Chapter 3.
Setting up Key Archival and Recovery
This chapter explains how to use the Data Recovery Manager (DRM) to archive private keys and to
recover these archived keys to restore encrypted data.
NOTE
Server-side key generation is an option provided for smart card enrollments performed
through the TPS subsystem. This chapter deals with archiving keys through client-side
key generation, not the server-side key generation and archivals initiated through the TPS.
Archiving private keys protects users, and the information they have encrypted, against loss of a key.
Data is encrypted with the public key when it is stored, and the corresponding private key must be
available to decrypt it; if the private key is lost, the data cannot be recovered. A private key can be
lost through a hardware failure, because the key's owner forgets the password, or because the hardware
token that holds the key is lost. Likewise, encrypted data cannot be retrieved if the owner of the key is
unavailable to supply it.
Once the DRM is configured, has joined a security domain, and has been issued a subsystem certificate by
a Certificate System CA, it is set up to archive and recover private encryption keys. If the DRM's
certificates are instead issued by an external CA rather than by one of the CAs within the security
domain, the key archival and recovery process must be set up manually.
3.1. About Key Archival and Recovery
Key archival requires only two things: a client (that is, a browser) that can generate dual key pairs, and
a certificate profile that is configured to support key archival.
NOTE
For user dual key pairs, only the key that is used exclusively for encrypting data should be
archived; signing keys must never be archived. A second copy of a signing key destroys the
certainty with which that key identifies its owner, because the archived copy could be used
to impersonate the digital identity of the original key owner.
With a single key pair, the same key is used for both encryption and signing, so single keys
should not be archived either, for the same reason that signing keys are not.
The DRM automatically archives private encryption keys if archiving is configured.
If an end entity loses a private encryption key or is unavailable to use the private key, the key must
be recovered before any data that was encrypted with the corresponding public key can be read.
Recovery is possible if the private key was archived when the key was generated.
The DRM stores private encryption keys in a secure key repository in its internal database; each key is
encrypted and stored as a key record and is given a unique key identifier.
When a Certificate Manager receives a certificate request that contains the key archival option,
it automatically forwards the request to the DRM so that the encryption key can be archived. The
private key is encrypted with the DRM's transport key (the public key of its transport certificate)
before it leaves the client, so the DRM only ever receives the encrypted copy, which it stores as a
record in its key repository.
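The flow described above, together with the rule in the note in Section 3.1 that only encryption-only keys are ever archived, as an added example that is not part of this guide and not Certificate System's own code. The client wraps the PKCS#8 encoding of its encryption private key so that only the holder of the DRM's transport private key can open it, the DRM keeps the encrypted record under a key identifier, and recovery unwraps the record with the transport private key and uses the recovered key to read data that was encrypted to the matching public key. Certificate System carries the wrapped key inside the CRMF certificate request; the record layout, the hybrid AES-256-GCM plus RSA-OAEP wrapping, the key identifier "0x1a", the sample plaintext, and the signing-capable flag are all constructed here for illustration and are not the product's format.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"errors"
)

// ArchiveRecord is a constructed stand-in for a DRM key record: the private key appears only
// as AES-GCM ciphertext, and the AES key only wrapped to the transport public key.
type ArchiveRecord struct {
	KeyID      string
	WrappedKEK []byte // RSA-OAEP(transport public key, kek)
	Nonce      []byte
	Ciphertext []byte // AES-256-GCM(kek, PKCS#8 private key) with KeyID as associated data
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// WrapForArchival is the client side: refuse any key that can sign (signing keys and single
// dual-purpose keys), then encrypt the PKCS#8 encoding for the DRM's transport key.
func WrapForArchival(keyID string, priv *rsa.PrivateKey, signingCapable bool, transportPub *rsa.PublicKey) (*ArchiveRecord, error) {
	if signingCapable {
		return nil, errors.New("refusing to archive a key that can sign: only encryption-only keys are archived")
	}
	pkcs8, err := x509.MarshalPKCS8PrivateKey(priv)
	if err != nil {
		return nil, err
	}
	material := make([]byte, 32+12) // fresh AES-256 KEK and a 96-bit GCM nonce
	if _, err := rand.Read(material); err != nil {
		return nil, err
	}
	kek, nonce := material[:32], material[32:]
	gcm, err := newGCM(kek)
	if err != nil {
		return nil, err
	}
	// The key identifier is authenticated data, so a stored record cannot be silently re-labelled.
	ct := gcm.Seal(nil, nonce, pkcs8, []byte(keyID))
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, transportPub, kek, nil)
	if err != nil {
		return nil, err
	}
	return &ArchiveRecord{KeyID: keyID, WrappedKEK: wrapped, Nonce: nonce, Ciphertext: ct}, nil
}

// Recover is the DRM side: the transport private key unwraps the KEK, and the KEK unwraps the key.
func Recover(rec *ArchiveRecord, transportPriv *rsa.PrivateKey) (*rsa.PrivateKey, error) {
	kek, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, transportPriv, rec.WrappedKEK, nil)
	if err != nil {
		return nil, err
	}
	gcm, err := newGCM(kek)
	if err != nil {
		return nil, err
	}
	pkcs8, err := gcm.Open(nil, rec.Nonce, rec.Ciphertext, []byte(rec.KeyID))
	if err != nil {
		return nil, errors.New("archive record " + rec.KeyID + " failed authentication")
	}
	key, err := x509.ParsePKCS8PrivateKey(pkcs8)
	if err != nil {
		return nil, err
	}
	if rsaKey, ok := key.(*rsa.PrivateKey); ok {
		return rsaKey, nil
	}
	return nil, errors.New("archived key is not an RSA key")
}

// DemonstrateRecovery encrypts a constructed sample to the user's public key, archives the private
// key, then reads the sample back using only the archive record and the transport private key.
func DemonstrateRecovery(user, transport *rsa.PrivateKey) (string, error) {
	sample := []byte("constructed sample: file key for payroll-2009.xlsx")
	ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, &user.PublicKey, sample, nil)
	if err != nil {
		return "", err
	}
	rec, err := WrapForArchival("0x1a", user, false, &transport.PublicKey)
	if err != nil {
		return "", err
	}
	recovered, err := Recover(rec, transport) // the user's own copy is not used from here on
	if err != nil {
		return "", err
	}
	pt, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, recovered, ct, nil)
	return string(pt), err
}
```

The two key pairs (the user's encryption key and the DRM's transport key) are generated by the caller; in a deployment the transport private key lives only in the DRM's token and never appears on the client or the CA, which is why the CA can forward the request without being able to read the key. Tying the key identifier into the GCM associated data means a record whose identifier has been altered in the repository fails authentication on recovery instead of quietly yielding someone else's key.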