Password Vaults
Password vaults are a security feature in Shield Guard, providing an additional layer of protection inside the Shield Guard portal. The user authentication process during login protects the portal from external breaches while password vaults (together with Shield Guard roles) protect data within the portal.
Use of Shield Guard requires a password vault. The first time you attempt to access a vault-protected page in the Shield Guard portal, the Create Vault window appears and prompts you to create your vault.
Each vault requires a master key to unlock it. During the vault-creation process, you generate your vault master key. If using the Decentralized method for vault key management, you must manually create your vault key. If using the Centralized method, Shield Guard creates the key for you.
Once your vault exists, you must unlock it the first time in each Shield Guard session that you access a vault-protected page. If you use the Decentralized method for vault key management, the Unlock Vault window appears and you must enter your vault key manually. If you use the Centralized method, Shield Guard supplies the key for you.
Once unlocked, the vault remains open until you perform an action that causes Shield Guard to lock the vault, for example logging out of the Shield Guard session. Shield Guard’s automatic vault-locking process:
- Takes a snapshot of your current data,
- Stores the data in your vault, and
- Encrypts the vault.
Vault Protections
Password vaults provide the following protections for Shield Guard tenants:
- Store and encrypt the admin passwords of devices added to the tenant, so that the passwords (and therefore the devices) are not exposed to unauthorized users.
- Protect pages on the portal containing sensitive information against unauthorized access. Such pages are vault-protected and require the vault key to access.
Note: Depending on your method for vault key management, your vault key may be stored outside of your vault, and outside Shield Guard altogether (the Decentralized method), which provides additional security for the key itself.
Managing a Password Vault
Password vault management involves the following major elements:
- Vault - Password vaults are associated with tenant members. Your vault protects your data across all tenants of which you are a member. That is, vaults are user-specific, not tenant-specific.
- Vault master key - As part of the vault-creation process, you generate a vault master key that is used to unlock your vault thereafter.
- Tenant member vault key management method - Tenant members can choose from two methods by which to manage their vault keys:
  - Decentralized - Tenant members create and manage their vault key.
  - Centralized - Shield Guard creates and manages their vault key.
- Tenant Vault Key Management setting - Authorized tenant members (members with the License Plan Management permission) can use the Tenant Vault Key Management section of the Settings page to restrict tenant members to the Decentralized method only, so that tenant members have no access to the Centralized method.
In summary:
- Each tenant member creates a vault and generates a vault key to unlock the vault thereafter.
- The steps tenant members must take when creating their vault, and the tasks each must perform to maintain their vault key, are determined by the tenant member vault key management method they choose.
- An authorized tenant member can restrict the tenant to use of the Decentralized vault key management method only.
Creating Your Password Vault
The first time in a Shield Guard session that you attempt to access a vault-protected page, Shield Guard checks whether you have a vault. If you have not yet created your password vault, the Create Vault window appears and you must create it.
The contents of the Create Vault window, and the information you are required to provide, differ depending on your membership status in the tenant and the tenant vault key management configuration for the tenant. The following list describes the scenarios that determine the contents of the Create Vault window.
- You are a tenant owner who is accessing the tenant for the first time.
- You are a tenant member whose tenant has been configured for Decentralized Only vault key management.
- You are a tenant member whose tenant has been configured for Decentralized or Centralized vault key management.
- You are a member of no Shield Guard tenants, but have been invited to join one.
Vault Creation for Tenant Owners
If you are the tenant owner accessing the tenant for the first time, the Create Vault window appears as soon as you log in to the tenant:
Note: The same window also appears for Shield Guard invitees who have been invited to join a tenant but are not currently a member of any tenant.
Use this window to specify a master key for your vault. Do the following:
- In the Create Vault window, in the Master Key field, specify a master key for your vault.
- In the Confirm Master Key field, re-enter the master key. Once the contents of the two fields match, the CREATE button activates.
- To activate the vault, click on the CREATE button. To abandon the process, click outside of the window.
- Once you activate the vault, the Vault Created window appears. To continue, you must download a recovery key. See the following illustration:
- In the Vault Created window, click on the Download button.
- If a navigation window appears, navigate to the location where you want to store the recovery key and click on Open. If no navigation window appears, the key downloads to the default download location on your local drive.
Important! Be sure to complete the download of your recovery key and take note of where you store it. Anyone holding the recovery key can set a new master key for your vault, so store it separately from the master key and away from shared or unprotected locations. If you forget your master key, you can use the recovery key to create a new master key. If you lose the recovery key as well, you must use the Reset Vault feature to regain access to your vault.
Note: Because you are the first member of your tenant, the tenant defaults to the Decentralized vault key management method, so you are not asked to choose one for your vault and the Management Type field does not appear in the Create Vault window. The Management Type field does appear for all other tenant members as part of their vault-creation process; the options available in that field are controlled by the Tenant Vault Key Management setting for your tenant.
Once you complete the vault-creation process, you can begin to configure your tenant.
Vault Creation for Decentralized Only
If the Tenant Vault Key Management field for your tenant is set to Decentralized Only, the Management Type field in the Create Vault window is inactive and you must use the Decentralized method. See the following illustration:
To create your vault, do the following:
- In the Create Vault window, in the Master Key field, specify a master key for your vault.
- In the Confirm Master Key field, re-enter the master key. Once the contents of the two fields match, the CREATE button activates.
- To activate the vault, click on the CREATE button. To abandon the process, click outside of the window.
- Once you activate the vault, the Vault Created window appears. To continue, you must download a recovery key. See the following illustration:
- In the Vault Created window, click on the Download button.
- If a navigation window appears, navigate to the location where you want to store the recovery key and click on Open. If no navigation window appears, the key downloads to the default download location on your local drive.
Important! Be sure to complete the download process of your recovery key and take note of where you store it. If you forget your master key, you can use the recovery key to create a new master key. If you lose the recovery key as well, you must use the Reset Vault feature to regain access to your vault.
Vault Creation for Decentralized or Centralized
If the Tenant Vault Key Management field for your tenant is set to Decentralized or Centralized, the Management Type field in the Create Vault window is active and you can make a selection. See the following illustration:
To create your vault, do the following:
- In the Create Vault window, in the Management Type field, select a vault key management method for your vault.
  a. If you select Centralized, then when you click on the CREATE button, Shield Guard creates and stores your vault key for you, and the process is complete. To abandon the process, click outside of the window.
  b. If you select Decentralized, follow the steps listed in the Vault Creation for Decentralized Only section to create your vault.
Vault Maintenance for Decentralized Key Management
Once you create your vault, Shield Guard manages your vault data regardless of your vault key management method. If you use the Decentralized method, you are responsible for several vault key management tasks:
- Unlocking your vault when prompted by Shield Guard.
- Changing your vault key when necessary.
- Using the Recovery key when necessary.
- Resetting your vault when necessary.
Unlocking Your Password Vault
If you use the Decentralized method for vault key management, you must manually unlock your vault when prompted by Shield Guard. The Unlock Vault window appears for this purpose. This window appears the first time in a Shield Guard session that you attempt to access a vault-protected page. To unlock the vault, enter your master key. See the following illustration:
Once you unlock the vault, it remains open until you do any of the following, each of which causes the vault to lock automatically:
- Refresh the page.
- Navigate away from the site by modifying the URL of your Shield Guard page.
- Log out of the Shield Guard site.
Changing Your Vault’s Master Key
If you use the Decentralized method for vault key management, you can manually change your vault master key. We recommend you update your vault key on a regular basis. You have the following options:
- Use the Forgot master key? option on the Unlock Vault window. This option requires that you provide a valid recovery key.
- Use the CHANGE MASTER KEY option in the Vault Key Options section of the My Profile page. Do the following:
  - Access the My Profile page.
  - In the Vault Key Options area, click on the CHANGE MASTER KEY button. The Change Master Key window appears. See the following illustration:
  - In the Change Master Key window, enter the new master key in the New Master Key field and then re-enter it in the Confirm Master Key field. Once the contents of the two fields match, the CHANGE MASTER KEY button activates. Click on this button to change your master key. The Master Key Updated window appears. To continue, you must download a recovery key. See the following illustration:
  - In the Master Key Updated window, click on the Download button.
  - If a navigation window appears, navigate to the location where you want to store the recovery key and click on Open. If no navigation window appears, the key downloads to the default download location on your local drive.
Important! Be sure to complete the download of your recovery key and take note of where you store it. Changing the master key invalidates the previous recovery key, so replace any stored copy with the new one. If you forget your master key, the recovery key is the only means by which you can create a new master key.
Using the Recovery Key
If you use the Decentralized method for vault key management and you forget your master key, you can use your recovery key to create a new master key. Shield Guard prompts you to download a recovery key as part of the vault-creation process, and each time you change the master key thereafter. Keep your recovery key in a location you control, such as your local drive. If you no longer have it but still know your master key, obtain a new one by changing your master key (Vault Key Options on the My Profile page); the new recovery key is offered for download at the end of that process.
When the Unlock Vault window appears and you do not have the master key to unlock the vault, do the following:
- Click on the Forgot master key? option. The SELECT RECOVERY KEY button appears:
- Click on the SELECT RECOVERY KEY button. A navigation window appears:
- Navigate to the location where the recovery key is stored and open the file. The Change Master Key window appears, as in the following illustration:
Note: If you select an invalid recovery key, an error message appears. To continue, you must select the correct recovery key or click on the Back button to return to the previous screen.
- In the Change Master Key window, enter the new master key in the New Master Key field and then re-enter it in the Confirm Master Key field. Once the contents of the two fields match, the CHANGE MASTER KEY button activates. Click on this button to change your master key. The Master Key Updated window appears. To continue, you must download a recovery key. See the following illustration:
- In the Master Key Updated window, click on the Download button.
- If a navigation window appears, navigate to the location where you want to store the recovery key and click on Open. If no navigation window appears, the key downloads to the default download location on your local drive.
Important! Be sure to complete the download of your recovery key and take note of where you store it. If you forget your master key, the recovery key is the only means by which you can create a new master key.
About Recovery Keys
- When you download a recovery key, it becomes associated with the current master key and is valid until you change the master key. Whenever you create or change a master key, Shield Guard prompts you to download a recovery key. That recovery key becomes associated with the new master key, and any previous recovery keys are invalidated.
- If you have downloaded multiple recovery keys, the valid one is the most recently downloaded file (the one with the most recent date). Selecting an invalidated key in the Unlock Vault window produces an error rather than unlocking the vault.
- We recommend you delete any invalid recovery keys, and keep the valid one in a location separate from wherever you record the master key: a recovery key is sufficient on its own to set a new master key and open the vault.
Resetting Your Vault
If you use the Decentralized method for vault key management and you lose both your vault master key and its recovery key, you can attempt to reestablish access to your vault by clicking on the Can’t find your recovery key? option in the Unlock Vault window.
Note: If you use the Centralized method for vault key management, Shield Guard maintains your vault key and you will never need to use the Reset Vault procedure.
The Reset Vault process alerts the other members (if any) of your tenant so that they can send you a link via which you reset your vault master key and regain access to your vault data (including device admin passwords). If you are the only member of your tenant, you can manually reset your vault master key, but all data in the vault is destroyed.
The Reset Vault window lists the tenants of which you are a member and the recovery option available for each. See the following illustration:
User-Assisted Recovery
If any of your tenants has active members other than you, the Recovery Options column in the Reset Vault window displays “User-assisted recovery” for that tenant, and you may be able to restore your access to the tenant and recover the contents of your vault. When you click on the SAVE button, Shield Guard emails all members of all your tenants to indicate that you are locked out of the tenant and require an invitation to rejoin. The email includes a link that, when clicked, sends you an invitation email containing a link to rejoin the tenant. When you rejoin a tenant, you are prompted to reset your vault master key, after which your access to the tenant, and your vault data associated with it, is restored.
Note: If no other tenant member is able to send you an invitation email (for example, they have lost their master and recovery keys, too), you must contact your support representative to assist you in accessing the Manual Reset option to reset your vault.
Manual Reset
If you are the only member of a tenant, the Recovery Options column in the Reset Vault window will display “Manual Reset” for that tenant. This indicates that no one else is able to access the tenant and send you an invitation to rejoin the tenant. In such cases, your only option to rejoin your tenant is to use the Manual Reset procedure. You will be prompted to create a new vault, and your access to the tenant will be restored, but your vault data for the tenant will be lost. If you have no other access to the admin passwords of the devices in the tenant, you will need to contact your support representative to arrange for a technician to retrieve the passwords for each of the devices.
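The key lifecycle described in the preceding sections (Changing Your Vault’s Master Key, Using the Recovery Key, About Recovery Keys and Resetting Your Vault) can be modelled with a small key-wrapping hierarchy. The Python below is an added illustration written for this page; it is not Shield Guard’s own implementation and the documentation does not describe how Shield Guard encrypts vaults. It assumes an envelope-encryption design (a random vault data key wrapped once under a key stretched from the master key and once under a random recovery key), and uses an HMAC-SHA256 counter-mode construction as a stand-in for a real AEAD such as AES-GCM so that it runs on the standard library alone. All function and field names are hypothetical.

```python
"""Illustrative master-key / recovery-key vault model.

ASSUMPTION, not Shield Guard's documented design: a random vault data key
encrypts every entry. It is stored twice: wrapped under a key stretched
from the user's master key, and wrapped under a random recovery key that
the user downloads. Changing the master key re-wraps the same data key and
issues a new recovery key, so the previous recovery key stops working; a
manual reset issues a brand-new data key, so old entries are unrecoverable.
"""
from __future__ import annotations

import hashlib
import hmac
import os
from dataclasses import dataclass, field

KEY_LEN = 32
NONCE_LEN = 16


def _kdf(master_key: str, salt: bytes) -> bytes:
    # Stretch the human-chosen master key before using it as a wrap key.
    return hashlib.scrypt(master_key.encode(), salt=salt, n=2**14, r=8, p=1, dklen=KEY_LEN)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode as a PRF; stand-in for a real AEAD cipher.
    out, ctr = b"", 0
    while len(out) < length:
        out += hmac.new(key, b"enc" + nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:length]


def _seal(key: bytes, plaintext: bytes) -> bytes:
    # Encrypt-then-MAC: nonce || ciphertext || tag.
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def _open(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-32], blob[-32:]
    expect = hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expect):
        raise ValueError("wrong key or corrupted data")  # wrong master/recovery key lands here
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


@dataclass
class Vault:
    salt: bytes
    wrapped_by_master: bytes
    wrapped_by_recovery: bytes
    entries: dict[str, bytes] = field(default_factory=dict)  # device name -> sealed admin password


def create_vault(master_key: str) -> tuple[Vault, bytes]:
    """Create a vault; returns it plus the recovery key the user must download."""
    data_key, recovery_key, salt = os.urandom(KEY_LEN), os.urandom(KEY_LEN), os.urandom(NONCE_LEN)
    vault = Vault(salt, _seal(_kdf(master_key, salt), data_key), _seal(recovery_key, data_key))
    return vault, recovery_key


def unlock(vault: Vault, master_key: str) -> bytes:
    """Unlock Vault window: master key -> data key (held only for the session; locking discards it)."""
    return _open(_kdf(master_key, vault.salt), vault.wrapped_by_master)


def unlock_with_recovery(vault: Vault, recovery_key: bytes) -> bytes:
    """Forgot master key?: the downloaded recovery key also yields the data key."""
    return _open(recovery_key, vault.wrapped_by_recovery)


def change_master_key(vault: Vault, data_key: bytes, new_master_key: str) -> bytes:
    """Re-wrap the same data key under a new master key and a fresh recovery key."""
    vault.salt = os.urandom(NONCE_LEN)
    vault.wrapped_by_master = _seal(_kdf(new_master_key, vault.salt), data_key)
    new_recovery = os.urandom(KEY_LEN)
    vault.wrapped_by_recovery = _seal(new_recovery, data_key)  # previous recovery key is now invalid
    return new_recovery


def manual_reset(vault: Vault, new_master_key: str) -> bytes:
    """Both keys lost and nobody can re-invite you: new data key, entries destroyed."""
    fresh, recovery_key = create_vault(new_master_key)
    vault.salt, vault.wrapped_by_master = fresh.salt, fresh.wrapped_by_master
    vault.wrapped_by_recovery = fresh.wrapped_by_recovery
    vault.entries.clear()
    return recovery_key


def store_admin_password(vault: Vault, data_key: bytes, device: str, password: str) -> None:
    vault.entries[device] = _seal(data_key, password.encode())


def get_admin_password(vault: Vault, data_key: bytes, device: str) -> str | None:
    blob = vault.entries.get(device)
    return None if blob is None else _open(data_key, blob).decode()
```

In this model "locking" the vault is simply discarding the session's data key; entries stay encrypted at rest the whole time. It also makes two of the page's rules visible: the recovery key is as powerful as the master key (either one unwraps the data key), which is why it should be stored separately, and a manual reset cannot bring the old entries back because nothing remains that can unwrap the old data key.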
Vault Maintenance for Centralized Key Management
Once you create your vault, Shield Guard manages your vault data regardless of your vault key management method.
For vault key management, if you use the Centralized method, Shield Guard manages the key for you and you have no manual key management tasks. Shield Guard assumes responsibility for:
- Unlocking your vault
- Updating your vault key
- Safeguarding your vault key. Shield Guard will never lose the key, so you will not need to:
  - Create a recovery key or use a recovery key
  - Reset your vault
Vault-Protected Pages
In addition to storing sensitive data in the vault, password vaults restrict access to pages in the Shield Guard portal that contain sensitive information. These pages are called “vault-protected” pages. In each Shield Guard session, Shield Guard restricts access to these pages until the vault master key is provided. Once the vault has been unlocked, all vault-protected pages become accessible.
The following Shield Guard pages are vault-protected:
Vault Master Keys
As part of the vault creation process, each tenant member generates a vault master key they will use thereafter to unlock their vault. Vault key management is an important aspect of Shield Guard best practices. If a vault master key is lost, the tenant member can be blocked from accessing the tenant and the device password data in the vault can be lost. Shield Guard provides ways for tenant members to safeguard their vault keys and restore them if lost, and Konica Minolta technicians can retrieve a device’s admin password in the event that no tenant member can provide the password. However, you should safeguard your vault keys to avoid downtime for your tenants and their devices.
Vault Key Management
Vault key management involves the following tasks for tenant members:
- Selecting a vault key management method.
- Creating a vault master key to unlock their vault.
- Safeguarding the key once created.
- Changing the key as needed.
- Restoring the key if lost.
Note: For tenant members who select the Centralized method for vault key management, Shield Guard performs these tasks automatically.
The vault key management method determines:
- The location at which the vault master key is stored (locally or in the cloud).
- Who is responsible for securing and preserving the key (the tenant member or Shield Guard).
- Who provides the key when Shield Guard requires it (the tenant member or Shield Guard).
Vault Key Management Methods
Shield Guard provides two methods for tenant members to manage their vault keys:
Decentralized Key Management
In this method, Shield Guard manages the vault but not the vault key. Because the key is stored in a “decentralized” location, separately from Shield Guard, Shield Guard itself never holds the key; this separation is the additional element of security the method provides.
Tenant members using the Decentralized method are responsible for:
- Creating their vault key,
- Safeguarding their vault key,
- Changing their key as needed,
- Recovering their vault key if lost,
- Resetting their vault key if both the master and recovery keys are lost, and
- Entering their vault key whenever requested by Shield Guard.
Centralized Key Management
In this method, Shield Guard manages both the tenant member’s vault and vault key in the cloud and provides it automatically when requested by Shield Guard. This method provides a level of convenience for tenant members, and Shield Guard will never lose the key.
Note: Tenants can be configured to block the use of the Centralized method within the tenant.
Tenant Vault Key Management Options
Authorized tenant members (members with the License Plan Management permission) can edit the Tenant Vault Key Management section of the Settings page. This section contains the following options for tenant vault key management:
- Decentralized Key Management - Require tenant members to use the Decentralized key management method.
- Centralized or Decentralized Key Management - Allow tenant members to choose their vault key management method (Decentralized Key Management or Centralized Key Management).
Note: Tenant vault key management applies to tenants as a whole. It is distinct from “tenant member vault key management”, which refers to the vault key management method that must be applied to each individual password vault.
Viewing the Device Admin Password
Once you unlock the password vault, you can view the admin passwords for devices in your tenant.