The PAS Escrow feature is a disaster recovery capability. It allows administrators to securely export PAS credentials over e-mail for offline access in case of an issue with the PAS service that impairs access to vaulted items (systems, domains, databases and their child accounts).
The following steps export vaulted data, including the vaulted account passwords for Systems, Accounts, Domains, and Databases, from Centrify's Privileged Access Service. Centrify provides PowerShell modules that expose the escrow commands. The exported data is written to a CSV file that can be used to regain access to accounts in a disaster recovery scenario.
Members of the PAS System Administrator role can run the commands one at a time or from a PowerShell script. The resulting file is e-mailed to the intended recipients as a PGP-encrypted attachment, so the matching OpenPGP secret (private) key, and its passphrase, are required to open it.
Note: The PAS Escrow feature is not designed to export Secrets or the PAS configuration.
Prerequisites:
1. Centrify Privileged Access Service 19.1 or above.
2. If using PAS OnPremises, the SMTP capability has to be configured and working (the escrow file is delivered by e-mail).
3. Centrify PowerShell Samples.
4. Platform System Administrator account (the user that will be running the commands).
5. A PGP client, e.g. Gpg4win.
Begin by installing Gpg4win so that email encryption with public and private keys can be established.
Go to https://www.gpg4win.de/index.html to install an email encryption tool. This is a freely downloadable tool (donations appreciated) that can easily be implemented for testing or for production.
During the installation of Gpg4win, there will be an option to install Kleopatra. Install this component, as it provides a GUI for key management:
Now that Kleopatra is installed, click on ‘New Key Pair’
Enter the details and protect the key with a passphrase. The passphrase is optional in Kleopatra, but it is strongly recommended here: this key is what protects every escrowed password once the e-mail has been delivered, so anyone who obtains the secret key file would otherwise be able to read them all.
Once the keypair is generated, a confirmation window will appear. The key will now be visible in the Kleopatra console as below:
Click on Export to export the public key to a file. This is the key that will be given to PAS so it can encrypt the escrow e-mail:
Save the public key to the desired location. For example, C:\Users\Dwirth.
Additionally, right-click the certificate and choose Backup Secret Keys... This secret key is what will decrypt the escrow e-mail later. Make note of the path where this file gets saved, and keep the backup off the PAS-connected machine (for example on removable media stored securely), since the secret key plus its passphrase unlocks every escrow file ever sent to this address.
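The following PowerShell script is an added example and is not part of the original article or of Centrify's samples. It performs the three Kleopatra steps above (generate a key pair, export the public key, back up the secret key) with the gpg.exe that Gpg4win installs, and records the key fingerprint so the public key later uploaded to PAS can be checked against it. The output folder, the key owner name and e-mail address, and the default Gpg4win install path are assumptions; adjust them for your environment.

```powershell
# Added example (not from the original article): gpg.exe equivalent of the Kleopatra steps.
# Assumptions: output folder, key name, mailbox address and the default Gpg4win gpg.exe path.
$ErrorActionPreference = 'Stop'

# gpg.exe ships with Gpg4win; fall back to the usual install location if it is not on PATH.
$gpg = (Get-Command gpg.exe -ErrorAction SilentlyContinue).Source
if (-not $gpg) { $gpg = 'C:\Program Files (x86)\GnuPG\bin\gpg.exe' }   # assumed default path

$outDir = 'C:\Users\Dwirth'            # export location, matching the article's example path
$name   = 'PAS Escrow'                 # assumed key owner name
$email  = 'pas-escrow@example.com'     # assumed mailbox that will receive the escrow e-mail

# Unattended key generation. No "Passphrase:" line is given and %no-protection is not used,
# so GnuPG 2.x asks for the passphrase through pinentry instead of reading it from this file.
$params = @"
Key-Type: RSA
Key-Length: 4096
Subkey-Type: RSA
Subkey-Length: 4096
Name-Real: $name
Name-Email: $email
Expire-Date: 0
%commit
"@
$paramFile = Join-Path $env:TEMP 'pas-escrow-key.params'
Set-Content -Path $paramFile -Value $params -Encoding ASCII
try {
    & $gpg --batch --gen-key $paramFile
    if ($LASTEXITCODE -ne 0) { throw "gpg --gen-key failed with exit code $LASTEXITCODE" }
}
finally {
    Remove-Item $paramFile -Force -ErrorAction SilentlyContinue
}

# Record the fingerprint so the public key uploaded to PAS can be verified against it later.
# In --with-colons output the fingerprint is the 10th field of the 'fpr' record.
$fprLine = (& $gpg --with-colons --fingerprint $email) |
           Where-Object { $_ -like 'fpr:*' } | Select-Object -First 1
$fingerprint = $fprLine.Split(':')[9]
Write-Host "Escrow key fingerprint: $fingerprint"

# 'Export...' in Kleopatra: the public key, which is all PAS needs to encrypt the escrow e-mail.
$publicKeyFile = Join-Path $outDir 'pas-escrow-public.asc'
& $gpg --yes --armor --output $publicKeyFile --export $email
if ($LASTEXITCODE -ne 0) { throw "public key export failed with exit code $LASTEXITCODE" }

# 'Backup Secret Keys...' in Kleopatra: the secret key needed to decrypt the escrow file.
# gpg prompts for the key's passphrase here; move the resulting file off this host afterwards.
$secretKeyFile = Join-Path $outDir 'pas-escrow-secret-backup.asc'
& $gpg --yes --armor --output $secretKeyFile --export-secret-keys $email
if ($LASTEXITCODE -ne 0) { throw "secret key backup failed with exit code $LASTEXITCODE" }

Write-Host "Public key : $publicKeyFile"
Write-Host "Secret key : $secretKeyFile (store offline; protected by the passphrase only)"
```

The fingerprint printed by the script is worth keeping with the disaster recovery runbook: when the public key is later configured in PAS, comparing fingerprints is the check that the escrow e-mail will be encrypted to the key whose secret half was actually backed up, rather than to a stale or look-alike key.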
Now that the key pair has been created, the next step is to configure the public key so that the PAS portal will use it to encrypt the escrow e-mail. Before this can happen, download the Centrify PowerShell modules for PAS from the following site:
A bearer token must be obtained before any of the escrow commands can be run. The token is proof that the person running the escrow job has authenticated to the tenant, and every subsequent command presents it. There are a few different ways to obtain one, but a basic command like the one below can be used:
The above four commands are the minimum required for exporting vaulted data. In most cases, incorporating the commands into a script saves time and effort and makes the procedure repeatable during an actual recovery.
In the zip file that gets downloaded from GitHub, there is a Centrify.Samples.PowerShell.Example.ps1 script. This script can be edited to include the commands that were used above.
Scroll down in the sample script to find the following area. The values here can be replaced with the appropriate values for the tenant, username, emails, etc.
Whether the commands have been executed individually or through a script, check the inbox associated with the specified e-mail address. There should be an e-mail with an encrypted attachment: a PGP-encrypted .csv file containing all of the account information (system or resource, username, password, and so on) that has been escrowed.
Once the attachment has been saved, right-click it and choose 'Decrypt and Verify'. Decryption uses the secret key that was backed up earlier, so that key must be present in the Kleopatra keyring on the machine doing the decryption (import the backup if it is not) and its passphrase will be requested.
There should now be a .csv file with the .pgp extension removed.
Open the file to see the exported account information. Because this plaintext file contains every escrowed password, keep it only on encrypted or offline media and delete it as soon as the recovery need has passed:
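The following PowerShell script is an added example, not part of the original article or of Centrify's samples. It is the gpg.exe equivalent of Kleopatra's 'Decrypt and Verify' for the saved attachment, and then takes a first look at the recovered CSV without printing any password: it checks gpg's machine-readable status output rather than trusting the exit code alone, treats a bad signature as a failure, locks the plaintext down to the current user, and reports only the row count and column names. The attachment path and the gpg.exe location are assumptions, and no particular CSV column name is assumed because the article does not list them.

```powershell
# Added example (not from the original article): command-line 'Decrypt and Verify' plus a
# safe first look at the recovered CSV. Assumptions: attachment path and gpg.exe location.
$ErrorActionPreference = 'Stop'

$gpg = (Get-Command gpg.exe -ErrorAction SilentlyContinue).Source
if (-not $gpg) { $gpg = 'C:\Program Files (x86)\GnuPG\bin\gpg.exe' }   # assumed default path

$encryptedFile = 'C:\Users\Dwirth\escrow.csv.pgp'     # the saved e-mail attachment (assumed name)
if ($encryptedFile -notmatch '\.pgp$') { throw "expected a .pgp attachment, got: $encryptedFile" }
$plainFile = $encryptedFile -replace '\.pgp$', ''     # same name with .pgp removed, as in the article

# The secret key backed up earlier must already be in this keyring (gpg --import <backup file>).
# --status-fd 1 makes gpg emit "[GNUPG:] ..." status lines on stdout; the plaintext goes to --output.
$status = & $gpg --batch --yes --status-fd 1 --output $plainFile --decrypt $encryptedFile
if ($LASTEXITCODE -ne 0 -or -not ($status -match '^\[GNUPG:\] DECRYPTION_OKAY')) {
    Remove-Item $plainFile -Force -ErrorAction SilentlyContinue
    throw 'decryption failed: is the escrow secret key imported and was the passphrase correct?'
}
# Signature status is only present if the sender signed the file. A missing signature is
# not an error for a plain encrypted attachment, but a bad one means the file was tampered with.
if ($status -match '^\[GNUPG:\] (BADSIG|ERRSIG)') {
    Remove-Item $plainFile -Force -ErrorAction SilentlyContinue
    throw 'signature check failed: do not trust this escrow file'
}
elseif ($status -match '^\[GNUPG:\] GOODSIG') { Write-Host 'Signature verified.' }

# Restrict the plaintext to the current user for as long as it exists.
$acl = Get-Acl -Path $plainFile
$acl.SetAccessRuleProtection($true, $false)          # drop inherited ACEs
$me  = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
$acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule($me, 'FullControl', 'Allow')))
Set-Acl -Path $plainFile -AclObject $acl

# Inspect the recovered data without echoing secrets: count rows and list the header names only.
$rows    = @(Import-Csv -Path $plainFile)
$columns = if ($rows.Count -gt 0) { $rows[0].PSObject.Properties.Name } else { @() }
Write-Host ("Recovered {0} escrowed record(s); columns: {1}" -f $rows.Count, ($columns -join ', '))

# Remove-Item does not wipe disk blocks, so keep the plaintext on encrypted or removable media
# and delete it once the recovery is complete, e.g. Remove-Item -Path $plainFile -Force
```

Checking for DECRYPTION_OKAY matters because gpg can exit non-zero for reasons unrelated to the data (a missing or expired key, an unusable pinentry) and, conversely, can leave a partially written output file behind on failure; deleting the plaintext on any failure path keeps a half-decrypted credential file from lingering on disk.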