Chapter 6. Data Recovery Manager
This chapter explains how to use the Data Recovery Manager (DRM) to archive private keys and to
recover these archived keys to restore encrypted data.
NOTE
Server-side key generation is an option provided for smart card enrollments performed
through the TPS subsystem. This form of server-side key generation is handled in
Chapter 7, Token Processing System. This chapter deals with archiving keys through
client-side key generation, not the server-side key generation and archivals initiated
through the TPS.
Archiving private keys protects users, and the information they have encrypted, if a key is ever lost.
Information is encrypted with the public key when it is stored, and the corresponding private key must
be available to decrypt it. If the private key is lost, the data cannot be retrieved. A private key can be
lost because of a hardware failure, or because the key's owner forgets the password or loses the
hardware token in which the key is stored. Similarly, encrypted data cannot be retrieved if the owner
of the key is unavailable to supply it.
6.1. PKI Setup for Archiving and Recovering Keys
To archive private encryption keys and recover them later, the PKI configuration must include the
following elements:
• Clients that can generate dual keys and that support the key archival option (using the CRMF/CMMF
protocol).
• An installed and configured DRM.
• HTML forms with which end entities can request dual certificates (based on dual keys) and key
recovery agents can request key recovery.
6.1.1. Clients That Can Generate Dual Key Pairs
Only keys that are used exclusively for encrypting data should be archived; signing keys in particular
should never be archived. Having two copies of a signing key makes it impossible to identify with
certainty who used the key; a second archived copy could be used to impersonate the digital identity
of the original key owner.
Clients that generate single key pairs use the same private key for both signing and encrypting data,
so a private key derived from a single key pair cannot be archived and recovered. Clients that can
generate dual key pairs use one private key for encrypting data and the other for signing data. Since
the private encryption key is separate, it can be archived.
In addition to generating dual key pairs, the clients must also support archiving the encryption key in
certificate requests. This option archives keys at the time the private encryption keys are generated as
a part of issuing the certificate.
6.2. Data Recovery Manager Certificates
The DRM uses the following key pairs and certificates: