Key archival is the storing of a private key of a certificate such that it can be recovered at a future time if required. Key recovery does not recover encrypted data or messages, but does enable a user or administrator to recover keys that can subsequently be used for data recovery, that is, data decryption.
Keys that are archived will be associated with the DN of the user, the card template used and the card key container that the card was issued to. Therefore, it will only be possible to restore keys to the particular user DN that the original key was archived for.
Note: If the vSEC:CMS is used to archive and retrieve keys then all archived keys created by the vSEC:CMS are stored encrypted in the vSEC:CMS database with a 128-bit AES key. The AES key is created when you initialize the vSEC:CMS on first use and stored encrypted in the CMS database using a key diversified by the master key of the vSEC:CMS. The master key is stored on the operator card and the access to it is PIN protected. At runtime, the AES key is held in memory of the Windows service that the vSEC:CMS is running under.
Note: When an archived key is being recovered the vSEC:CMS will always restore the certificate that was issued originally for that key.
Important: Key archival and key recovery in the vSEC:CMS has the following implementation:
· There is no support for Microsoft Key Recovery Agent (KRA);
· It is not possible to export and/or import PKCS#12 certificate files for key archiving;
· If a card template is configured for multiple role support it will not be possible to configure key archival in this case;
· Advanced transaction log search filtering for key specific transactions is not supported;
· The implementation only supports RSA keys.
For details on how to configure actual templates in vSEC:CMS to support key archival and recovery refer to the article Configure Key Archival and Key Recovery.
Key Archive Housekeeping
From the Repository - Archived Keys page the archived keys will be listed. If it is required to delete an archived key, for example a key may no longer be used or a key may have been replaced by another key, select the key and click the Delete button. This will result in the key being removed from the vSEC:CMS database. Therefore, it will not be possible to restore the deleted key if required in the future.
It is possible to configure a key recovery role that can be configured for a particular operator, thereby controlling what operations an operator can perform around key recovery. From the Options - Roles page it is possible to configure these settings.