Chapter 2. Overview of Red Hat Certificate System Subsystems
The DRM stores private encryption keys in a secure key repository in its internal database; each key is
encrypted and stored as a key record and is given a unique key identifier.
The archived copy of the key remains wrapped with the DRM's storage key. It can be decrypted, or
unwrapped, only with the private key of the storage key pair, that is, the private key corresponding
to the storage certificate. A combination of one or more key recovery (or DRM) agents' certificates
authorizes the DRM to complete the key recovery: the DRM retrieves its private storage key and uses
it to decrypt (recover) the archived private key.
The DRM indexes stored keys by key number, owner name, and a hash of the public key, allowing for
highly efficient searching. The key recovery agents have the privilege to insert, delete, and search for
key records.
• When the key recovery agents search by the key ID, only the key that corresponds to that ID is
returned.
• When the agents search by user name, all stored keys belonging to that owner are returned.
• When the agents search by the public key in a certificate, only the corresponding private key is
returned.
When a Certificate Manager receives a certificate request that contains the key archival option,
it automatically forwards the request to the DRM to archive the encryption key. The private key is
encrypted by the transport key, and the DRM receives the encrypted copy and stores the key in its key
repository. To archive the key, the DRM uses two special key pairs:
• A transport key pair and corresponding certificate.
• A storage key pair.
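The archive-and-recover flow and the three search modes described above, as an added Python model that is not part of the Red Hat Certificate System code. The transport and storage key pairs are stood in for by random symmetric keys and a toy HMAC-keystream wrap (assumptions made here for a stand-alone example), and the agent check is a simple count rather than the real certificate-based authorization.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass


def _wrap(key: bytes, label: bytes, data: bytes) -> bytes:
    # Toy key wrapping: XOR with an HMAC-derived keystream. Symmetric, so the
    # same call unwraps. Stands in for the real RSA/AES wrapping (assumption).
    stream = b""
    counter = 0
    while len(stream) < len(data):
        stream += hmac.new(key, label + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


@dataclass
class KeyRecord:
    key_id: int          # unique key number assigned by the DRM
    owner: str           # owner name
    pubkey_hash: str     # hash of the public key, used as a search index
    wrapped_key: bytes   # private key wrapped with the DRM storage key


class DRM:
    def __init__(self, agents_required: int):
        self.transport_key = secrets.token_bytes(32)  # models the transport key pair
        self.storage_key = secrets.token_bytes(32)    # models the storage key pair
        self.agents_required = agents_required
        self.records = {}
        self.next_id = 1

    def archive(self, owner: str, public_key: bytes, key_wrapped_for_transport: bytes) -> int:
        # The key arrives wrapped with the transport key; the DRM unwraps it and
        # rewraps it with the storage key before storing the record.
        private_key = _wrap(self.transport_key, b"transport", key_wrapped_for_transport)
        rec = KeyRecord(self.next_id, owner, hashlib.sha256(public_key).hexdigest(),
                        _wrap(self.storage_key, b"storage", private_key))
        self.records[rec.key_id] = rec
        self.next_id += 1
        return rec.key_id

    def search_by_id(self, key_id):
        return [r for r in self.records.values() if r.key_id == key_id]

    def search_by_owner(self, owner):
        return [r for r in self.records.values() if r.owner == owner]

    def search_by_public_key(self, public_key):
        h = hashlib.sha256(public_key).hexdigest()
        return [r for r in self.records.values() if r.pubkey_hash == h]

    def recover(self, key_id: int, agent_approvals: set) -> bytes:
        # Recovery is refused until enough distinct agents have approved.
        if len(agent_approvals) < self.agents_required:
            raise PermissionError("not enough key recovery agents approved")
        return _wrap(self.storage_key, b"storage", self.records[key_id].wrapped_key)


def client_archive_request(drm: DRM, owner: str, public_key: bytes, private_key: bytes) -> int:
    # Client side: the private key is wrapped with the transport key before it leaves the client.
    return drm.archive(owner, public_key, _wrap(drm.transport_key, b"transport", private_key))
```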
Figure 2.1, "How the Key Archival Process Works" illustrates how the key archival process occurs
when an end entity requests a certificate.
Figure 2.1. How the Key Archival Process Works
1. The client requests and generates a dual key pair.