6.2. Finding and Recovering Keys

If an end user loses a private encryption key, or if a key's owner is unavailable, data encrypted with that key cannot be read unless a copy of the private key was archived in the DRM when the key was created. The archived key can then be recovered and used to read the data.

A DRM agent manages key recovery through the DRM agent services page. Archived keys can be searched to view their details or to initiate a key recovery. Once a key recovery is initiated, a configured minimum number of designated DRM agents must authorize the recovery before the key is released.

NOTE

This section describes how to recover keys that are not stored on a smart card. For smart card key recovery, see chapter 7, "Token Processing System," in the Certificate System Administration Guide and Section 8.6, “Administrator Operations”.

6.2.1. Finding Archived Keys

Archived keys can be searched to examine the key details or to initiate recovery. Selecting search criteria and selecting a key from the search results is the same for both operations.

To search for and list archived keys, do the following:

  1. Open the DRM agent services page.

  2. Click Search for Keys or Recover Keys to display the search criteria form.

    When selecting the Recover Keys operation, there is an additional option to initiate recovery for any key that is found.

    Figure 6.1. Search for Keys Page

  3. To search by particular criteria, use the different sections of the Search for Keys or Recover Keys form. To use a section, select the check box for that section, then fill in any necessary information.

    • Owner name. Finds an archived key with a specific owner name. The owner name for a key, like the subject name for a certificate, consists of a string that can be used in searches.

    • Key identifiers. Finds an archived key with a specific key identifier, or lists all keys within a range of key identifiers.

      • To find a key with a specific key identifier, enter the key identifier in both the upper limit and lower limit fields, in decimal or hexadecimal form. Use the prefix 0x to indicate a hexadecimal number; for example, 0x2A (decimal 42). Key identifiers are displayed in hexadecimal form in the Search Results and Details pages.

      • To find all keys within a range of key identifiers, enter the upper and lower limits of the key identifier range in decimal or hexadecimal form.

      Leaving either the lower limit or upper limit field blank displays all keys before or after the number specified.

    • Certificate. Finds the archived key that corresponds to a specific public key. Select the check box and paste the certificate containing the base-64 encoded public key into the text area.

      NOTE

      The encryption certificate associated with the key pair must be found first. Use the Certificate Manager agent services page to find the certificate; for instructions, see Section 4.3, “Examining Certificates”.

    • Archiver. Finds keys that were archived by a specific server. Select the check box and enter the user ID of the Certificate Manager that submitted the key archival request. This information is available only for archival requests from servers that are remote from the DRM.

      To limit the number of results returned, fill in a value for Maximum results. To limit the time allowed for the search, enter a value for Time limit in seconds.

  4. After entering the search criteria, click Show Key.

    The DRM displays a list of the keys that match the search criteria. Select a key from the list to examine its details. If the search was initiated with the Recover Keys button, there is the additional option of recovering any key returned by the search.

    Figure 6.2. Search Results Page

  5. In the Search Results form, select a key.

    If a desired key is not shown, scroll to the bottom of the list and use the arrows to move to another page of search results.

  6. Click the ID number next to the selected key. The details of the selected key are shown in the Key Details page. The key cannot be modified through this page; it is read-only.

Figure 6.3. Key Details Page

6.2.2. Recovering Keys

If the search was initiated through the Recover Keys button, the Search Results page also allows the agent to initiate the recovery of any key found.

To initiate key recovery, do the following:

  1. On the DRM agent services page, click Recover Keys, specify search criteria, and click Show Key to display a list of archived keys.

  2. In the Search Results form, select a key.

    If a desired key is not shown, scroll to the bottom of the list and select Next or Previous for another page of search results.

  3. Click Recover next to the selected key.

    The key details are displayed in the Authorize Key Recovery form, where the agent submits authorization information.

    Figure 6.4. Key Detail Page for Recovering Keys

    The number of key recovery agent authorizations required to recover a key, and the group from which those agents are drawn, are configured by the DRM administrator with the following parameters in the CS.cfg file:

    kra.noOfRequiredRecoveryAgents=1
    kra.recoveryAgentGroup=Data Recovery Manager Agents

    With the value 1, a single agent can complete a recovery on their own. Setting kra.noOfRequiredRecoveryAgents to 2 or more enforces multi-agent (m-of-n) authorization, so that no one agent can release an archived private key alone; the value must not exceed the number of agents in the configured group, or recoveries can never complete.
  4. Set the PKCS #12 token password that the requester will use to import the recovered certificate/key pair package. This password is the only protection on the private key once the file leaves the DRM, so choose a strong one.

  5. Optionally, set a certificate nickname for the archived key.

  6. Paste the base-64 encoded certificate corresponding to the archived key into the text area.

    The certificate can be searched and viewed through the Certificate Manager agent services pages.

    If the archived key was found through the corresponding public key, the certificate information is automatically transferred to the form.

  7. Click Recover to initiate the key recovery request.

    Selecting this option notifies the key recovery agents that a recovery has been initiated and gives them the recovery authorization reference number.

    NOTE

    Do not close the browser after initiating the key recovery. The initiating agent must wait for the other required agents to authorize the key recovery request before the system returns the hyperlink to download the PKCS #12 file containing the private key. The page refreshes repeatedly to check whether the other agents have authorized.

  8. Each of the required recovery agents must approve the key recovery once they receive the recovery authorization number.

    1. Open the DRM agent services page.

    2. Select Authorize Recovery.

    3. Enter the recovery authorization request number.

    4. Select Examine to examine the key being recovered.

    5. Select Grant to complete the key recovery.

  9. Once the required agents have authorized the recovery, the agent who initiated the key recovery request is given a link to download the PKCS #12 file.

  10. When the PKCS #12 link is clicked, a dialog box appears. Specify the path and filename to save the encrypted file containing the recovered certificate and key pair.

  11. Send the encrypted file to the requester.

  12. Give the recovery password to the requester in a secure manner, over a channel separate from the one used to send the file, so that an interceptor of either one alone cannot open the package.

    The requester must use this password to import the recovered certificate/key pair.
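Before sending the downloaded PKCS #12 file to the requester (step 11), an agent can confirm that it opens with the password set in step 4 and that the private key inside matches the certificate pasted in step 6. The following shell script is an added example, not part of the Certificate System guide: it builds a constructed key pair, certificate and PKCS #12 file with OpenSSL to stand in for the file returned by the DRM, then runs the check. The file names, password and subject name are assumptions.

```shell
#!/bin/sh
# Added example (not Certificate System code): sanity-check a recovered
# PKCS #12 package before handing it to the requester.
set -eu

# --- Constructed stand-in for the file downloaded from the DRM -------------
# Assumptions: paths, password and subject are illustrative only.
WORK=$(mktemp -d)
P12="$WORK/recovered.p12"
P12_PASS="recovery-password"      # the PKCS #12 password chosen in step 4

# A throwaway RSA key pair and self-signed certificate play the role of the
# archived encryption key and its certificate.
openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/key.pem" \
    -out "$WORK/cert.pem" -days 30 -subj "/CN=jsmith" >/dev/null 2>&1
openssl pkcs12 -export -in "$WORK/cert.pem" -inkey "$WORK/key.pem" \
    -name "jsmith encryption key" -out "$P12" -passout "pass:$P12_PASS"

# --- The check an agent would run on the real downloaded file --------------
# verify_p12 FILE PASSWORD
# Returns 0 when FILE opens with PASSWORD and the private key it contains
# matches the public key in the certificate it contains; 1 otherwise.
verify_p12() {
    p12="$1"; pass="$2"; tmp=$(mktemp -d)
    # Extract only the end-entity certificate (-nokeys -clcerts) and only the
    # private key (-nocerts); either failing means a bad password or a
    # malformed package.
    openssl pkcs12 -in "$p12" -passin "pass:$pass" -nokeys -clcerts \
        -out "$tmp/cert.pem" >/dev/null 2>&1 || { rm -rf "$tmp"; return 1; }
    openssl pkcs12 -in "$p12" -passin "pass:$pass" -nocerts -nodes \
        -out "$tmp/key.pem" >/dev/null 2>&1 || { rm -rf "$tmp"; return 1; }
    # Compare the SubjectPublicKeyInfo derived from each side; hashing both
    # with the same tool keeps the output format identical for comparison.
    cert_pub=$(openssl x509 -in "$tmp/cert.pem" -pubkey -noout | openssl sha256)
    key_pub=$(openssl pkey -in "$tmp/key.pem" -pubout | openssl sha256)
    rm -rf "$tmp"
    [ "$cert_pub" = "$key_pub" ]
}

if verify_p12 "$P12" "$P12_PASS"; then
    echo "OK: private key in $P12 matches its certificate"
else
    echo "FAIL: password rejected or key/certificate mismatch" >&2
fi
```

A mismatch usually means the wrong certificate was pasted into the Authorize Key Recovery form, so the DRM returned a package for a different archived key; a password failure means the value typed in step 4 is not the one being communicated to the requester. Either way, re-run the recovery rather than ship the file.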