5.1.10 Key Archival Security Considerations
Key archival is for decryption keys only. The purpose of key archival is the prevention of loss of data. Just as backup preserves the bits of a file, key archival permits recovery of decryption keys. Because a decryption key inherits the security value of everything it can decrypt, this key must be protected from disclosure strongly enough to withstand an attack by an attacker motivated by that accumulated value.
In the protocol specified here, a private decryption key is protected in transit by being encrypted with a key (the exchange key) belonging to the CA. The CA must then (through any manner deemed appropriate by the vendor and/or customer of that CA) do the following:
Protect its own decryption key from disclosure (because the exchange key acquires the sum of value of all of the keys transmitted by using it).
Protect any archived private keys from disclosure.
Protect any archived private keys from loss or destruction.
Make some process available by which a private key can be restored to its owner (including some human-to-human process by which the proper owner of the private key is authenticated).
How the CA chooses to meet these requirements is not addressed in this document. In the Microsoft CA implementation, a private key offered for archival, is decrypted on receipt and then re-encrypted in multiple KRA keys. The resulting encrypted key BLOBs are then stored in multiple backup copies. This redundancy meets the third requirement listed above. The recovery process is entirely manual and is a function of the enterprise within which the CA is deployed.