Setting Up Key Archival - Red Hat CERTIFICATE SYSTEM 8.0 - ADMINISTRATION Admin Manual


Chapter 3. Setting up Key Archival and Recovery
The archived copy of the key remains wrapped with the DRM's storage key. It can be decrypted, or
unwrapped, only by using the private key that corresponds to the storage certificate. A combination
of one or more key recovery (or DRM) agents' certificates authorizes the DRM to complete the key
recovery: the DRM retrieves its private storage key and uses it to decrypt (recover) the archived
private key. The DRM indexes stored keys by key number, owner name, and a hash of the public key,
allowing for highly efficient searching.
Figure 3.1, "How the Key Archival Process Works" illustrates how the key archival process occurs
when an end entity requests a certificate.
Figure 3.1. How the Key Archival Process Works
Both subsystems subject the request to configured certificate profile constraints at appropriate stages.
If the request fails to meet any of the profile constraints, the subsystem rejects the request.
The DRM supports agent-initiated key recovery, in which designated recovery agents use the key
recovery form on the DRM agent services page to process and approve key recovery requests. With
the approval of a specified number of agents, an organization can recover keys when the key's owner
is unavailable or when keys have been lost.
In key recovery authorization, one of the key recovery agents informs all required recovery agents
about an impending key recovery. All recovery agents access the DRM key recovery page. One of
the agents initiates the key recovery process. The DRM returns a notification to that agent which
includes a recovery authorization reference number identifying the particular key recovery request
that the agents are required to authorize. Each agent uses the reference number and authorizes key
recovery separately.
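The storage-key wrapping, the key index (key number, owner name, public-key hash) and the separate per-agent authorizations described above, as an added Python model; this is not Certificate System code, and the `cryptography` library, the `ToyDRM` class, the recovery-threshold parameter and all sample values are assumptions of the example.

```python
import hashlib
import os
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

OAEP = padding.OAEP(mgf=padding.MGF1(hashes.SHA256()), algorithm=hashes.SHA256(), label=None)


class ToyDRM:
    """Constructed model of DRM key archival and agent-authorized recovery (not RHCS code)."""

    def __init__(self, required_agents):
        self.storage_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
        self.required_agents = required_agents   # number of distinct agents that must authorize
        self.archive = {}   # key number -> record (wrapped key plus index fields)
        self.pending = {}   # reference number -> {"key_number": n, "approvals": set of agents}
        self.next_key_number = 1

    def archive_key(self, owner, private_key, public_key):
        # Wrap the private key under a fresh AES key, then wrap that AES key under the storage key,
        # so only the holder of the storage private key can ever unwrap the archived copy.
        aes_key, nonce = os.urandom(32), os.urandom(12)
        record = {
            "owner": owner,
            "pubkey_hash": hashlib.sha256(public_key).hexdigest(),
            "wrapped_aes": self.storage_key.public_key().encrypt(aes_key, OAEP),
            "nonce": nonce,
            "wrapped_priv": AESGCM(aes_key).encrypt(nonce, private_key, None),
        }
        number, self.next_key_number = self.next_key_number, self.next_key_number + 1
        self.archive[number] = record
        return number

    def find(self, owner=None, public_key=None):
        # Look up archived keys by owner name and/or by the hash of the public key.
        h = hashlib.sha256(public_key).hexdigest() if public_key is not None else None
        return [n for n, r in self.archive.items()
                if (owner is None or r["owner"] == owner) and (h is None or r["pubkey_hash"] == h)]

    def initiate_recovery(self, key_number):
        # One agent initiates; the DRM hands back a reference number the other agents authorize against.
        ref = os.urandom(4).hex()
        self.pending[ref] = {"key_number": key_number, "approvals": set()}
        return ref

    def authorize(self, agent, ref):
        self.pending[ref]["approvals"].add(agent)   # a set: the same agent cannot count twice

    def recover(self, ref):
        req = self.pending[ref]
        if len(req["approvals"]) < self.required_agents:
            return None   # threshold not reached: the storage key is never used
        r = self.archive[req["key_number"]]
        aes_key = self.storage_key.decrypt(r["wrapped_aes"], OAEP)
        return AESGCM(aes_key).decrypt(r["nonce"], r["wrapped_priv"], None)
```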

3.2. Setting up Key Archival

NOTE
Key archival is only possible using clients which support dual key pairs.
