When data is stored in encrypted form, you must have the private key that
corresponds to the public key that was used to encrypt the data in order to decrypt
and read it. If the private key is lost, the data cannot be retrieved. A private key can
be lost because of a hardware failure, for example, or because the key's owner
forgets the password or loses the hardware token in which the key is stored.
Similarly, encrypted data cannot be retrieved if the owner of the key is unavailable
to supply it—for example, has left the organization that owns the data.
This chapter explains how to use the Data Recovery Manager to archive users'
encryption private keys and how to use the archived keys later, in place of missing
encryption keys, to recover encrypted data.
The chapter has the following sections:
• PKI Setup for Key Archival and Recovery (page 715)
• Key Archival Process (page 717)
• Key Recovery Process (page 721)
• Configuring Key Archival and Recovery Process (page 731)
PKI Setup for Key Archival and Recovery
To be able to archive users' encryption private keys and recover them later, you
need a PKI setup that includes the following elements:
• Clients that can generate dual keys (a separate signing key pair and encryption key pair, so that only the encryption private key is ever archived) and that support the key archival option (using the CRMF/CMMF protocol)
• An installed and configured Data Recovery Manager
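As an added illustration of the archive-then-recover flow this chapter describes and of the dual-key setup listed above (this is example code, not code from the Netscape CMS manual or the product), the Go program below models both roles: a client that generates an encryption key pair and, at enrollment, seals that private key to the Data Recovery Manager's public key, and a DRM that later opens the record and hands the key back once the user's own copy is gone. The record layout (ArchiveRecord), the hybrid AES-GCM plus RSA-OAEP wrapping, the function names and the sample document are all assumptions made for the example; the real exchange is carried inside the CRMF request and the DRM re-wraps the key under its own storage key, neither of which is modelled here.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"errors"
)

// ArchiveRecord is the assumed DRM-side record for one archived key (an
// illustration, not CMS code: CRMF framing and the storage-key re-wrap are omitted).
type ArchiveRecord struct {
	WrappedKEK []byte // AES key, RSA-OAEP wrapped to the DRM public key
	SealedKey  []byte // nonce || AES-GCM(PKCS#8 private key)
}

// hybridSeal encrypts data under a fresh AES-256-GCM key and wraps that key
// with RSA-OAEP (RSA alone cannot carry a multi-kilobyte private key).
func hybridSeal(pub *rsa.PublicKey, data []byte) (wrappedKEK, sealed []byte, err error) {
	buf := make([]byte, 32+12) // AES-256 key || 96-bit GCM nonce
	if _, err = rand.Read(buf); err != nil {
		return nil, nil, err
	}
	kek, nonce := buf[:32], buf[32:]
	block, _ := aes.NewCipher(kek) // 32-byte key: cannot fail
	gcm, _ := cipher.NewGCM(block) // AES block: cannot fail
	sealed = gcm.Seal(nonce, nonce, data, nil)
	wrappedKEK, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, kek, nil)
	return wrappedKEK, sealed, err
}

// hybridOpen reverses hybridSeal; it fails unless priv matches the wrapping key.
func hybridOpen(priv *rsa.PrivateKey, wrappedKEK, sealed []byte) ([]byte, error) {
	kek, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, wrappedKEK, nil)
	if err != nil {
		return nil, errors.New("cannot unwrap data key: wrong or missing private key")
	}
	if len(sealed) < 12 {
		return nil, errors.New("sealed blob too short")
	}
	block, _ := aes.NewCipher(kek)
	gcm, _ := cipher.NewGCM(block)
	return gcm.Open(nil, sealed[:12], sealed[12:], nil)
}

// archiveEncryptionKey is the client side of the archival option: the
// encryption private key, and only that key, is sealed to the DRM's public key.
func archiveEncryptionKey(encPriv *rsa.PrivateKey, drmPub *rsa.PublicKey) (ArchiveRecord, error) {
	der, err := x509.MarshalPKCS8PrivateKey(encPriv)
	if err != nil {
		return ArchiveRecord{}, err
	}
	kek, sealed, err := hybridSeal(drmPub, der)
	return ArchiveRecord{WrappedKEK: kek, SealedKey: sealed}, err
}

// recoverEncryptionKey is the DRM side: open the record with the DRM private
// key and return a usable copy of the user's encryption private key.
func recoverEncryptionKey(rec ArchiveRecord, drmPriv *rsa.PrivateKey) (*rsa.PrivateKey, error) {
	der, err := hybridOpen(drmPriv, rec.WrappedKEK, rec.SealedKey)
	if err != nil {
		return nil, err
	}
	key, err := x509.ParsePKCS8PrivateKey(der)
	if err != nil {
		return nil, err
	}
	if rsaKey, ok := key.(*rsa.PrivateKey); ok {
		return rsaKey, nil
	}
	return nil, errors.New("archived key is not an RSA key")
}

// RunScenario: key archived at enrollment, data encrypted to it, key lost, DRM recovers it.
func RunScenario() (string, error) {
	drmKey, _ := rsa.GenerateKey(rand.Reader, 2048) // DRM transport key pair
	encKey, _ := rsa.GenerateKey(rand.Reader, 2048) // user's encryption key pair
	rec, err := archiveEncryptionKey(encKey, &drmKey.PublicKey)
	if err != nil {
		return "", err
	}
	wrappedKEK, sealed, err := hybridSeal(&encKey.PublicKey, []byte("Q3 payroll (constructed sample)"))
	if err != nil {
		return "", err
	}
	encKey = nil // token lost: the only surviving copy is the DRM's archive
	if _, err := hybridOpen(drmKey, wrappedKEK, sealed); err == nil {
		return "", errors.New("the DRM key alone must not open user data")
	}
	recovered, err := recoverEncryptionKey(rec, drmKey)
	if err != nil {
		return "", err
	}
	pt, err := hybridOpen(recovered, wrappedKEK, sealed)
	return string(pt), err
}
```

Two details are worth noticing. The DRM's private key never decrypts user data directly; it only unwraps the archived copy of the user's key, which is why the hybridOpen call with drmKey has to fail. And the signing half of a dual-key pair is never passed to archiveEncryptionKey, so a recovery can restore access to encrypted data without ever giving anyone the means to produce the user's signatures.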
Chapter 22 Setting Up Key Archival and Recovery 715