When Cryptographic Security Platform Compliance Manager generates an Admin Key, it cryptographically divides the key into parts and sends one part to each Cryptographic Security Platform Compliance Manager user account with Security Admin privileges. In addition, if you have specified an EKS (external key server), Cryptographic Security Platform Compliance Manager stores a copy of the entire Admin Key on the EKS.

Cryptographic Security Platform Compliance Manager automatically generates a new Admin Key:

  • During installation of the first Cryptographic Security Platform Compliance Manager node. In this case, the secroot user account gets an Admin Key with a single part.
  • When a Security Admin user account is added or deleted. In this case, a new Admin Key is divided into a new number of parts, "m", and sent to all current Security Admins.

    Note: The value of "n" is not changed. If you add three Security Admins immediately after the initial installation, the Admin Key will be divided into four parts, but only one part will be required when restoring the system. The way you set the required number of parts is described below.

  • When you explicitly generate a new Admin Key, as described below. In this case, the number of Admin Key parts is not changed.

Note: Whenever the Admin Key is regenerated, Cryptographic Security Platform Compliance Manager forces you to download the Admin Key.
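The "m parts, n required" behaviour described above (the key is split into one part per Security Admin, re-split into more parts when admins are added while the minimum stays fixed, and replaced outright on regeneration) is the classic threshold secret-sharing property. The page does not say which splitting scheme the product uses, so the following is an added illustration using Shamir's scheme, not the vendor's code: a key is split into `parts` shares of which any `min_parts` recover it, fewer shares yield an unrelated value, and shares from two different generations cannot be combined, which is why a backup is only restorable with the parts that were valid when it was taken. All names and the sample key are constructed for the example.

```python
import secrets

# Field modulus: the Mersenne prime 2^521 - 1, large enough to hold a 32-byte key
# (and much larger) as a single field element. Constructed for this example.
PRIME = 2**521 - 1


def _eval_poly(coeffs, x):
    """Evaluate c0 + c1*x + c2*x^2 + ... at x, modulo PRIME (Horner's rule)."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % PRIME
    return acc


def split_key(key: bytes, parts: int, min_parts: int):
    """Split key into `parts` shares ("m") so that any `min_parts` ("n") recover it.

    Returns (x, y) points on a random polynomial of degree min_parts-1 whose
    constant term is the key. Fewer than min_parts points reveal nothing about
    the constant term.
    """
    if not 1 <= min_parts <= parts:
        raise ValueError("need 1 <= min_parts <= parts")
    secret = int.from_bytes(key, "big")
    if secret >= PRIME:
        raise ValueError("key does not fit in the field")
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(min_parts - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, parts + 1)]


def combine_parts(shares):
    """Lagrange-interpolate the polynomial at x = 0 from the given (x, y) points."""
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share indices")
    total = 0
    for xi, yi in shares:
        num, den = 1, 1
        for xj in xs:
            if xj != xi:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        total = (total + yi * num * pow(den, -1, PRIME)) % PRIME
    return total


def recover_key(shares, key_len: int):
    """Reconstruct the key bytes; returns None if the result is not key-sized.

    With too few shares, or with shares from different generations mixed
    together, interpolation yields an unrelated field element, not the key.
    """
    value = combine_parts(shares)
    if value >= 1 << (8 * key_len):
        return None
    return value.to_bytes(key_len, "big")


if __name__ == "__main__":
    # Constructed sample key; a real Admin Key is generated by the system.
    key = secrets.token_bytes(32)
    min_parts = 2  # the "Minimum Key Parts" setting, "n"

    # Installation: only secroot exists, so the key is a single part (1 of 1).
    gen1 = split_key(key, parts=1, min_parts=1)
    assert recover_key(gen1, 32) == key

    # Three Security Admins added: re-split into 4 parts, threshold stays at n.
    gen1_resplit = split_key(key, parts=4, min_parts=min_parts)
    assert recover_key(gen1_resplit[1:3], 32) == key   # any 2 of 4 suffice
    assert recover_key(gen1_resplit[:1], 32) != key    # 1 part is not enough

    # Explicit regeneration: a new key, same number of parts. Old parts cannot be
    # mixed with new ones, which is why a backup is tied to one key generation.
    gen2 = split_key(secrets.token_bytes(32), parts=4, min_parts=min_parts)
    assert recover_key([gen1_resplit[0], gen2[1]], 32) != key
    print("threshold behaviour verified")
```

The `__main__` section walks the lifecycle in the order the bullets above describe it. The important operational point it makes concrete is the last one: parts from the previous generation are useless against the current key and vice versa, so the parts that correspond to a given backup must be kept as carefully as the backup itself.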

Procedure 

  1. Log into the Cryptographic Security Platform Compliance Manager webGUI with Security Admin privileges.
  2. In the top right, click the Switch to Appliance Management link.
  3. In the top menu bar, click Settings.
  4. In the General Settings section, click Admin Key Parts.
  5. Verify the following options:

    Option: Minimum Key Parts
    Description: The minimum number of parts needed when you want to restore Cryptographic Security Platform Compliance Manager from a backup ("n").

    Option: Email Private Key on Generate
    Description: If Enabled, when you generate a new Admin Key, Cryptographic Security Platform Compliance Manager automatically sends each Security Admin their key part as an email attachment. The attachment name is username_kcm-ip-addr.key.gen#, where username is the Security Admin's Cryptographic Security Platform Compliance Manager account name, kcm-ip-addr is the IP address of the Cryptographic Security Platform Compliance Manager node you are currently logged into, and # is the generation count.

    For example, secroot_10.238.66.235.key.gen8.

    If Disabled, when you generate a new Admin Key, Cryptographic Security Platform Compliance Manager sends each Security Admin an alert stating that the Admin Key has been changed and prompting them to download their key part.

  6. Click Generate New Key. Cryptographic Security Platform Compliance Manager increases the generation count by one and creates a new key part for each Security Admin in the system. If you have configured an EKS, Cryptographic Security Platform Compliance Manager also saves the Admin Key to the EKS.

    Based on the setting of the Email Private Key on Generate option, Cryptographic Security Platform Compliance Manager also sends each Security Admin in the system an email with their key part or an alert stating that there is a new key part ready for download.

    Tip: If you intend to back up Cryptographic Security Platform Compliance Manager in the immediate future, we recommend that you notify your Security Admins that the new Admin Key part they just received is going to be tied to a backup image and that they should download it to a secure location immediately. You cannot restore Cryptographic Security Platform Compliance Manager from a backup image unless you have the Admin Key parts that were valid when the backup was created, and you cannot download previous Admin Key parts from Cryptographic Security Platform Compliance Manager.

  7. Click Close.