Chapter 5 Recovering Encrypted Data

This chapter describes how to process key recovery requests and how to recover stored encrypted data when the encryption key has been lost. This service is available only when the Data Recovery Manager subsystem is installed. The Data Recovery Manager Agent Services page allows certified agents to accomplish these tasks.

• Finding and Recovering Keys

• Recovering Keys


• Viewing Key Service Requests

1. Go to the Data Recovery Manager Agent Services page (see Accessing Agent Services).You must submit the proper client certificate to get access to this page.
2. Click Search for Keys or Recover Keys to display the form in which you specify search criteria.

If you choose Recover Keys, you will have the option of initiating recovery for any key that you find.

3. To search by particular criteria, use one or more of the different sections of the Search for Keys or Recover Keys form. To use a section, select the appropriate checkbox in that section, then fill in any necessary information.

Owner Name. Use this section to find an archived key with a specific owner name. The owner name for a key is much like the subject name for a certificate. It consists of a string that can be used in searches. Select the checkbox and enter the owner name for the key you want to find.

Key identifiers. Use this section to find an archived key with a specific key identifier or to list all keys within a range of key identifiers.

• To find a key with a specific key identifier, enter the key identifier in both the upper limit and lower limit fields. Use decimal or hexadecimal form. Use 0x to indicate the beginning of a hexadecimal number; for example, 0x2A. (Key identifiers are displayed in hexadecimal form in the Search Results and Details pages.)
• To find all keys within a range of key identifiers, enter the upper and lower limits of the key identifier range (in decimal or hexadecimal form).

If you leave either the lower limit or upper limit field blank, all keys before or after the one you specify are displayed.

Certificate. Use this section to find the archived key that corresponds to a specific public key. Select the checkbox and paste the certificate containing the corresponding public key (in base-64 encoded form) into the text area. (You must first find and copy the encoded form of the encryption certificate associated with the key pair. Use the Certificate Manager or Registration Manager Agent Services pages to find the certificate; for instructions, see "Examining Certificates," in Chapter 3.)

Archiver. Use this section to find keys that were archived by a specific server. Select the checkbox and enter the user ID of the Certificate or Registration Manager that submitted the key archival request. Note that this information is available only for archival requests from servers that are remote from the Data Recovery Manager (that is, not installed in the same server root directory).

4. After entering your search criteria, click Show Key.

The Data Recovery Manager displays a list of the keys that match your search criteria. You can select a key in the list and examine it in more detail (described in "Selecting a Key" If you initiated the search with the Recover Keys button, you have the option of recovering any key returned by the search (described in "Recovering Keys.").

1. On the Data Recovery Manager's Agent Services page, click Search for Keys, specify search criteria, and click Show Key to display a list of archived keys.

For details, see "Finding Archived Keys".

2. On the Search Results form, find a particular key.

If the key you want to see is not shown, scroll to the bottom of the list and select the Next or Previous group of keys.

3. Click Details next to the key you want to examine.

The details of the selected key are shown in the Key details page. You cannot manipulate the key in any way.

1. On the Data Recovery Manager's Agent Services page, click Recover Keys, specify search criteria, and click Show Key to display a list of archived keys.

For details, see "Finding Archived Keys".

2. On the Search Results form, find a particular key.

If the key you want to see is not shown, scroll to the bottom of the list and select the Next or Previous group of keys.

3. Click Recover next to the key you want to examine.

The details of the selected key are displayed in the Authorize Key Recovery form, which allows you to specify authorization information.

4. In the Key Recovery form, scroll to the bottom of the key information.

The number of key recovery agent authorizations required to recover a key is configured by the system administrator using the CMS window in Netscape Console. The Key Recovery form has space for the required number of authorizations.

5. Specify the password that the requester will use in importing the recovered certificate/key pair package.
6. Paste the base-64 encoded certificate that corresponds to the archived key into the text area.

Use the Certificate or Registration Manager Agent Services pages to find and copy the certificate; see "Examining Certificates," in Chapter 3.

If you searched for the archived key by using the corresponding public key, the certificate information is automatically transferred here.

7. Choose whether to authorize recovery locally.

• If you select this option, assemble the required number of key recovery agents and have each agent fill in his or her user name and password.
• If you deselect this option, notify the key recovery agents that a recovery has been initiated, giving them the recovery authorization reference number indicated on this form. (For information on how to provide a remote authorization, see "Remote Recovery Authorization.")
8. Click Recover Now.

• If you chose local authorization, the recovery is completed immediately, and the recovered certificate and key pair are sent to your browser in the form of a PKCS #12 package.
• If you chose remote authorization, you must wait for the recovery agents to enter their authorizations. As they do so, a status page informs you of the progress. When the required number of recovery agents have completed their authorizations, the recovery is completed and the recovered certificate/key pair package is sent to your browser.
9. In the dialog box that appears, specify the path and filename for saving the encrypted file that contains the recovered certificate and key pair.
10. Send the encrypted file to the requesting party.
11. Inform the requesting party of the recovery password in a secure manner.

The recovering party must use this password to import the recovered certificate/key pair package into his or her client software.

1. Go to the Data Recovery Manager Agent Services page (see Accessing Agent Services). You must submit the proper client certificate to get access to this page.
2. Click Authorize Recovery.
3. Enter the recovery authorization reference number that was part of the notification.

This number identifies the particular key recovery request that you are to authorize.

4. Click Examine.
5. Enter your key recovery agent ID and password.
6. Click OK.

• Key archival requests, made by remote or local Certificate or Registration Managers
• Key recovery requests, made by Data Recovery Manager agents

1. Go to the Data Recovery Manager Agent Services page (see Accessing Agent Services). You must submit the proper client certificate to get access to this page.
2. Click List Requests to display the List Requests form.

Use the List Requests form to specify which key service requests to list.

3. Choose the type of requests you want to see from the "Request type" pull-down menu. You can choose to see requests to archive keys, to recover keys, or both.
4. Choose the statsu of requests you want to see by selecting one of the following choices from the "Request status" pull-down menu:

• Show canceled requests

Unless your system is specially configured for it, there will be no cancelled requests.

• Show rejected requests

Rejected requests do not comply with your company's archival or recovery policies. Unless your system is specially configured for it, there will be no rejected requests.

• Show completed requests

Completed requests include archival requests for which proof of archival has been sent and completed recovery requests.

• Show all requests

All requests stored in the system.

5. To start the list at a specific place in the queue, enter the starting request identifier in decimal or hexadecimal form.

Use 0x to indicate the beginning of a hexadecimal number; for example, 0x2A. (Key identifiers are displayed in hexadecimal form in the Search Results and Details pages.)

6. Choose the number of matching requests you want to see.

When you specify a number n, the system displays the first n requests after the starting request identifier that match your specified criteria.

7. Click Find.

The Data Recovery Manager displays a list of the key service requests that match your search criteria. You can select a request in the list and examine it in more detail. For instructions, see "Selecting a Request."

1. On the Data Recovery Manager's Agent Services page, click List Requests, specify search criteria, and click Find to display a list of key service requests.

For details, see "Listing Key Service Requests".

2. On the Key Service Request Queue form, find a particular request.

If the request you want to see is not shown, scroll to the bottom of the list and select the Next or Previous group of requests.

3. Click Details next to the selected request.

The details of the selected key service request appear in the Request details form. You cannot manipulate the request in any way.

If the system changes the state of the displayed request, and if you use your browser's Back or Forward buttons or the Go (history) menu to move to another page, the data shown can become out of date. To refresh the data, click the highlighted key identifier at the top of the page.