Where the Keys Are Stored; How Key Archival Works - Red Hat Certificate System 7.1 Administrator's Manual

Key Archival Process
An employee leaves the company, and company officials need to perform an audit that
requires gaining access to the employee's encrypted mail.

Where the Keys are Stored

If configured properly, the Data Recovery Manager stores your end entities' encryption
private keys automatically whenever the associated or connected Registration Manager or
Certificate Manager issues certificates to your users. The Data Recovery Manager stores
encryption private keys in a secure key repository in its internal database; each key is stored
as a key record.
The archived copy of the key remains encrypted (or wrapped) with the Data Recovery
Manager's storage key; see "Data Recovery Manager's Key Pairs and Certificates" on
page 203. It can be decrypted (or unwrapped) only by using the corresponding private key,
to which no individual has direct access. A combination of one or more key recovery
agents' passwords enables the Data Recovery Manager to retrieve its private storage key
and use it to decrypt and recover an archived key. For details on how this process works, see
"Key Recovery Agents and Their Passwords" on page 193.
The Data Recovery Manager indexes stored keys by key number (or ID), owner name, and
a hash of the public key, allowing for highly efficient searching by name or by public key.
The key recovery agents have the privilege to insert, delete, and search for key records. The
search feature works like this:
• When the key recovery agents search by the key ID, only the key that corresponds to
that ID is returned.
• When the agents search by user name, all stored keys belonging to that owner are
returned.
• When the agents search by the public key in a certificate, only the corresponding
private key is returned.

How Key Archival Works

When a Certificate Manager or Registration Manager receives a certificate request that
contains the key archival option, it automatically forwards the request to the Data Recovery
Manager to archive the end-entity's encryption private key. The Data Recovery Manager
receives an encrypted copy of the end-entity's private key and stores the key in its key
repository. To archive the key, the Data Recovery Manager uses two special key pairs:
• A transport key pair and corresponding certificate
• A storage key pair
190
Red Hat Certificate System Administrator's Guide • September 2005
