Best Practices for Key Archival and Recovery

Applies To: Windows Server 2008

Because key archival and recovery create circumstances under which an individual's private key is accessible to others, risks to confidentiality and data integrity are a concern and should be mitigated by following industry best practices. The following is a list of important considerations when implementing key archival and recovery.

  • Defining key recovery policies and procedures.

  • Using role-based administration.

  • Protecting key recovery agent keys.

  • Auditing key recovery operations.

Defining key recovery policies and procedures

Define or adopt data asset classification standards that can be used to assign a qualitative value to data assets in your organization. Restrict the use of key recovery procedures to specific circumstances, and specify increased restrictions for key recovery operations involving high-value data assets. For example, keys used for digital signatures should be considered high-value data assets, and recovery of keys used for digital signatures should be restricted or prohibited to mitigate risks to data integrity and nonrepudiation.

Key recovery procedures should be documented, and personnel should receive training according to their role. In some organizations, testing and certification of personnel may be appropriate. All procedures should be tested and refined, as necessary, and periodically reviewed and adapted to current business requirements. This guide includes examples of procedures for the following:

Protecting key recovery agent keys

Key recovery agent keys should be considered high value data assets and appropriately protected against compromise and loss in order to mitigate risks to data confidentiality and availability. Determining appropriate protections depends on an organization's size and security requirements. Larger organizations should use role-based administration, keep records of individuals that have been issued key recovery agent certificates, and document key recovery operations. Smaller organizations might instead issue a small number of key recovery agent certificates, store them on smart cards or removable media, and make them temporarily available to IT administrators for key recovery operations.

Key length and lifetime and certificate renewal are important considerations when implementing key archival and recovery. In general, a private key must be available for as long as data encrypted with that key is needed. In the case of key recovery agent certificates, the private key must be available for as long as data encrypted by archived keys is needed. So, the required lifetime of the archived keys is an important factor when determining the validity period of key recovery agent certificates. The default validity period of key recovery agent certificates is two years. Near the end of its validity period, a key recovery agent certificate can be renewed with the same key as long as the key is not suspected of being compromised. In general, the risk of a key being compromised increases the longer a key is in use. For a longer key lifetime, an increased key length mitigates some risks of a key being compromised.

Using role-based administration

Role-based administration can be used to implement the principle of separation of duties, which is implemented by defining at least two roles, specifying duties or tasks of each role, assigning individuals to exactly one role, and restricting the privileges of each individual to only what is required to complete the tasks assigned to their role. It is essential that each individual is assigned to only one role and that technical or administrative controls are implemented to prevent an individual from performing tasks assigned to other roles.

Partitioning a procedure into tasks and assigning tasks to different roles ensures that the procedure can be completed only if individuals from each role complete their assigned tasks. Key recovery procedures using AD CS are completed by individuals in two roles. Certificate Managers have permission to the certification authority (CA) that enables them to retrieve archived encrypted private keys from the CA database. Key recovery agents, by possessing a private key associated with a key recovery agent certificate, are able to decrypt archived keys. To complete the entire key recovery process requires the participation of individuals from both roles. For more information, see Implement Role-based Administration (

Auditing key recovery events

Because of the risks associated with key recovery, auditing of key recovery events should be considered. Auditing can be enabled from the Certification Authority snap-in by right-clicking the CA node, clicking Properties, clicking the Auditing tab, and clicking Store and retrieve archived keys. When auditing of key recovery events is enabled, an event for each key archival and recovery operation is recorded in the Security log. Procedures for monitoring or periodically reviewing Security logs for key recovery events should be defined. Organizations that document key recovery operations should periodically reconcile documented key recovery operations and key recovery events recorded in the Security logs.