Password Recovery

If a user forgets their password for an encrypted volume, these functions enable recovery when combined with a server.

Password recovery (like Temporary Offline Policies) is a mechanism that requires server input. It takes two client operations, with server validation and server-side operations taking place between them.

  1. Request Password Recovery: The client first passes the path of the encrypted device from which the user is locked out to the HSDCPasswordRecoveryRequest function documented below. The returned value is then communicated to the server. This communication mechanism is provided when the integrator is using a recognized IDAC Server; otherwise it is left to the integrator to implement.
  2. Server Validation: If the integrator is using a recognized IDAC Server then this is taken care of for them using the normal mechanism for password recovery.

    The server validates the request by finding the MEDIUM-ENCRYPTED log entry corresponding to the id value returned by the HSDCPasswordRecoveryRequest. From there the server must:

  3. Password Recovery Response: As with the request communication to the server, the response must be communicated back to the endpoint. Once the endpoint has the encoded and encrypted MedKey it must call the HSDCPasswordRecoveryAnswer function using the value from the server as the input for passphrase.

Functions

HSDCError HSDCAPI HSDCPasswordRecoveryRequest (const wchar_t *path, char **pJstr)

Builds the initial request after extracting encrypted volume information from a path/drive letter.

HSDCError HSDCAPI HSDCPasswordRecoveryAnswer (const wchar_t *path, const char *jstr)

Recovers access to encrypted medium.

Function Documentation

HSDCPasswordRecoveryRequest()

HSDCError HSDCAPI HSDCPasswordRecoveryRequest ( const wchar_t * path, char ** pJstr )

Builds the initial request after extracting encrypted volume information from a path/drive letter.

Parameters

path

Specifies the path/drive letter of the encrypted volume.

pJstr

Returns a JSON string with all details, formatted as below:

{
    "id": "0123456789ABCDEF0123456789ABCDEF",
    "security" : "XXXXX-XXXXXX-XXX"
}

HSDCPasswordRecoveryAnswer()

HSDCError HSDCAPI HSDCPasswordRecoveryAnswer ( const wchar_t * path, const char * jstr )

Recovers access to encrypted medium.

Parameters

path

Specifies the path/drive letter of the encrypted volume.

jstr

Details of the recovery as below:

{
    "id": "0123456789ABCDEF0123456789ABCDEF",
    "security": "XXXXX-XXXXXX-XXX",
    "password": "Trust no 1", // The NEW password
    "passphrase": "XXXXX-XXXXXX-XXXXX-XXXXXX-XXXXX-XXXXXX-XXXXX-XXXXXX-XXXXX-XXXXXX-XX",
    "user": "name", // optional, User to apply the new password to
    "export": true  // optional, defaults to true
}
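An added example, not part of the vendor documentation: a hypothetical C helper, `build_recovery_answer`, that assembles the `jstr` argument for HSDCPasswordRecoveryAnswer from the request's `id` and `security`, the server's `passphrase` and the user's new password, JSON-escaping every value so that a password containing a quote or backslash cannot alter the object. It omits the optional `user` and `export` fields and assumes all values are NUL-terminated byte strings; the sample values in `main` are constructed.

```c
#include <string.h>

static int put_raw(char *out, size_t cap, size_t *pos, const char *s) {
    size_t n = strlen(s);                      /* append s verbatim */
    if (*pos + n + 1 > cap) return -1;         /* no room for s plus NUL */
    memcpy(out + *pos, s, n + 1);
    *pos += n;
    return 0;
}
/* Append s as a quoted JSON string, escaping '"', '\' and control bytes. */
static int put_str(char *out, size_t cap, size_t *pos, const char *s) {
    static const char hex[] = "0123456789abcdef";
    if (*pos + 3 > cap) return -1;             /* two quotes + NUL */
    out[(*pos)++] = '"';
    for (const unsigned char *p = (const unsigned char *)s; *p; ++p) {
        if (*pos + 7 >= cap) return -1;        /* conservative: \uXXXX, quote, NUL */
        if (*p == '"' || *p == '\\') out[(*pos)++] = '\\';
        if (*p >= 0x20) { out[(*pos)++] = (char)*p; continue; }
        const char esc[6] = { '\\', 'u', '0', '0', hex[*p >> 4], hex[*p & 15] };
        memcpy(out + *pos, esc, 6);
        *pos += 6;
    }
    out[(*pos)++] = '"';
    out[*pos] = '\0';
    return 0;
}
/* Hypothetical helper (not part of the HSDC API): returns length, or -1. */
int build_recovery_answer(char *out, size_t cap, const char *id, const char *security,
                          const char *new_password, const char *passphrase) {
    const char *keys[] = { "id", "security", "password", "passphrase" };
    const char *vals[] = { id, security, new_password, passphrase };
    size_t pos = 0;
    int ok = 1;
    for (int i = 0; ok && i < 4; ++i)
        ok = vals[i] && vals[i][0]                      /* reject missing or empty field */
          && put_raw(out, cap, &pos, i ? "," : "{") == 0
          && put_str(out, cap, &pos, keys[i]) == 0
          && put_raw(out, cap, &pos, ":") == 0
          && put_str(out, cap, &pos, vals[i]) == 0;
    ok = ok && put_raw(out, cap, &pos, "}") == 0;
    if (!ok) { memset(out, 0, cap); return -1; }        /* leave no partial secret behind */
    return (int)pos;
}
int main(void) {                                        /* constructed sample values */
    char buf[256];
    return build_recovery_answer(buf, sizeof buf, "0123456789ABCDEF0123456789ABCDEF",
        "XXXXX-XXXXXX-XXX", "Tr\"ust no 1", "XXXXX-XXXXXX-XX") > 0 ? 0 : 1;
}
```

The resulting buffer holds the new password in clear text, so clear it once HSDCPasswordRecoveryAnswer has returned.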