Generating the Admin Key

When Cryptographic Security Platform Vault generates an Admin Key, it cryptographically divides the key into parts and sends one part to each Cryptographic Security Platform Vault user account with Security Admin privileges. In addition, if you have specified an EKS (external key server), Cryptographic Security Platform Vault stores a copy of the entire Admin Key on the EKS.

Cryptographic Security Platform Vault automatically generates a new Admin Key:

  • During installation of the first Cryptographic Security Platform Vault node. In this case, the secroot user account gets an Admin Key with a single part.
  • When a Security Admin user account is added or deleted. In this case, a new Admin Key is divided into a new number of parts, "m", and sent to all current Security Admins.

    Note: The value of "n" is not changed. If you add three Security Admins immediately after the initial installation, the Admin Key will be divided into four parts, but only one part will be required when restoring the system. The way you set the required number of parts is described below.

  • When you first configure Cryptographic Security Platform Vault to use an EKS.
  • When you explicitly generate a new Admin Key, as described below. In this case, the number of Admin Key parts is not changed.

Note: Whenever the Admin Key is regenerated, Cryptographic Security Platform Vault forces you to download the Admin Key.

Note: If an external key server (EKS) is used to store Admin Keys, administrators do not define the storage location, and Admin Key parts are no longer available for download. For more information, see Admin Keys.

Before You Begin

If you have configured Cryptographic Security Platform Vault to store the Admin Key in an external KMIP server or HSM (hardware security module), make sure that KMIP server or HSM is available before you generate a new Admin Key. If Cryptographic Security Platform Vault cannot store the Admin Key on the external device, the generate request will fail.

Procedure

  1. Log into the Cryptographic Security Platform Vault Management webGUI using an account with Security Admin privileges. In the top right, click the Switch to Appliance Management link.

  2. In the top menu bar, click Settings.
  3. In the General Settings section, click Admin Key Parts.
  4. Verify the following options:

    Option: Minimum Key Parts
    Description: The minimum number of parts needed when you want to restore Cryptographic Security Platform Vault from a backup ("n") and you are not retrieving the key from an EKS.

    Option: Email Private Key on Generate
    Description: If Enabled, when you generate a new Admin Key, Cryptographic Security Platform Vault automatically sends each Security Admin their key part as an email attachment. The attachment name is username_kc-ip-addr.key.gen#, where username is the Security Admin's Cryptographic Security Platform Vault account name, kc-ip-addr is the IP address of the Cryptographic Security Platform Vault node you are currently logged in to, and # is the generation count.

    For example, secroot_10.238.66.235.key.gen8.

    If Disabled, when you generate a new Admin Key, Cryptographic Security Platform Vault sends each Security Admin an alert stating that the Admin Key has been changed and prompting them to download their key part.

  5. Click Generate New Key. Cryptographic Security Platform Vault increases the generation count by one and creates a new key part for each Security Admin in the system. If you have configured an EKS, Cryptographic Security Platform Vault also saves the Admin Key to the EKS.

    Based on the setting of the Email Private Key on Generate option, Cryptographic Security Platform Vault also sends each Security Admin in the system an email with their key part or an alert stating that there is a new key part ready for download.

    Tip: If you intend to back up Cryptographic Security Platform Vault in the immediate future, we recommend that you notify your Security Admins that the new Admin Key part they just received is going to be tied to a backup image and that they should download it to a secure location immediately. You cannot restore Cryptographic Security Platform Vault from a backup image unless you have the Admin Key parts that were valid when the backup was created, and you cannot download previous Admin Key parts from Cryptographic Security Platform Vault.

  6. Click Close.