Red Hat SummitCe contenu n'est pas disponible dans la langue sélectionnée.
Chapter 4. Setting up Key Archival and Recovery
For more information, see Archiving, Recovering, and Rotating Keys.
This chapter explains how to setup the Key Recovery Authority (KRA), previously known as Data Recovery Manager (DRM), to archive private keys and to recover archived keys for restoring encrypted data.
Note
This chapter only discusses archiving keys through client-side key generation. Server-side key generation and archivals, whether it's initiated through TPS, or through CA's End Entity portal, are not discussed here.
For information on smart card key recovery, see Section 6.11, “Setting Up Server-side Key Generation”.
For information on server-side key generation provided at the CA’s EE portal, see Section 5.2.2, “Generating CSRs Using Server-Side Key Generation”.
Note
Gemalto SafeNet LunaSA only supports PKI private key extraction in its CKE - Key Export model, and only in non-FIPS mode. The LunaSA Cloning model and the CKE model in FIPS mode do not support PKI private key extraction.
When KRA is installed, it joins a security domain, and is paired up with the CA. At such time, it is configured to archive and recover private encryption keys. However, if the KRA certificates are issued by an external CA rather than one of the CAs within the security domain, then the key archival and recovery process must be set up manually.
For more information, see Manually Setting up Key Archival.
Note
In a cloned environment, it is necessary to set up key archival and recovery manually. For more information, see the Updating CA-KRA Connector Information After Cloning section in the Red Hat Certificate System Planning, Installation, and Deployment Guide.
4.1. Configuring Agent-Approved Key Recovery in the Console
Copier lienLien copié sur presse-papiers!
Note
While the number of key recovery agents can be configured in the Console, the group to use can only be set directly in the
CS.cfg file. The Console uses the Key Recovery Authority Agents Group by default.
- Open the KRA's console. For example:
pkiconsole https://server.example.com:8443/kra
pkiconsole https://server.example.com:8443/kraCopy to Clipboard Copied! Toggle word wrap Toggle overflow - Click the Key Recovery Authority link in the left navigation tree.
- Enter the number of agents to use to approve key recover in the Required Number of Agents field.
Note
For more information on how to configure agent-approved key recovery in the
CS.cfg file, see Configuring Agent-Approved Key Recovery in the Command Line.
'%20d='M201.5%20305.5c-13.8%200-24.9-11.1-24.9-24.6%200-13.8%2011.1-24.9%2024.9-24.9%2013.6%200%2024.6%2011.1%2024.6%2024.9%200%2013.6-11.1%2024.6-24.6%2024.6zM504%20256c0%20137-111%20248-248%20248S8%20393%208%20256%20119%208%20256%208s248%20111%20248%20248zm-132.3-41.2c-9.4%200-17.7%203.9-23.8%2010-22.4-15.5-52.6-25.5-86.1-26.6l17.4-78.3%2055.4%2012.5c0%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.3%2024.9-24.9s-11.1-24.9-24.9-24.9c-9.7%200-18%205.8-22.1%2013.8l-61.2-13.6c-3-.8-6.1%201.4-6.9%204.4l-19.1%2086.4c-33.2%201.4-63.1%2011.3-85.5%2026.8-6.1-6.4-14.7-10.2-24.1-10.2-34.9%200-46.3%2046.9-14.4%2062.8-1.1%205-1.7%2010.2-1.7%2015.5%200%2052.6%2059.2%2095.2%20132%2095.2%2073.1%200%20132.3-42.6%20132.3-95.2%200-5.3-.6-10.8-1.9-15.8%2031.3-16%2019.8-62.5-14.9-62.5zM302.8%20331c-18.2%2018.2-76.1%2017.9-93.6%200-2.2-2.2-6.1-2.2-8.3%200-2.5%202.5-2.5%206.4%200%208.6%2022.8%2022.8%2087.3%2022.8%20110.2%200%202.5-2.2%202.5-6.1%200-8.6-2.2-2.2-6.1-2.2-8.3%200zm7.7-75c-13.6%200-24.6%2011.1-24.6%2024.9%200%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.1%2024.9-24.6%200-13.8-11-24.9-24.9-24.9z'/%3e%3c/svg%3e){kind=small}