The first panel is for authorizing a minimum number of Key Custodians in order to recreate the shared secret—follow these steps:
- Input the appropriate K value in the K field. This is the minimum number of Key Custodians required to activate the appliance, which must be the same value chosen when the Key Custodians were first created. Choosing an incorrect value for K will not throw an error, but the resultant keystores produced by the tool will be nonfunctional.
- Input the appropriate N value in the N field. This is the total number of Key Custodians created, which must be the same value chosen when the Key Custodians were first created.
If the values of K or N are unknown, use this command:
```
mysql -u skles -p`dbpass 2> /dev/null` strongkeylite -e "select k, n from key_custodians;"
```
The output of that command should look similar to this:
In this image, the rows of numbers under the column marked K (in this case “2”) represent the K value. The rows of numbers under the column marked N (in this case “3”) represent the N value.
- If the KC is physically located in front of the appliance, the KC inserts their USB token into the appliance.
- Click Browse and select the appropriate KC credential file—it will have a filename that matches their role.
- The KC types the password for their credential file in the Password field.
- Click Verify to ensure that the password unlocks the credential file correctly. If the password is correct, a message will appear at the bottom of the tool stating that it was correct.
- If the password verification is successful, click Validate to submit the secret to the tool. If the process works correctly, a success message will appear on the bottom of the screen: “PIN submitted successfully! (1 of K)”
- Notice that the K and N values are locked after the first Key Custodian authenticates. If an error was made, click Reset to start over.
Once the minimum number of KCs (K) have successfully validated their credentials, KC-ReplaceTool will unlock the second and third panels.