WARNING: Setting up a new KSS without performing recovery initializes a completely new key, requiring all existing users to re-onboard and sharing operations to be repeated.
Once the recovery procedure has been completed, end users who were previously onboarded with the KSS will continue to function uninterrupted, and new end users can be onboarded with the existing KSS ID.
Recovery Walkthrough:
If possible, identify the profile ID (4 words with dashes in between) of the KSS server that has failed. It is listed in the settings section of the mobile application.
Retrieve the keyserver.yml policy file from the KSS server that has failed if possible.
Install Atakama on the new server. Do not perform onboarding.
Locate or download the “backup-key.txt” file that was created during the initial KSS installation and copy it into “c:\temp” on the new server.
Copy the keyserver.yml policy file to %localappdata%\Atakama on the new server. If the Atakama folder is missing, you can manually create it.
Load a profile from a device of the target profile by running the following command:
atakama device add --method qr "My Smartphone"
Scan the QR code.
Run the following command to list the devices:
atakama device list
Run the following command to load a profile from the added device:
atakama profile recovery load-profiles --device [id]
Note: The device ID is the 4-word ID from the step above.
To list the profiles run:
atakama profile recovery list-profiles
Select the needed profile by running:
atakama profile recovery select-profile --profile [id]
Run the following command to list the devices in the selected profile:
atakama device list
Input the recovery words (14 words or 24 words) into the new computer using this command:
atakama profile recovery ingest-words [words]
Run the following command to shut down Atakama background processes:
atakama --shutdown
Run the following command to ingest the backup key:
atakama keyserver recovery-ingest-key c:\temp\backup-key.txt
A MofNop will be sent to ALL the devices associated with the KSS profile (similar to the finalize MofNop).
Approve the MofNop.
Run the following command to shut down Atakama background processes:
atakama --shutdown
Run the following command to finalize the recovery process:
atakama profile recovery finalize
Approve the MofNop.
You can now add the Secure Folder(s) and launch Atakama normally.
Add the License Key after executing the following command:
atakama settings update-license
Run the following command to initialize the KSS:
For Atakama versions prior to Quantum Quetzalcoatl run the following command:
On a regular Keyserver:
atakama keyserver enable --backup-path %homepath%\Atakama\backup-key.txt
For Atakama versions of Quantum Quetzalcoatl and newer run the following command:
On a regular Keyserver:
atakama keyserver create --backup-path %homepath%\backup-key
On Cluster Mode:
atakama keyserver create --db-uri "mysql:host=[IP ADDRESS from the machine with MySQL],port=3306,user=[User],password=[Password assigned to that user],database=cvfs"
Run the following command to load the policy file to the database and update the ruleset:
atakama keyserver policy --load
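The file staging steps at the start of the walkthrough (profile ID, backup-key.txt in c:\temp, keyserver.yml in %localappdata%\Atakama) can be checked before any recovery command is run. The PowerShell script below is an added example, not Atakama tooling; its parameter names are hypothetical and the paths are the ones named above.

```powershell
# Added example, not Atakama tooling. Parameter names are hypothetical;
# the paths are the ones named in the walkthrough.
param(
    [string]$ProfileId,        # failed KSS profile ID, if it could be identified
    [string]$PolicySource,     # keyserver.yml retrieved from the failed server, if any
    [string]$BackupKey = 'c:\temp\backup-key.txt'
)

$problems = @()
$atakamaDir = Join-Path $env:LOCALAPPDATA 'Atakama'

# The profile ID is described as 4 words with dashes in between.
if ($ProfileId -and $ProfileId -notmatch '^[^\s-]+(-[^\s-]+){3}$') {
    $problems += "Profile ID '$ProfileId' is not four dash-separated words."
}

# The backup key must be in place before recovery-ingest-key is run.
if (-not (Test-Path -LiteralPath $BackupKey -PathType Leaf)) {
    $problems += "Backup key not found at $BackupKey."
} elseif ((Get-Item -LiteralPath $BackupKey).Length -eq 0) {
    $problems += "Backup key at $BackupKey is empty."
} else {
    # Show who can read the key while it sits in the staging folder.
    (Get-Acl -LiteralPath $BackupKey).Access |
        Select-Object IdentityReference, FileSystemRights, AccessControlType |
        Format-Table -AutoSize | Out-String | Write-Host
}

# Create %localappdata%\Atakama if it is missing, then stage the policy file.
if (-not (Test-Path -LiteralPath $atakamaDir -PathType Container)) {
    New-Item -ItemType Directory -Path $atakamaDir | Out-Null
}
$policyTarget = Join-Path $atakamaDir 'keyserver.yml'
if ($PolicySource) {
    if (Test-Path -LiteralPath $PolicySource -PathType Leaf) {
        Copy-Item -LiteralPath $PolicySource -Destination $policyTarget -Force
    } else {
        $problems += "Policy file not found at $PolicySource."
    }
}
# The walkthrough retrieves the policy file only "if possible": warn, do not fail.
if (-not (Test-Path -LiteralPath $policyTarget -PathType Leaf)) {
    Write-Warning "No keyserver.yml in $atakamaDir."
}

if ($problems.Count -gt 0) {
    $problems | ForEach-Object { Write-Warning $_ }
    exit 1
}
Write-Host 'Staging checks passed.'
```

The access list printed for backup-key.txt shows which accounts can read the key while it sits in c:\temp.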