All Cryptographic Security Platform Compliance Manager data (policy information, encryption keys, user account information, and so on) are held in an encrypted object store that is shared across all Cryptographic Security Platform Compliance Manager nodes in the cluster.
The object store is ultimately protected (through multiple layers of key wrappings) by an Admin Key that Cryptographic Security Platform Compliance Manager generates and maintains. This key is required if you ever need to restore Cryptographic Security Platform Compliance Manager from a backup or you need to change the hardware configuration of a Cryptographic Security Platform Compliance Manager node. The Admin Key is a 4096 bit RSA asymmetric key pair.
When you install the first Cryptographic Security Platform Compliance Manager node in your system, Cryptographic Security Platform Compliance Manager generates an Admin Key as soon as you log into the Cryptographic Security Platform Compliance Manager webGUI for the first time. The initial key has a single part and is assigned to the default secroot user account. As you add additional Security Administrator accounts to the system, Cryptographic Security Platform Compliance Manager shifts to an "n of m" Admin Key backup model, where "m" is the number of user accounts with Security Admin privileges and "n" is a user-defined value that states how many key parts must be uploaded before Cryptographic Security Platform Compliance Manager considers the Admin Key to be valid.
For example, if you have five Security Admins and you set n to 3, then at least three of the Security Admins will need to upload their Admin Key parts in order to restore Cryptographic Security Platform Compliance Manager from a backup. If you set n to 1, then any one of the five Security Admins can restore Cryptographic Security Platform Compliance Manager without consulting with any of the other Security Admins.
While you can regenerate Admin Key parts at any time, in order to restore Cryptographic Security Platform Compliance Manager from a backup image you must have the required number of Admin Key parts that were valid when the backup was created. You cannot regenerate the Admin Key parts and then immediately use those new key parts to restore Cryptographic Security Platform Compliance Manager from a previously-created back up.
The Admin Key is assigned a generation count that is incremented each time a new Admin Key is generated. This generation count allows you to identify which Admin Key parts go together. The email that each Security Admin receives when a new Admin Key is generated contains the generation count. For example:
This current Key Part supersedes any you may have previously received from this cluster. The Key Part is associated by a "generation count" with its relevant backups. The generation count for this key is:8The generation count is also included in the Admin Key Part filename, which is attached to the email. The attachment name is username_kc-ip-addr.key.gen#, where username is the Security Admin's Cryptographic Security Platform Compliance Manager account name, kc-ip-addr is the Cryptographic Security Platform Compliance Manager IP address from which the Admin Key was generated, and # is the generation count. For example, secroot_10.238.66.235.key.gen8. This same naming convention is used if a Security Admin downloads their Admin Key Part from the Cryptographic Security Platform Compliance Manager webGUI.
If you want to restore Cryptographic Security Platform Compliance Manager from a backup created when the Admin Key shown above was valid, you must make sure that all the Admin Key Parts you upload have generation count = 8.