Red Hat Certificate System 7.3 Administration Manual: Overview of Archiving Keys; Reasons to Archive Keys; Where the Keys Are Stored; How Key Archival Works

7.4. Overview of Archiving Keys

The DRM automatically archives private encryption keys if archiving is configured. For instructions on
setting up a key archival and recovery infrastructure, see Section 7.6, "Configuring Key Archival and
Recovery Process".

7.4.1. Reasons to Archive Keys

If an end entity loses its private encryption key, or is unavailable to use it, the key must be
recovered before any data that was encrypted with the corresponding public key can be read.
Recovery is possible only if the private key was archived when the key was generated.
There are some common situations when it is necessary to recover encryption keys:
• An employee loses the private encryption key and cannot read encrypted mail messages.
• An employee is on an extended leave, and someone needs to access an encrypted document.
• An employee leaves the company, and company officials need to perform an audit that requires
gaining access to the employee's encrypted mail.

7.4.2. Where the Keys Are Stored

The DRM stores private encryption keys in a secure key repository in its internal database; each key is
encrypted and stored as a key record and is given a unique key identifier.
The archived copy of the key remains wrapped with the DRM's storage key. It can be decrypted, or
unwrapped, only with the private key of the storage key pair, whose public key is the one in the storage
certificate. A combination of one or more key recovery (or DRM) agents' certificates authorizes the
DRM to complete the key recovery: the DRM retrieves its private storage key and uses it to decrypt,
and thereby recover, the archived private key. For details on how this process works, see Section 7.5.1,
"Key Recovery Agents and Their Passwords".
The DRM indexes stored keys by key number, owner name, and a hash of the public key, allowing for
highly efficient searching. The key recovery agents have the privilege to insert, delete, and search for
key records.
• When the key recovery agents search by the key ID, only the key that corresponds to that ID is
returned.
• When the agents search by user name, all stored keys belonging to that owner are returned.
• When the agents search by the public key in a certificate, only the corresponding private key is
returned.

7.4.3. How Key Archival Works

When a Certificate Manager receives a certificate request that contains the key archival option,
it automatically forwards the request to the DRM to archive the encryption key. The private key in
the request is encrypted with the DRM's transport key, so it never travels in the clear; the DRM
receives the encrypted copy, decrypts it with its transport private key, and stores the key in its key
repository wrapped with its storage key. To archive the key, the DRM uses two special key pairs:
• A transport key pair and corresponding certificate.
• A storage key pair.
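The archival flow just described, and the storage, indexing and agent-gated recovery described in Section 7.4.2, as one added example written for this page. It is not Red Hat Certificate System code and does not reproduce its wire formats; it uses only the Go standard library. Assumptions: the key is wrapped hybrid-style (a fresh AES-256-GCM session key encrypts the DER private key, RSA-OAEP wraps the session key), which stands in for whatever encoding the product actually uses; the storage key is modelled as an RSA key pair, as the text says; agent authorization is modelled as a count of distinct agent names, not the agent password scheme of Section 7.5.1; the names DRM, KeyRecord, wrapTo, unwrapWith, ClientArchiveRequest, Archive and Recover are hypothetical; the owner and agent names are constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"errors"
)

// KeyRecord is one repository entry (keyed by key ID); the private key is present only wrapped to the storage key pair.
type KeyRecord struct {
	Owner          string   // indexed
	PubHash        [32]byte // indexed: SHA-256 of the DER-encoded public key
	WrappedSession []byte   // AES-256 session key, RSA-OAEP-encrypted to the storage public key
	EncPriv        []byte   // nonce || AES-GCM ciphertext of the DER-encoded private key
}
// DRM holds the two special key pairs named in the text: transport and storage (hypothetical model, not RHCS code).
type DRM struct {
	transport, storage *rsa.PrivateKey
	records            map[int]KeyRecord // key ID -> record; nothing is deleted, so len+1 is the next ID
}
func mustKey() *rsa.PrivateKey {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return k
}
func NewDRM() *DRM {
	return &DRM{transport: mustKey(), storage: mustKey(), records: map[int]KeyRecord{}}
}
func (d *DRM) TransportPublicKey() *rsa.PublicKey { return &d.transport.PublicKey } // what the transport certificate carries
func gcm(key []byte) cipher.AEAD {
	block, _ := aes.NewCipher(key) // session keys are always 32 bytes, so neither call can fail
	g, _ := cipher.NewGCM(block)
	return g
}
// wrapTo is the hybrid wrapping used towards both key pairs: a fresh AES-256 session key encrypts pt,
// and RSA-OAEP wraps only that key to pub, because RSA cannot encrypt a whole private key in one block.
func wrapTo(pub *rsa.PublicKey, pt []byte) (wrappedSession, ct []byte, err error) {
	buf := make([]byte, 44) // 32-byte session key followed by a 12-byte GCM nonce
	if _, err = rand.Read(buf); err != nil {
		return nil, nil, err
	}
	session, nonce := buf[:32], buf[32:]
	wrappedSession, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, session, nil)
	return wrappedSession, gcm(session).Seal(nonce, nonce, pt, nil), err
}
func unwrapWith(priv *rsa.PrivateKey, wrappedSession, ct []byte) ([]byte, error) {
	session, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, wrappedSession, nil)
	if err != nil {
		return nil, err
	}
	if len(ct) < 12 {
		return nil, errors.New("ciphertext too short to hold a nonce")
	}
	return gcm(session).Open(nil, ct[:12], ct[12:], nil)
}
// ClientArchiveRequest is the end entity's side: the private encryption key leaves the client only wrapped to the transport public key.
func ClientArchiveRequest(transportPub *rsa.PublicKey, priv *rsa.PrivateKey) (wrappedSession, encPriv []byte, err error) {
	return wrapTo(transportPub, x509.MarshalPKCS1PrivateKey(priv))
}
// Archive is the DRM's side: unwrap with the transport private key, check the key really belongs to
// the certificate's public key, re-wrap it to the storage key pair, and index it.
func (d *DRM) Archive(owner string, pub *rsa.PublicKey, wrappedSession, encPriv []byte) (int, error) {
	der, err := unwrapWith(d.transport, wrappedSession, encPriv)
	if err != nil {
		return 0, err
	}
	priv, err := x509.ParsePKCS1PrivateKey(der)
	if err != nil || !priv.PublicKey.Equal(pub) {
		return 0, errors.New("request does not carry the private key for this public key")
	}
	ws, ct, err := wrapTo(&d.storage.PublicKey, der)
	if err != nil {
		return 0, err
	}
	id := len(d.records) + 1
	d.records[id] = KeyRecord{Owner: owner, PubHash: sha256.Sum256(x509.MarshalPKCS1PublicKey(pub)), WrappedSession: ws, EncPriv: ct}
	return id, nil
}
// Recover uses the storage private key only once the required number of distinct key recovery
// agents has approved, modelling the agent authorization the text describes.
func (d *DRM) Recover(id int, approvingAgents map[string]bool, required int) (*rsa.PrivateKey, error) {
	if len(approvingAgents) < required {
		return nil, errors.New("insufficient key recovery agent approvals")
	}
	r, ok := d.records[id]
	if !ok {
		return nil, errors.New("no such key record")
	}
	der, err := unwrapWith(d.storage, r.WrappedSession, r.EncPriv)
	if err != nil {
		return nil, err
	}
	return x509.ParsePKCS1PrivateKey(der)
}
```

Two checks in Archive are worth noticing: the DRM never stores what it received (a blob only the transport private key can open) but re-wraps the key to the storage pair, so the two key pairs can be protected and rotated independently; and it refuses a request whose private key does not match the certificate's public key, so an archive entry can never be attached to someone else's certificate.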