Key Shard Server Deployment

Setup KSS Profile

Install and onboard Atakama on your workstation. The Atakama Profile on your workstation will be used to secure the backup key for the KSS. This Atakama Profile should have at least two mobile devices and at least five total devices (including the workstation). The more devices, the greater the redundancy for business continuity and disaster recovery purposes.



Enable the KSS

  1. Copy the attached policy template (keyserver.yml) to %localappdata%\Atakama.
    (Additional policy configuration can be made by following this KB article.)
  2. Shut down Atakama and run the following command in cmd or PowerShell:

    atakama keyserver create --backup-path [PATH] [--ignore-security-checks]

    Example:

    atakama keyserver create --backup-path %homepath%\backup-key.txt --ignore-security-checks

    Note: If there are multiple security groups, run atakama sg list to list all available security groups, then specify the security group to use with the --security-group parameter.

    Note: The %homepath% syntax is expanded by cmd. In PowerShell, write $env:HOMEPATH instead.

  3. Copy the Keyshard Server ID. It will be used for setting up additional endpoints using the Key Shard Server.

Setup requires an approval threshold of at least three (3) devices and at least five (5) total devices in the profile, unless the --ignore-security-checks flag is passed.

Adding, removing, or replacing keys and devices should be done via the command-line interface.

If the previous KSS backup key is lost, the following command creates a new one. The [PATH] argument specifies the file that will be created:


keyserver save-backup-key [PATH]


Example:

keyserver save-backup-key "%homepath%\backup-key.txt"


After initialization, the KSS ID should be displayed on the screen. This ID is required to onboard users using the KSS.


WARNING: When using a virtualized server, scheduling automated daily backups is recommended over manual backups, as manual backups might not be kept up to date and might not include the current administrator devices. In addition, VMware's vMotion will require re-activation of the license key, because the license activation's signature will not match due to the different hardware configuration.

