Key Recovery Agent Scheme - Netscape Certificate Management System 6.2 - Administrator's Manual

CAUTION
The PKCS #12 package contains the private key. To minimize the risk of key compromise, the recovery agent must use a secure, out-of-band means to deliver the PKCS #12 package and its password to the key recipient. As an administrator, you should recommend that the recovery agent use a strong password for encrypting the PKCS #12 package, and you should also consider setting up an appropriate delivery mechanism.

Key Recovery Agent Scheme

The key recovery agent scheme consists of configuring the Data Recovery Manager to
recognize a fixed number of key recovery agents (a minimum of one) and
specifying how many of these agents are required to authorize a key recovery
request before the archived key is restored. Each recovery agent provides the Data
Recovery Manager with a password, which it uses to generate a unique PIN; the
Data Recovery Manager uses the PIN to protect its storage key pair, which in turn
protects the end entities' keys.
The Data Recovery Manager tracks the key recovery agent password for each agent
and allows you to facilitate changing agents' passwords; you do not have direct
access to these passwords or the actual storage key password. Each password
retrieves only a part of the private storage key.
You first specified the key recovery agent scheme when you installed the Data
Recovery Manager.
Changing the Key Recovery Agent Scheme
You can change the total number of key recovery agents for a Data Recovery
Manager and the number of key recovery agents required to retrieve an
end-entity's encryption private key from the Data Recovery Manager's key
repository.
To change the key recovery agent scheme:
1. Access the CMS window (see "Logging Into the CMS Console" on page 245).
2. Click the Configuration tab.
Key Recovery Process | Chapter 6 Data Recovery Manager | 209
