Chapter 22 Setting Up Key Archival and Recovery

Key Recovery Process

Local Versus Remote Key Recovery Authorization

Key recovery agents can authorize the recovery of a key locally or remotely. The overview of local and remote authorization provided in this section is intended to help you determine which to use for your organization. You may find it useful to take a look at the Data Recovery Manager agent-specific information in the CMS Agent's Guide.

Local Key Recovery Authorization

To initiate key recovery locally, the required number of recovery agents assemble in front of the host system that allows them to access the Data Recovery Manager Agent Services interface. Either a Data Recovery Manager agent or a key recovery agent with a Data Recovery Manager agent certificate accesses the Key Recovery form hosted by the Data Recovery Manager and initiates the key recovery process.

All key recovery agents enter their IDs and passwords on the same Recovery Authorization form presented by the Data Recovery Manager. If the information presented is correct, the Data Recovery Manager retrieves the requested key and returns it along with the corresponding certificate in the form of a PKCS #12 package.

By default, key recovery authorization is local.

Remote Key Recovery Authorization

To authorize key recovery remotely, the required number of recovery agents access the Data Recovery Manager Agent Services interface at their own locations and use the Authorize Recovery button to enter each authorization separately.

Before key recovery agents can authorize key recovery remotely, they must be set up to function as Data Recovery Manager agents. This role gives them the privilege to access the Data Recovery Manager's Agent Services interface directly.

In remote key recovery authorization, one of the key recovery agents informs all required recovery agents about an impending remote key recovery process. All recovery agents access the Key Recovery page hosted by the Data Recovery Manager. One of the agents initiates the key recovery process. The Data Recovery Manager returns a notification to each agent. The notification includes a recovery authorization reference number identifying the particular key recovery request that the agent is required to authorize. Each agent uses the reference number and authorizes key recovery separately.
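
The remote authorization flow described above, as a small Python model added here for illustration; it is not code from the Data Recovery Manager. The class and method names, the format of the reference number, and the choices to count a repeated authorization from one agent only once and to make a reference single-use are assumptions of this example, and agents are assumed to be already authenticated to the Agent Services interface.

```python
import secrets


class RecoveryManagerModel:
    """Toy model of remote authorization (hypothetical; not the product's code)."""

    def __init__(self, agents, required):
        if not 1 <= required <= len(set(agents)):
            raise ValueError("required must be between 1 and the number of agents")
        self.agents = frozenset(agents)  # configured key recovery agents
        self.required = required         # how many agents must authorize
        self.pending = {}                # reference number -> request state

    def _check_agent(self, agent):
        if agent not in self.agents:
            raise PermissionError(f"{agent!r} is not a key recovery agent")

    def initiate(self, initiator, key_id):
        """One agent starts the recovery; the reference goes to every agent."""
        self._check_agent(initiator)
        reference = secrets.token_hex(8)  # unguessable value (assumed format)
        self.pending[reference] = {"key_id": key_id, "authorized": set()}
        return reference

    def authorize(self, agent, reference):
        """Record one agent's separate authorization; return how many remain."""
        self._check_agent(agent)
        request = self.pending.get(reference)
        if request is None:
            raise KeyError("unknown or completed recovery request")
        request["authorized"].add(agent)  # a set, so a repeat counts once
        return max(0, self.required - len(request["authorized"]))

    def retrieve(self, reference):
        """Release the key only after enough distinct agents have authorized."""
        request = self.pending.get(reference)
        if request is None:
            raise KeyError("unknown or completed recovery request")
        if len(request["authorized"]) < self.required:
            raise PermissionError("not enough recovery agents have authorized")
        del self.pending[reference]       # single use: no replay of a reference
        # Placeholder string standing in for the PKCS #12 package.
        return "PKCS #12 package for " + request["key_id"]


if __name__ == "__main__":
    drm = RecoveryManagerModel(["alice", "bob", "carol"], required=2)  # constructed
    ref = drm.initiate("alice", "key-42")
    print(drm.authorize("alice", ref), drm.authorize("bob", ref))
    print(drm.retrieve(ref))
```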