Recovery Key Escrow Configuration
Key escrow is a method of storing important cryptographic keys. By using key escrow, organizations can ensure that in the case of crisis, such as security breach, lost or forgotten keys, natural disaster, or otherwise, their critical keys are safe and can be recovered.
Recovery Key Escrow Configuration involves the following steps:
- Certificate creation – You must create a certificate and key pair for encrypting the recovery key through WebUI MDM app. This certificate is used in Windows actions and in macOS escrow payload. The key is placed in BES Server Plugin folder for decrypting.
- Set up Vault – You must specify an existing Vault server (URL, access keys), or you can also deploy Vault with self-signed certificates. You can access the Vault directory to get the unseal keys and access keys that were generated, and configure Vault settings in WebUI.
- Escrow server plugin setup – Set up the Escrow server plugin through WebUI by configuring with details of the key and Vault details, so that the private key is stored in the 'Applications' directory of the BES server.
- Troubleshooting
- Manual device task to escrow recovery key – If recovery key is missing or out of date, you can retrieve it through Regenerate Encryption Recovery Key.