Default Certificate Templates (Continued)
409 Chapter 12: Enterprise Public Key Infrastructure
RECOVERY KEYS
Many organizations are concerned about what would happen if the key required to decrypt
the data is lost. For example, if the head of HR encrypts all her files using EFS and
then loses her key, how would the organization regain access to that data? The solution
is to use recovery keys. Recovery keys are implemented as special-purpose certificates that
can be used by recovery agents to decrypt data. Recovery agents are users who can recover
data using recovery keys. Although recovery keys do allow decryption of data, they
typically cannot be used to regenerate the original keys for encrypting that data. This is
important, because it means that although a recovery key can be used to recover data,
it can??™t be used to recover signing keys, nor can it be used to impersonate someone else
for the purpose of encrypting data. This satisfies the need to secure the integrity of the
user??™s identity. By default, the Administrator account is designated as the recovery agent
for the CA. You can also delegate this authority to other accounts as desired.
Hands-On Exercise: Installing AD Certificate Services
Enterprise PKI for Windows 2008 refers to Active Directory Certificate Services, the role
service you can install on your Windows Server 2008 server that allows your server to
function as a CA.
Pages:
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446