2.3.2. Certificate Manager and DRM

In a more complex scenario, the organization requires key archival and recovery capabilities along with the CA. For example, when encrypted mail is widely used, the organization risks data loss if it cannot recover encryption keys: once a user's private key is lost, every message encrypted to that key is unreadable unless an archived copy exists. In this case, the Certificate System deployment has both the Certificate Manager and a DRM.

To add key storage and recovery, a DRM can be installed on the same machine or on a different machine. Figure 2.2, “Certificate Manager and DRM in Different Instances” illustrates the relationship between a DRM and a Certificate Manager. All communication between the Certificate Manager and the DRM takes place over HTTPS.

Figure 2.2. Certificate Manager and DRM in Different Instances

NOTE

The DRM is intended for archival and recovery of private encryption keys only; signing keys are never archived, because a signing key that someone other than its owner can recover would undermine non-repudiation. Therefore, end entities must use a browser that supports dual-key generation, so that the encryption key pair is generated separately from the signing key pair and only the encryption private key is sent for archival.
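The archival and recovery flow that this section and the note describe, modeled as an added example in Go using only the standard library (this is not code from the Certificate System documentation or from the product): the end entity generates separate signing and encryption key pairs, wraps only the encryption private key under a fresh session key that is itself wrapped with the DRM's transport public key, and the DRM later unwraps it so that mail encrypted to the lost key can be read again. The 2048-bit RSA keys, the AES-256-GCM session-key wrapping, the owner name alice@example.test and the sample mail body are assumptions constructed for this example; the product's own request format and agent-approval workflow are not reproduced.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"fmt"
)

// ArchivedKey is one record as the DRM stores it: the owner's encryption private key sealed
// with a fresh AES-256-GCM session key, plus that session key wrapped (RSA-OAEP) with the DRM
// transport public key. The Certificate Manager relays the blob; only the DRM can open it.
type ArchivedKey struct {
	WrappedSessionKey, Nonce, SealedPrivateKey []byte
}

func mustKey() *rsa.PrivateKey {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return k
}

// WrapForArchival is the client side of archival: it wraps the encryption private key, and
// nothing else, for the DRM transport key. The signing key is never handed to this function.
// The owner's name is GCM additional data, so a blob cannot be replayed under another name.
func WrapForArchival(owner string, encryption *rsa.PrivateKey, transport *rsa.PublicKey) (ArchivedKey, error) {
	buf := make([]byte, 32+12) // AES-256 session key followed by a 96-bit GCM nonce
	rand.Read(buf)             // crypto/rand.Read never returns an error
	session, nonce := buf[:32], buf[32:]
	block, _ := aes.NewCipher(session) // cannot fail: key length is fixed at 32 bytes
	gcm, _ := cipher.NewGCM(block)     // cannot fail: AES block size is always 16 bytes
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, transport, session, nil)
	if err != nil {
		return ArchivedKey{}, err
	}
	sealed := gcm.Seal(nil, nonce, x509.MarshalPKCS1PrivateKey(encryption), []byte(owner))
	return ArchivedKey{WrappedSessionKey: wrapped, Nonce: nonce, SealedPrivateKey: sealed}, nil
}

// RecoverArchived is the DRM side. Only the DRM holds transport, so only it can unwrap the
// session key; a real DRM also gates this behind agent approval.
func RecoverArchived(transport *rsa.PrivateKey, owner string, rec ArchivedKey) (*rsa.PrivateKey, error) {
	session, err := rsa.DecryptOAEP(sha256.New(), nil, transport, rec.WrappedSessionKey, nil)
	if err != nil {
		return nil, fmt.Errorf("unwrap session key: %w", err)
	}
	block, err := aes.NewCipher(session) // a forged record could carry a bad key length
	if err != nil {
		return nil, err
	}
	gcm, _ := cipher.NewGCM(block)
	der, err := gcm.Open(nil, rec.Nonce, rec.SealedPrivateKey, []byte(owner))
	if err != nil {
		return nil, fmt.Errorf("open archived key for %q: %w", owner, err)
	}
	return x509.ParsePKCS1PrivateKey(der)
}

// LostKeyScenario plays out the data-loss case from the text. Dual-key generation gives the
// user a signing key (never archived) and an encryption key (archived); mail is encrypted to
// the encryption key, the client copy is lost, and the DRM recovers it. It reports whether the
// mail was read back and whether the recovered key is the encryption key, not the signing key.
func LostKeyScenario() (bool, bool, error) {
	drmTransport := mustKey() // held only by the DRM
	owner, signing, encryption := "alice@example.test", mustKey(), mustKey()
	rec, err := WrapForArchival(owner, encryption, &drmTransport.PublicKey)
	if err != nil {
		return false, false, err
	}
	mail := []byte("constructed encrypted-mail body")
	ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, &encryption.PublicKey, mail, nil)
	if err != nil {
		return false, false, err
	}
	// The client's copy of encryption is now lost; the mail is unreadable without the DRM.
	recovered, err := RecoverArchived(drmTransport, owner, rec)
	if err != nil {
		return false, false, err
	}
	pt, err := rsa.DecryptOAEP(sha256.New(), nil, recovered, ct, nil)
	if err != nil {
		return false, false, err
	}
	isEncKey := recovered.PublicKey.Equal(&encryption.PublicKey) && !recovered.PublicKey.Equal(&signing.PublicKey)
	return bytes.Equal(pt, mail), isEncKey, nil
}

func main() {
	fmt.Println(LostKeyScenario())
}
```

Two properties of the record are worth noting. The Certificate Manager in the middle never sees the plaintext key, because the session key is wrapped to the DRM's transport public key and only the DRM holds the matching private key; this is why a compromised DRM, and not a compromised Certificate Manager, exposes the archived keys. And binding the owner's name into the GCM additional data means a record cannot be presented to the DRM under a different user's name, so recovery fails closed when the name and the blob disagree.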

When determining where to place a DRM, consider possible firewall interactions between it and the Certificate Manager, the physical security required for each subsystem, and the physical location of the Certificate Manager agents, the DRM agents, and the other people responsible for administering the Certificate Manager and recovering keys.

Like a Certificate Manager, a DRM has special physical security requirements, since a compromised DRM exposes every archived private key, and with it everything ever encrypted under those keys, with devastating consequences for the entire PKI. Consider keeping the DRM in a special locked room or building; this consideration can affect the deployment strategy.