Key Escrow – CompTIA Security+ SY0-401: 6.3

The escrow of encryption keys can be a necessary process, but it isn’t without controversy. In this video, you’ll learn the advantages and disadvantages of escrowing your encryption keys.

<< Previous Video: Key RegistrationNext: Trust Models >>

With key escrow we’re taking our decryption keys and putting them in the hands of a third party. That means all of our private keys will be held by someone else. And that means that we’re planning in a case where we might need to decrypt some of that information that you might have. This could be an absolutely legitimate process that you have in place to ensure that you always have access to your data.

For instance, a business may need to access information that an employee had encrypted on their hard drive of their laptop, and that employee may no longer be with the organization. So you need some way to get back in to that laptop. If you’re a government agency, you may need to decrypt data that might be coming from partners. And so you might have a third party hold the description keys so that there’s somebody who is an independent agency that would control and make sure that was not abused.

And it could be conceived as controversial. If you’re storing your private information and it’s your data that’s being encrypted and stored on a laptop or on a computer, you may not feel very happy about third parties having access to that. But in the United States, at least, organizations who have distributed laptops to their employees own all of the data on those laptops. So it may be just a normal part of doing business and certainly an absolutely legal part of doing business, so that you can have access to the data on that laptop regardless of what might happen to the private keys or to the employee that happen to be using that laptop.

The process of having a key decrypt information is relatively straightforward. With key escrow a lot of the work is done on the process itself. You want to be sure that it’s very clear that you have a– already in place– a set of procedures so that there’s no questions about what the process is if you ever need to take advantage of that key escrow. These keys are very, very valuable. They’re very important and you should absolutely have this in place before you start that escrow process.

You also have to be able to trust the people you’re giving these keys to. You want to be sure that if those keys are stored in a certain place that they’re going to be protected. You want to be sure that nobody can have access to those keys who should not have that access. So obviously this is not something you do on a whim. It’s not something you do without a lot of process and a lot of procedures in place.

And just to make sure that all of these particular conditions are controlled. If you need access to certain data on someone’s laptop, there should be a series of documentation and communication in place so that you’re able to show that. In some cases it may take legal proceedings to get the data and provide access to that encrypted information. So it’s going to be very important that you plan ahead so that all of those different contingencies are taken into account.