Loss of password on base key

Key custodians can use key recovery if the base key password is lost. Key recovery is vital because, without the password, the key custodian cannot change the key’s password or add key copies.

If all users share access to data through the base key and a user forgets the password, he or she can get the password from another user or the key custodian. If no one remembers the password, all access to the data is lost. Because of this, Adaptive Server recommends that keys be backed up by a recovery key copy.

The key custodian should:

  1. Appoint one user as the key recoverer. The key recoverer’s responsibility is to remember the password to the key recovery copy.

  2. Make a copy of the base key for the key recoverer. Every key that requires recovery after a disaster must have a key recovery copy.

After an unforeseen circumstance, the key custodian may not be available. The steps for recovery of key1 are:

  1. Change the key ownership to a new key custodian. See “Changing ownership of encryption keys” for more information.

  2. The key recoverer gives the password of the key copy to the new key owner, who recovers the column encryption key (CEK) and assigns a new password to it.
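
The set-up and recovery steps above, written out as an added example (not taken from the original page). It uses the `alter encryption key` clauses `add encryption ... for recovery`, `modify encryption ... for recovery`, `modify owner` and `recover encryption`. The user names `key_recoverer` and `new_custodian` and all bracketed passwords are constructed placeholders; check the exact clauses against the reference manual for your server version.

```sql
-- Set-up (before any loss), run by the key custodian who owns key1:
-- create a recovery key copy of key1 for the appointed key recoverer.
alter encryption key key1
    with passwd '<base_key_password>'
    add encryption with passwd '<temporary_recovery_password>'
    for user key_recoverer
    for recovery
go

-- Run by key_recoverer: replace the temporary password with one that
-- only the key recoverer knows and is responsible for remembering.
alter encryption key key1
    modify encryption with passwd '<recovery_password>'
    for recovery
go

-- Recovery step 1: the original custodian is unavailable, so a user
-- permitted to change key ownership transfers key1 to the new custodian.
alter encryption key key1
    modify owner new_custodian
go

-- Recovery step 2, run by new_custodian using the password supplied by
-- the key recoverer: recover the base key and give it a new password.
alter encryption key key1
    with passwd '<recovery_password>'
    recover encryption with passwd '<new_base_key_password>'
go
```

After recovery, the new base key password has to be shared again with the users who access data through the base key, and the recovery copy should stay in place for the next incident.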