[HOWTO] Using PAS Escrow Functions to Export Vaulted Data

Privileged Access Service

31 March,21 at 03:54 PM

The following steps can be used to securely export encrypted data attributes, including vaulted account passwords for Systems, Accounts, Domains, and Databases, from Centrify’s Privileged Access Service. Centrify has introduced PowerShell modules that make the escrow commands possible. The data is saved into a CSV file, which can be helpful in a disaster recovery scenario.

Individuals belonging to the PAS System Administrator role can execute the commands individually, or through a PowerShell script. The resulting file will be securely emailed to intended recipients using PGP encryption. An OpenPGP secret key will be required to open the secure email attachment.

Note: The PAS Escrow feature is not designed to export Secrets or the PAS configuration.


Prerequisites:
1. Centrify Privileged Access Service 19.1 or above.
2. If using PAS OnPremises, the SMTP capability has to be configured and working.
3. Centrify PowerShell Samples.
4. Platform System Administrator account (the user that will be running the commands)
5. PGP client, e.g. Gpg4win


Begin by installing Gpg4win so that email encryption with public and private keys can be established.

Go to https://www.gpg4win.de/index.html to install an email encryption tool. This is a freely downloadable tool (donations appreciated) that can easily be implemented for testing or for production.

During the installation of Gpg4win, there will be an option to install Kleopatra. Please install this tool as it will provide a GUI for key management.

Now that Kleopatra is installed, click on ‘New Key Pair’.

Enter the details and protect the key with a passphrase, if needed.

Once the keypair is generated, a confirmation window will appear. The key will now be visible in the Kleopatra console.

Click on Export to export the key to a file.

Save the key to the desired location. For example, C:\Users\Dwirth.

Additionally, right-click the public key and choose Backup Secret Keys... The backed-up secret key is what will be used later to decrypt the escrow email. Make note of the path where this file gets saved.

Now that the keypair has been created, the next step is to set the public key so that the PAS portal will use it for encrypting the escrow email. Before this can happen, download the Centrify PowerShell modules for PAS from the following site:

https://github.com/centrify/centrify-samples-powershell

Choose Code > Download Zip.

Once the file is unzipped, check to make sure the expected files and folders are present.

Enter the module folder and make sure the three PowerShell modules are present.

All three of these modules must be imported, either individually with the “Import-Module <module name>” command or all at once with a small PowerShell script.

Now that the modules have been loaded, the following commands will be available:

Set-EscrowKey
Set-EscrowEmail
Get-EscrowEmail
Run-Escrow
Schedule-Escrow
Unschedule-Escrow
Get-EscrowScheduleStatus

A bearer token must be obtained before any of the above commands can be run. The token is proof that the person running the escrow job has been properly authenticated to the tenant. There are a few different options for this, but a basic command like the one below can be used:

PS C:\Windows\system32> $token = Centrify-InteractiveLogin-GetToken -Username dwirth@ocean.net -endpoint https://aau0937.my.centrify.net
Mechanism 0 => Password
Enter Password: ********



Enter the password for the user when prompted. On success you are returned to the prompt.

Now that a token has been obtained, the next step is to use the Set-EscrowKey command to store the public key in the PAS portal. For example:


Set-EscrowKey -Endpoint https://aau0937.my.centrify.net -Token $token.BearerToken -Filepath 'C:\Users\dwirth\public.asc'

A ‘Success? True’ message is shown if the key was stored successfully.

Next, set the email addresses of the designated recipients. Multiple email addresses can be specified; for a single recipient the command looks like this:

Set-EscrowEmail -Endpoint https://aau0937.my.centrify.net -Token $token.BearerToken -Emails 'dwirth@ocean.net'

Finally, the Run-Escrow command is executed to retrieve the vaulted info and send it in an email:


Run-Escrow -Endpoint https://aau0937.my.centrify.net -Token $token.BearerToken

The above four commands are the minimum required for exporting vaulted data. In most cases, incorporating the commands into a script will save much time and effort.

In the zip file downloaded from GitHub, there is a Centrify.Samples.PowerShell.Example.ps1 script. This script can be edited to include the commands that were used above.

Scroll down in the sample script to find the section where the tenant, username, emails, etc. are set, and replace the values with the appropriate ones for your environment.

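The following script is an added example of the whole sequence (module import, token, key, recipients, escrow run) wrapped into one PowerShell script with basic checks; it is not Centrify's sample script. The module folder path, tenant URL, user, key path and recipient address are placeholders, and the check that Set-EscrowKey succeeded relies only on the cmdlet throwing on error, since the page does not describe its return object.

```powershell
# Added example, not Centrify's Centrify.Samples.PowerShell.Example.ps1.
# All values below are placeholders (assumptions); replace them for your tenant.
param(
    [string]$ModulePath = 'C:\centrify-samples-powershell\module',  # placeholder: unzipped 'module' folder
    [string]$Endpoint   = 'https://TENANT.my.centrify.net',         # placeholder tenant URL
    [string]$Username   = 'admin@example.com',                       # placeholder PAS System Administrator
    [string]$PublicKey  = 'C:\Users\admin\public.asc',               # OpenPGP public key exported from Kleopatra
    [string]$Recipient  = 'admin@example.com'                        # escrow email recipient (single address here)
)

# Stop on the first error so a failed step never leads to a partial escrow run.
$ErrorActionPreference = 'Stop'

# 1. Import every .psm1 module found in the samples 'module' folder (the three modules the article refers to).
Get-ChildItem -Path $ModulePath -Filter '*.psm1' | ForEach-Object {
    Import-Module -Name $_.FullName -Force
}

# Fail early if any escrow cmdlet is still missing after import.
foreach ($cmd in 'Centrify-InteractiveLogin-GetToken', 'Set-EscrowKey', 'Set-EscrowEmail', 'Run-Escrow') {
    if (-not (Get-Command -Name $cmd -ErrorAction SilentlyContinue)) {
        throw "Cmdlet '$cmd' not found; check that the modules were imported from $ModulePath."
    }
}

# 2. Obtain a bearer token; the cmdlet prompts interactively for the password, as in the article.
$token = Centrify-InteractiveLogin-GetToken -Username $Username -Endpoint $Endpoint
if (-not $token.BearerToken) {
    throw 'Authentication did not return a bearer token; aborting.'
}

# 3. Store the public key in the portal. Verify the file exists before sending the request.
if (-not (Test-Path -LiteralPath $PublicKey)) {
    throw "Public key file not found: $PublicKey"
}
Set-EscrowKey -Endpoint $Endpoint -Token $token.BearerToken -Filepath $PublicKey

# 4. Set the recipient of the encrypted escrow email.
Set-EscrowEmail -Endpoint $Endpoint -Token $token.BearerToken -Emails $Recipient

# 5. Run the escrow job; the PGP-encrypted CSV is emailed to the recipient.
Run-Escrow -Endpoint $Endpoint -Token $token.BearerToken
Write-Host "Escrow run submitted for $Endpoint; check the inbox of $Recipient for the encrypted attachment."
```

Because the decrypted CSV contains vaulted passwords, the script deliberately never writes the token or the attachment to disk; decryption stays with the holder of the backed-up secret key.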
Whether the commands have been executed individually or through a script, check the email inbox associated with the specified email address. There should be an email with an encrypted attachment. This is a .csv file containing all of the account information, usernames, passwords, etc. that have been ‘escrowed’.

Once the file has been saved, right-click it and choose ‘Decrypt and Verify’. Use the secret key that was backed up earlier.

There should now be a .csv file with the .pgp extension removed.

Open the file; all of the exported account information is there.