15.1 What is key recovery?
A certificate and its private key are used to encrypt and decrypt information; for example, emails and documents.
If you lose the private key, you cannot access the encrypted information unless you can recover the private key; for this to be possible, the key must have been securely stored. Secure storage of the private key is called key escrow.
Key recovery is the process of retrieving the private key from escrow, along with the certificate, and providing it to the person that needs to access the encrypted information.
In most cases, the private key should only ever be accessible to the certificate owner.
15.1.1 Use cases
The following use cases apply when dealing with key recovery:
- Automated key recovery.
You can configure your credential profiles to recover archived certificates using the Action option on the Select Certificates page of the Credential Profiles workflow; for example, if a certificate based on this policy has been issued to the user before, and the certificate is live and unexpired, it can be recovered onto the credential. If there are no available archived certificates, a new certificate is issued.
See the Selecting certificates section in the Administration Guide for more information.
- Self-service key recovery.
A certificate owner can log onto the MyID Operator Client and choose the certificates they want to recover, either to an existing device that they own, to a new physical device, or as soft certificates.
They can then collect the new device or device updates through the MyID Operator Client or a self-service application.
- Administrator-initiated key recovery for self-service collection.
An administrator can log onto the MyID Operator Client, select the person for whom they want to recover certificates, then choose the certificates to recover, either to an existing device belonging to the certificate owner, to a new physical device, or as soft certificates.
The certificate owner can then collect the new device or device updates through the MyID Operator Client or a self-service application.
- Administrator-initiated key recovery for administrator collection.
An administrator can log onto the MyID Operator Client, select the person for whom they want to recover certificates, then choose the certificates to recover, either to an existing device belonging to the certificate owner, to a new physical device, or as soft certificates.
The administrator can then collect the new device or device updates through the MyID Operator Client.
Note: If the administrator is collecting updates to an existing device belonging to the certificate owner, the certificate owner must be present with their device to enter their PIN.