
Packing Key Reset

info
This feature is available on all subscription plans.
  • Team Plan: Available
  • Business Plan: Available
  • Enterprise Plan: Available

Overview

Key Concept: Packing Key

When a user loses their Packing Key Passphrase, they also lose the ability to decrypt their passwords, which can lead to business interruptions and frustration. Passpack has adopted a "zero-knowledge" model, which means that Passpack does not have the capability to view the sensitive data, including passwords or notes, of any account. Your data is never viewable except by those to whom you grant access. Passpack cannot reset a packing key on a user's behalf, as we do not have the knowledge (encryption material) required to reset a key.

Resetting a Packing Key Passphrase is, however, possible at the organization level by leveraging a feature we've built whereby an organization administrator may reset a Packing Key Passphrase for their users.

Requirements

A few important requirements exist for this capability to function. If you think you may want this functionality in your organization, please ensure that you carefully adhere to these requirements.

  • Administrator Actions: One of your administrators must enable the "Packing Key Reset" setting and select the enrollment model as Enabled.
  • User Actions: After the administrator enables the functionality:
    • Existing Users: Users must log in to the system. An organization setting of Enabled will automatically enroll the user in the Packing Key Reset capability.
    • New Users: Any users who are added to your organization after the setting is modified will either automatically be enrolled or have the option to manually enroll, depending on the setting. If the setting is Enabled, no action is necessary on the part of the administrator or the user.

Important Considerations

Organization Dependency

The packing key reset functionality is organization-dependent. If a person is an administrator of an organization (ORG-1) and a user within another organization (ORG-2) then the following rules are applied:

  • The user's packing key reset capability is available to any administrator within ORG-1.
  • The user's packing key reset capability is not available to any administrator of ORG-2.

Activation

To activate this setting an administrator should:

  • Log into their account.
  • Click on the gear icon in the upper right corner of the screen and then click on the gear icon to get to Settings.
  • Click on "Organization Settings" in the left side menu.
  • Click on "Policies" which will be across the top.
  • Find the section called "Packing Key Reset" and choose the setting you wish. Only Enabled will enable this feature.

Below is a screenshot indicating how to find the setting.

Screenshot: Enabling Packing Key Reset

Enrollment

Enrollment is a necessary step: it securely deposits the user's packing key into the organization's secure repository, which is only accessible by organization administrators. If your policy is set to Enabled, then users will have their packing key reset information automatically placed in the organization's secure repository, without any manual user interaction, after their next login. This enrollment is only performed one time.

Resetting a Packing Key

After the Packing Key Reset setting is Enabled and a user has logged into Passpack, their account is enrolled and ready for Packing Key Reset.

The user should inform one of their organization's administrators, through a channel of their choosing, that they have lost their packing key.

danger

We encourage the organization to develop an authorization and authentication strategy for when these reset requests are received. The Packing Key is the final security measure (after login and MFA) protecting access to an organization's sensitive information. It is your responsibility to decide when to recover a packing key, depending on your level of comfort with the request.

Suggestions:

  • Treat these requests like an email phishing attempt. View these requests as suspicious by default and verify the authenticity of the request.
  • Enter the request into your trouble ticket system, if available, to track progress. This helps prevent multiple people working the same problem and confusion during verification.
  • Only use known and pre-defined communication channels with the end user. This may be a form of communication other than email, as a malicious attacker could gain access to email and reset a password.
    • Phone calls
    • Text messages
    • Instant messages
    • Video conference
    • Sneaker net (walk to the user)

To reset a user's packing key an administrator should:

  • Log into their account.
  • Click on the gear icon in the upper right corner of the screen and then click on the gear icon to get to Settings.
  • Click on "License Management" in the left side menu.
  • Locate the user and then click on the three vertical dots under "Actions".
  • Click on the action labelled "Reset Packing Key".

Screenshot: Enabling Packing Key Action

  • A slide-out panel will appear and allow you to enter a new packing key (technically a Packing Key Passphrase) for the user. In this panel you can use a password generator, view a strength gauge, and copy the new packing key to your clipboard.

Screenshot: Enabling Packing Key Change

  • Click the button "Update Packing Key". This will reset the packing key to the value the administrator chose and email all administrators, as well as the user, that their packing key has been reset. The new Packing Key Passphrase itself is not emailed; the administrator must securely share it with the user.

How it Works

When a user is enrolled, the user's packing key needs to be securely deposited into the organization's secure repository in such a way that the unencrypted packing key is never sent over the network, and never in a way that would allow Passpack to see or inspect the packing key.

Making a Reset Key

  1. A user logs into Passpack and enters their Packing Key Passphrase. This process decrypts their Account Encryption Material Keys and makes them available within the application.
  2. If the Account Encryption Material Keys need to be placed in the secure repository, then the user's private encryption key is encrypted to the public portion of the organization's Reset Key. This encrypted key is stored on Passpack's servers. We refer to it as the user's User Reset Packing Key.

Technical Details

All of the following occurs after the administrator issues the reset.

  • Within the Passpack application, the administrator's account downloads an ephemeral copy of the organization's Reset Key for the packing key reset vault.
  • The Reset Key encryption keys are decrypted using the administrator's encryption keys.
  • The user's User Reset Packing Key is downloaded from the Passpack servers.
  • The User Reset Packing Key is decrypted using the Reset Key private key. This creates a temporary, in-memory copy of the end user's Account Encryption Material Keys.
  • The Account Encryption Material Keys are encrypted using the administrator-selected Packing Key Passphrase, resulting in a new set of Account Encryption Material Keys which is uploaded to the Passpack servers, replacing the information associated with the end user's account. The end user can use the new Account Encryption Material Keys once the administrator-set Packing Key Passphrase has been shared with them.