Key Recovery – CompTIA Security+ SY0-401: 6.3


If you lose your encryption key, you’ll lose access to all of your data. In this video, you’ll learn about key recovery techniques and how some certificate authorities can manage your encryption keys.

<< Previous Video: Public Key InfrastructureNext: Public and Private Keys >>


When we’re encrypting information we sometimes forget just how important that private key is. If we were to lose that key, we would no longer have access to any of that data. So that key becomes extremely valuable to us. And the idea of key recovery means that we’ve already put some processes in place to make sure that should something happen to that key, we still have a way to recover that data that might be encrypted.

One of the ways to do it is to back it up, but of course one of the challenges you have is you don’t want to make too many backups of your private key. You don’t want too many versions of that private key getting into other people’s hands, so therefore you want to be sure that it’s backed up or, perhaps, not backed up too much, but don’t wait. You still need to have at least 1 backup of that key. So don’t think that not backing it up is even more secure. You need a happy medium there so that the key is protected– maybe it’s stored away, could be in a safe somewhere– but it’s not in a place where someone may be able to run across it or at least get access to that private key.

In many organizations there is already a key recovery process that was thought from the very beginning. May everybody realize that if you lose a hard drive or you lose that private key, we still want the organization to have access to that data. So the entire process of recovering that is probably built into your PKI. It may be something that’s just done automatically every time a set of keys is created.

This is something that would need to be planned for though. You need to already have it in place prior to rolling out these keys so that you can then recover them. There are a couple of different approaches to doing this. One is to take every key you create and just back them up. That way if you lose them somewhere you can always go back and recover them with the backups that you have maybe stored in a safe somewhere.

Another way to do this is through the process of this public key encryption– have an “M of N” control, which means that you would have to have at least a certain number of people all contributing together to be able to recover certain amount of information. So that adds a little more confidentiality to it. And it ensures that no 1 person might be able to get this secret key and get into other people’s information without everyone else the organization know that that was going on.

If you’re already using a certificate authority, some of this recovery process is already built into it. So although it sounds very difficult to implement, it may just be if you check marks on a screen to make that happen. This may be a little more difficult to do with private certificate authorities because very often you’re building a certificate, or having them build you a set of certificates. They’re sending you the private key and the public key.

And they tell you right away, if you lose this, it’s gone forever. We’re not keeping a copy of it. You can’t recover it from us. There’s no way to do that. So we’re handing it to you and it’s now completely up to you. You best put that in a very safe place because if you lose it, you’re going to have to come back and create brand new keys all over again. This entire key recovery process is an extremely important one. And if you’re building out a certificate authority, you’re creating entire PKI for your organization, it’s certainly going to be something you want to look at.