instance using the Latest Only checkbox
- Select File List entries to view associated FileID, HostGUID, and ServerGUID
Configure/ Review Your Output
- Choose to Replicate Struct
- Choose to Group by Owner
- Include the HostGUID Prefix in output filenames
- Include a Version Suffix in output filenames
- Preview the Decrypt Path, Replica Path, and target Filename
Once you've configured the noted controls to choose Input scope and plaintext Output details, select one or more files from the File List then Decrypt to plaintext or Replicate scoped Ciphertext to assemble content for shared use by existing SSProtect Profiles.
You can search this site for more information on various topics, or use this link to submit a specific request. You can also send email directly to firstname.lastname@example.org, and our staff will respond to your needs as soon as possible.
This article was updated w/ v10.7.1 of the :Foundation Client