Planning for Data Recovery and Key Recovery

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

If public key pairs and certificates are lost due to system failure, it can be time consuming and expensive to replace them and the data that they protect. For this reason, as part of your certificate management plan, you need to evaluate the potential consequences of loss of public keys and the data that they secure, and create a strategy for data and key recovery.

Data recovery is a process by which data is encrypted so that more than one party can retrieve it in plaintext form: in EFS, the random key that encrypts a file is itself encrypted once to the user's public key and once to the public key of each data recovery agent named in the recovery policy. Data recovery does not imply that the user's private key has been recovered; the recovery agent obtains the plaintext of the protected data, not the key of the user. Key recovery is one method for data recovery, but not the only one.

Use data recovery if you need to be able to recover data in your organization, but do not need to have access to individual private keys of users.

The advantages of data recovery include:

  • It does not require a certification authority or any other PKI infrastructure; the recovery agent certificate can be self-signed.

  • Data recovery policies can be managed centrally by means of Active Directory.

  • Users do not have to manage certificates or private keys for data recovery.

  • The user's private key is never disclosed to anyone else, so decryption of anything that key protects outside the recovery policy remains limited to the user alone.

The disadvantages of data recovery include:

  • An administrative process must recover user data. Users cannot recover their own data.

  • You cannot scope what a data recovery agent can and cannot recover: an agent named in the recovery policy can recover every file that was encrypted while that policy applied.

  • Data recovery occurs manually on a file-by-file basis.

  • Only data is recovered, and not the user keys. Therefore, after data recovery is completed, the user must re-enroll for new certificates.

  • It is assumed that, when a key is lost, the certificate is compromised. Therefore, administrators must revoke old certificates.

  • Stand-alone workstations or workstations in non-Active Directory environments cannot be centrally managed.

Key recovery allows a trusted agent to gain access to the private keys of users. Use it only if organization policy permits a person other than the original requester, such as an administrator acting as a key recovery agent, to obtain another user's private key and certificate. Because whoever recovers an encryption private key can use it, non-repudiation claims about that key are weakened even when policies and procedures against unauthorized recovery are in place. If your organization does not permit anyone other than the original requester to have access to a user's private key, do not implement key archival and recovery.
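The difference between the two designs is easiest to see side by side. The following model is an added example for this page, not Microsoft's code and not how Windows implements either feature: it mirrors EFS's layout (the file encryption key, FEK, wrapped to the owner in a Data Decryption Field and to each recovery agent in a Data Recovery Field) and the CA-side key archival (the owner's private key wrapped to the key recovery agent). To run with the Python standard library only, RSA key transport is replaced by a symmetric wrap, each principal's "private key" is a 32-byte secret, and the file cipher is a SHA-256 keystream; all secrets and file contents are constructed sample data.

```python
# Added model (not Microsoft's code): data recovery via recovery-agent fields
# versus key recovery via an archived copy of the user's private key.
# EFS wraps a random file encryption key (FEK) to the owner (DDF) and to each
# data recovery agent (DRF); key archival wraps the owner's private key to the
# KRA.  To run with the standard library only, RSA key transport is replaced by
# a symmetric wrap and each principal's "private key" is a 32-byte secret.
# The SHA-256 keystream cipher is illustration only, not production crypto.
import hashlib
import hmac
import os
from dataclasses import dataclass, field


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode SHA-256 keystream (toy stand-in for a real cipher)."""
    out = bytearray()
    for counter in range((length + 31) // 32):
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
    return bytes(out[:length])


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def wrap(recipient_secret: bytes, payload: bytes) -> bytes:
    """nonce(16) || payload XOR keystream || HMAC tag(32).  The tag makes a
    wrong secret fail loudly instead of returning garbage."""
    nonce = os.urandom(16)
    ct = _xor(payload, _keystream(recipient_secret, nonce, len(payload)))
    tag = hmac.new(recipient_secret, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unwrap(recipient_secret: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(recipient_secret, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong key for this field")
    return _xor(ct, _keystream(recipient_secret, nonce, len(ct)))


@dataclass
class EncryptedFile:
    nonce: bytes
    ciphertext: bytes
    ddf: bytes                                # FEK wrapped to the owner
    drf: list = field(default_factory=list)   # FEK wrapped to each DRA


def encrypt_file(plaintext: bytes, owner: bytes, dras: list) -> EncryptedFile:
    """Data-recovery design: one wrapped copy of the FEK per party allowed to read."""
    fek, nonce = os.urandom(32), os.urandom(16)
    ct = _xor(plaintext, _keystream(fek, nonce, len(plaintext)))
    return EncryptedFile(nonce, ct, wrap(owner, fek), [wrap(d, fek) for d in dras])


def decrypt_file(enc: EncryptedFile, secret: bytes) -> bytes:
    """Try the DDF, then each DRF.  A DRA learns only this file's FEK, never
    the owner's private key, so the owner's other keys and files are untouched."""
    for blob in [enc.ddf, *enc.drf]:
        try:
            fek = unwrap(secret, blob)
        except ValueError:
            continue
        return _xor(enc.ciphertext, _keystream(fek, enc.nonce, len(enc.ciphertext)))
    raise ValueError("no DDF or DRF matches this key")


def archive_private_key(owner: bytes, kra: bytes) -> bytes:
    """Key-archival design: the CA database keeps the owner's key wrapped to the KRA."""
    return wrap(kra, owner)


def recover_private_key(archive_blob: bytes, kra: bytes) -> bytes:
    """The KRA gets the owner's key itself and can then read every file, even
    ones carrying no DRF.  This is the non-repudiation cost the text describes."""
    return unwrap(kra, archive_blob)


# Constructed demonstration data (random secrets, sample content).
USER, DRA, KRA = os.urandom(32), os.urandom(32), os.urandom(32)
PLAINTEXT = b"quarterly-figures.xls (constructed sample content)"
policy_file = encrypt_file(PLAINTEXT, USER, [DRA])   # written under a DRA policy
orphan_file = encrypt_file(PLAINTEXT, USER, [])      # stand-alone box, no policy
archive = archive_private_key(USER, KRA)


def demo() -> dict:
    """Which party can read which file under each design."""
    results = {
        "owner_reads_own_file": decrypt_file(policy_file, USER) == PLAINTEXT,
        "dra_reads_policy_file": decrypt_file(policy_file, DRA) == PLAINTEXT,
        "dra_reads_orphan_file": True,
        "kra_reads_orphan_via_key_recovery":
            decrypt_file(orphan_file, recover_private_key(archive, KRA)) == PLAINTEXT,
    }
    try:
        decrypt_file(orphan_file, DRA)
    except ValueError:
        results["dra_reads_orphan_file"] = False
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

Running the model shows the trade-off the surrounding text describes: the recovery agent reads the file written under the recovery policy but gets nothing from the file written without one and never holds the owner's key, whereas the key recovery agent, once it recovers the owner's key, reads every file the owner ever encrypted, including the one with no recovery field.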

The advantages of key recovery include:

  • Users do not have to re-enroll for certificates, change security settings, and so on.

  • Existing certificates do not have to be revoked.

  • Users do not have to recover any data or e-mail due to lost private keys.

  • All data encrypted by means of a public key in a certificate can be recovered after a private key has been recovered.

  • Windows Server 2003 archives encryption keys only; it does not accept keys whose purpose is signature only for archival and recovery, so signing keys are never exposed through this mechanism.

The disadvantages of key recovery include:

  • User key recovery is a manual process that must be performed by administrators and users.

  • Key recovery allows administrative access to the private keys of users.

  • Non-repudiation assurance might not be available with key archival and recovery.

  • Key recovery does not work with hardware security tokens such as smart cards, because a private key generated on the token cannot be exported from it and therefore cannot be archived by the CA.

Note

  • Only a Windows Server 2003 Enterprise Edition CA can implement Windows Server 2003 key recovery.

Windows Server 2003 includes a new certificate template, Key Recovery Agent, to support the key recovery agent role. A Windows Server 2003 CA can use only key recovery agent certificates that have been properly formatted and that have not expired. To enable key recovery, you need to complete the following tasks:

  • Configure the key recovery agent template and enroll the designated key recovery agents for certificates from it.

  • Configure the CA to allow key archiving and select the key recovery agent certificates it will use.

  • Enable key archival on the user certificate templates and enroll users; the CA archives each user's private key at enrollment time.

Do not use either data recovery or key recovery if your organization wants to protect data from all parties except for the original user.