Data Recovery Manager

This section describes the role of the Data Recovery Manager in CMS4.


What Is A Data Recovery Manager?

A Data Recovery Manager provides facilities for archiving and recovering private RSA encryption keys. This crucial element of a PKI allows an authorized Data Recovery Manager agent to recover an encryption key that has been lost or corrupted. It also allows administrators to recover encryption keys for employees who have left the company or who are unavailable for some other reason. In either case, once the encryption key has been recovered, the user or administrator can use it to decrypt any data (such as saved email messages) that was encrypted with that key.

A Data Recovery Manager can be used with dual key pairs only--that is, with end entities that support a signing key pair and signing certificate and an encryption key pair and encryption certificate for each identity, and that also support archival of encryption keys. Dual key pairs allow an end entity to get a new signing certificate and signing key pair without changing the encryption certificate or encryption key pair. Similarly, an end entity or an administrator can recover a lost encryption key without changing the signing certificate or signing key pair.

The Data Recovery Manager uses two special key pairs in the process of archiving an end entity's encryption key: a transport key pair (and certificate) and a storage key pair. The end entity must also have two key pairs: a signing key pair and an encryption key pair.
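The following Go sketch is an added example, not code from CMS4, showing how the two DRM key pairs can divide the work. It assumes the transport key protects the encryption private key on its way to the DRM and the storage key protects it at rest; the page names the key pairs but does not spell out the steps. The AES-GCM plus RSA-OAEP wrapping format and the names `Wrapped`, `Wrap`, `Unwrap` and `Archive` are hypothetical.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

type Wrapped struct{ EncKey, Nonce, Blob []byte } // RSA-OAEP wrapped AES key, GCM nonce, sealed key
func gcm(k []byte) cipher.AEAD { // callers guarantee len(k) == 32, so neither call can fail
	b, _ := aes.NewCipher(k)
	g, _ := cipher.NewGCM(b)
	return g
}
// Wrap is run by the end entity (pub = DRM transport key) and by the DRM (pub = storage key).
func Wrap(pub *rsa.PublicKey, secret []byte) (Wrapped, error) {
	buf := make([]byte, 44) // 32-byte one-time AES key followed by a 12-byte GCM nonce
	if _, err := rand.Read(buf); err != nil {
		return Wrapped{}, err
	}
	ek, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, buf[:32], nil)
	return Wrapped{ek, buf[32:], gcm(buf[:32]).Seal(nil, buf[32:], secret, nil)}, err
}
func Unwrap(priv *rsa.PrivateKey, w Wrapped) ([]byte, error) {
	k, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, w.EncKey, nil)
	if err != nil || len(k) != 32 || len(w.Nonce) != 12 { // wrong private key or malformed record
		return nil, rsa.ErrDecryption
	}
	return gcm(k).Open(nil, w.Nonce, w.Blob, nil) // fails if the sealed key was modified
}
// Archive is the DRM step: open with the transport private key, re-seal under the storage key.
func Archive(transportPriv *rsa.PrivateKey, storagePub *rsa.PublicKey, req Wrapped) (Wrapped, error) {
	der, err := Unwrap(transportPriv, req)
	if err != nil {
		return Wrapped{}, err
	}
	return Wrap(storagePub, der)
}

func main() { // constructed demo: a short byte string stands in for the DER-encoded private key
	t, _ := rsa.GenerateKey(rand.Reader, 2048) // DRM transport key pair
	s, _ := rsa.GenerateKey(rand.Reader, 2048) // DRM storage key pair
	req, _ := Wrap(&t.PublicKey, []byte("constructed encryption-key bytes"))
	rec, _ := Archive(t, &s.PublicKey, req)
	out, err := Unwrap(s, rec)
	fmt.Printf("recovered %q, err=%v\n", out, err)
}
```

Once archived, the record opens only with the storage private key, so the transport private key alone cannot recover stored keys.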


Figure 3.6

Copyright © 1999 Sun-Netscape Alliance.
All Rights Reserved.