Key Recovery Process

Chapter 6 Data Recovery Manager 211

Key Recovery Agent Scheme

The key recovery agent scheme consists of configuring the Data Recovery Manager to recognize a fixed number of key recovery agents (a minimum of one) and specifying how many of these agents are required to authorize a key recovery request before the archived key is restored. Each recovery agent provides the Data Recovery Manager with a password, which it uses to generate a unique PIN; the Data Recovery Manager uses the PIN to protect its storage key pair, which in turn protects end-entity's keys.

The Data Recovery Manager tracks the key recovery agent password for each agent and lets you facilitate changing agents' passwords; you do not have direct access to these passwords or to the actual storage key password. Each password retrieves only a part of the private storage key.

You first specified the key recovery agent scheme when you installed the Data Recovery Manager.

Changing the Key Recovery Agent Scheme

You can change the total number of key recovery agents for a Data Recovery Manager and the number of key recovery agents required to retrieve an end-entity's encryption private key from the Data Recovery Manager's key repository.

To change the key recovery agent scheme:

1. Access the CMS window (see "Logging Into the CMS Console" on page 247).

2. Click the Configuration tab.

CAUTION: The PKCS #12 package contains the private key. To minimize the risk of key compromise, the recovery agent must use a secure, out-of-band means to deliver the PKCS #12 package and its password to the key recipient. As an administrator, you should recommend that the recovery agent use a strong password for encrypting the PKCS #12 package, and you should also consider setting up an appropriate delivery mechanism.
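The "m of n agents" property described under "Key Recovery Agent Scheme" (a fixed number of agents, a smaller number required to authorize recovery, each password yielding only a part of the storage key) can be illustrated with a threshold secret-sharing split. The code below is an added example, not the Data Recovery Manager's own implementation; this page does not state how CMS derives agent PINs or splits the storage key, so Shamir secret sharing over a prime field is an assumption used only to show that any `required` shares recover the secret and fewer do not.

```python
# Added illustration of an m-of-n key recovery agent scheme using Shamir
# secret sharing. NOT the Data Recovery Manager's own code: the way CMS
# derives agent PINs and protects the storage key is not described on
# this page, so the split/recover scheme here is an assumption.
import secrets

P = 2**127 - 1  # Mersenne prime; all share arithmetic is done mod P


def split_secret(secret, n_agents, required):
    """Split `secret` into n_agents shares; any `required` of them recover it."""
    if not 1 <= required <= n_agents:
        raise ValueError("required must be between 1 and the number of agents")
    if not 0 <= secret < P:
        raise ValueError("secret out of range")
    # Random polynomial of degree required-1 whose constant term is the secret.
    coeffs = [secret] + [secrets.randbelow(P) for _ in range(required - 1)]
    shares = []
    for x in range(1, n_agents + 1):   # agent i holds the point (i, f(i))
        y = 0
        for c in reversed(coeffs):     # Horner evaluation of f(x) mod P
            y = (y * x + c) % P
        shares.append((x, y))
    return shares


def recover_secret(shares):
    """Lagrange-interpolate f(0) from the supplied shares."""
    result = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = (num * -xj) % P
                den = (den * (xi - xj)) % P
        result = (result + yi * num * pow(den, -1, P)) % P
    return result


if __name__ == "__main__":
    # Constructed sample: a 5-agent scheme that requires 3 agents to recover.
    storage_key_secret = secrets.randbelow(P)
    agent_shares = split_secret(storage_key_secret, n_agents=5, required=3)
    assert recover_secret(agent_shares[:3]) == storage_key_secret
    print("3 of 5 agents recovered the secret;",
          "2 of 5 did not:", recover_secret(agent_shares[:2]) != storage_key_secret)
```

With fewer than `required` shares the interpolation yields an unrelated field element, which is why no single agent's password alone can unlock the storage key.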