Procedure for Storing Session Keys Using a Backup Authority
An application using a backup authority to store session keys typically follows these steps.
To use a backup authority
- Encrypt the file as usual.
- Export the session key used to encrypt the file into a simple key BLOB, specifying that your own key exchange public key be used to encrypt the key BLOB. Store this key BLOB with the encrypted file.
- Export the session key again, this time specifying that the backup authority's public key be used to encrypt the key BLOB. Send this key BLOB to the backup authority, along with the key's description, serial number, and so on.
If a key pair is lost, the keys can be retrieved from the backup authority if the identity of the keys' owner can be established. The procedure for establishing identity is determined by the policy of the particular backup authority and does not involve CryptoAPI.