Chapter 6. DRM: Recovering Encrypted Data
This chapter describes how authorized Data Recovery Manager (DRM) agents process key recovery requests and recover stored encrypted data when the encryption key has been lost. This service is available only when the DRM subsystem is installed.
There are three kinds of key service requests:
Key archival requests, made by Certificate Manager agents
Key recovery requests, made by DRM agents
Token key requests for archiving smart card (token) keys in conjunction with server-side key generation requests. This request can only be initiated through a TPS subsystem.
A DRM agent reviews these requests. An agent can search for and list key service requests with a particular status, such as completed or rejected, select a key service request from the returned list, and examine the request details. Key service requests are handled internally; it is not necessary to take any action on them unless the Certificate System is specially configured.
To list key service requests, do the following:
Open the DRM agent services page.
Click List Requests to display the List Requests form. This page specifies which key service requests to list.
Choose the type of requests to see from the Request type menu. There are three request types, plus an option to show all of them:
Show Key Archivals requests
Show Key Recovery requests
Show Token Key requests
Show all requests
Select the status of requests from the Request status menu.
Show canceled requests. Unless the system is specially configured to allow requests to be canceled, there are no canceled requests.
Show rejected requests. Rejected requests do not comply with the archival or recovery policies. Unless the system is specially configured to allow requests to be rejected, there are no rejected requests.
Show completed requests. Completed requests include archival requests for which proof of archival has been sent and completed recovery requests.
Show all requests. All requests stored in the system.
To start the list at a specific place in the queue, enter the starting request identifier in decimal or hexadecimal form. Prefix a hexadecimal number with 0x; for example, 0x2A. Key identifiers are displayed in hexadecimal form on the Search Results and Details pages.
Choose the number of matching requests to be returned. The system displays that number of requests, beginning with the starting request identifier.
Click Find.
The DRM displays a list of the key service requests that match the search criteria. Select a request from the list to examine it in more detail.
On the Key Service Request Queue form, find a particular request. If the desired request is not shown, scroll to the bottom of the list, and use the arrows to move to another page of search results.
Clicking the ID number next to a request opens the Request Details form, which gives the complete information for the request. The request cannot be modified on this page.
If the system changes the state of the displayed request, navigating between pages with the browser's Back or Forward buttons or its history can cause the data shown to be out of date. To refresh the data, click the highlighted key identifier at the top of the page.