Introduction

There are too many systems, services, and other things that require some sort of user account and password to access or use them. These are generally referred to as credentials.

Some credentials are set, used, and managed by CCCC IT staff, others by other staff, and so on. In the event that authorized staff need to access something but the primary person who uses it is unavailable, we have set up this "Credentials Escrow" Procedure.

All staff and volunteers who have credentials to any sort of system that is used by/for the church are required to provide those credentials to the IT director who maintains the main collection of credentials.

These credentials are stored in the KeePassXC password manager application. Note that "KeePass" is a more widely used version, but not as secure or usable as KeePassXC which is available for phone and host.

The basic process is that the IT Director stores all credentials in the KeePassXC application in a single "database" on their local host. That host, usually a laptop, must have full disk encryption with a very strong password set.

Once a month or so, that database is exported to an HTML file. That file is then edited to make it smaller and more printable. The instructions for this are below.

Once prepared, one copy of that HTML file is printed. A copy of the database file (which is encrypted by default) is copied to a USB drive.

Both the printout and the USB are put into a folder, in a cabinet, in Doc's office.

Senior staff and others know where this information is kept so they can refer to it as necessary.

The printed copy is most commonly used, but the digital copy of the database on the USB can be imported to the KeePassXC application to work with online.

After this has been done, the HTML file and any others created during this process are securely removed from all hosts.


Procedures

From within KeePassXC select File/Export/HTML. When prompted, give the output file the name CCCC.Credentials.html and note the directory you are saving this file to.

  1. Open the CCCC.Credentials.html file in a text editor.
  2. Add a few blank lines after the body tag.
  3. Find the beginning of the actual information and select that point. Then work down to the end of the actual information making sure that all of the actual information is highlighted.
  4. Replace the html head section with the example shown below. Do this by copying the example that is commented out in the source code at this point in the page. Do not copy and paste the block displayed below.
        <html><head><meta charset="UTF-8"><title>CapCity Credentials</title><style>body
        { font-family: "Open Sans", Helvetica, Arial, sans-serif; }h3 { margin-left: 2em; }
        caption { text-align: left; font-weight: bold; font-size: 100%;
        border-bottom: .15em solid #4ca; margin-bottom: .5em;} th, td { text-align: left;
        vertical-align: top; padding: 1px; }th { min-width: 7em; width: 15%; } .username,
        .password, .url, .attr { font-size: larger; font-family: monospace;
        overflow-wrap: word-break;} .notes { font-size: small; } </style></head>
    
  5. Change the updated date to the current date in the first line after the html body tag.
  6. Search for and delete all instances of this string, using a regular expression search: "<rarr; "
  7. Find each instance of the regular expression "(?s)<img src="data:image(.*?)\"\/>" (without the outer double quotes) and delete all instances of it. The regular expression matches every instance that begins with <img src="data:image and ends with />. Note that the actual string to search for and delete is commented out in the source code at this point.
  8. Search for the regular expression "CCCC</h2>" without the double quotes.
  9. Find the end-table-tag just before the string you just searched for.
  10. Select everything from that end-table-tag (inclusive) back up to the point just after the start-body-tag and delete that material.
  11. Next search for "Entertainment</h2>"
  12. Find the <hr> tag a bit to the left and select everything from that <hr> tag (not inclusive) down to the very last end-table-tag (not inclusive) at the end of the file and delete it. This will make the html table tags unbalanced, but it does not affect the rendering.
  13. Search and replace the regular expression "<td width="1%"></td>" (which is also shown verbatim in the source code at this point)
  14. Search for the string "overflow-wrap: anywhere" and change it to "overflow-wrap: word-break" if it is found.
  15. Save and close the file you are editing.
  16. Copy the file onto the USB drive used to store this information.
  17. Update the USB drive in the folder in the cabinet in Doc's office closet.
  18. Print a copy of this page.
  19. Replace the printout in the folder in the cabinet in Doc's office closet.
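
The manual edits in steps 7 through 12 and step 14 can be scripted so that a missed selection does not leave other groups in the printout. The following Python sketch is an added example, not part of the original procedure; the function name clean_export, the script name, and the sample export are constructed for illustration, and it assumes the export contains the same section headings the steps search for.

```python
import re
import sys

# Regular expression from step 7 of the procedure (inline data-URI icons).
IMG_RE = re.compile(r'(?s)<img src="data:image(.*?)\"\/>')
END_TABLE = "</table>"

def clean_export(html, keep_from="CCCC</h2>", drop_from="Entertainment</h2>"):
    """Return the export text with steps 7-12 and 14 applied.

    Raises ValueError when a marker is missing, so a changed group layout
    stops the run instead of silently leaving other groups in the printout.
    """
    html = IMG_RE.sub("", html)                          # step 7
    body = re.search(r"<body[^>]*>", html)
    if body is None:
        raise ValueError("no <body> tag found")
    # Steps 8-10: delete from just after <body> through the </table>
    # that precedes the first heading to keep.
    start = html.index(keep_from, body.end())
    cut = html.rfind(END_TABLE, body.end(), start)
    if cut != -1:
        html = html[:body.end()] + html[cut + len(END_TABLE):]
    # Steps 11-12: delete from after the <hr> before the first unwanted
    # heading up to (not including) the last </table> in the file.
    stop = html.index(drop_from)
    hr = html.rfind("<hr>", 0, stop)
    last = html.rfind(END_TABLE)
    if hr == -1 or last < stop:
        raise ValueError("expected <hr> ... </table> around " + drop_from)
    html = html[:hr + len("<hr>")] + html[last:]
    # Step 14.
    return html.replace("overflow-wrap: anywhere", "overflow-wrap: word-break")

# Constructed sample export (not real data): three groups, one inline icon.
SAMPLE = (
    '<html><head><style>td { overflow-wrap: anywhere; }</style></head><body>'
    '<h2>Personal</h2><table><tr><td>bank-login</td></tr></table>'
    '<h2>CCCC</h2><table><tr><td><img src="data:image/png;base64,AAAA"/>'
    'wifi-login</td></tr></table>'
    '<hr><h2>Entertainment</h2><table><tr><td>tv-login</td></tr></table>'
    '</body></html>'
)

if __name__ == "__main__":
    # Usage (hypothetical script name): python clean_export.py CCCC.Credentials.html
    with open(sys.argv[1], encoding="utf-8") as fh:
        cleaned = clean_export(fh.read())
    with open(sys.argv[1], "w", encoding="utf-8") as fh:
        fh.write(cleaned)
```

The script overwrites the exported file in place, so no extra plaintext copy is created that would also need secure removal.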