When KeyControl generates an Admin Key, it cryptographically divides the key into parts and sends one part to each KeyControl user account with Security Admin privileges. In addition, if you have specified an EKS (external key server), KeyControl stores a copy of the entire Admin Key on the EKS.
KeyControl automatically generates a new Admin Key:
When a Security Admin user account is added or deleted. In this case, a new Admin Key is divided into a new number of parts, "m", and sent to all current Security Admins.
Note: The value of "n" is not changed. If you add three Security Admins immediately after the initial installation, the Admin Key will be divided into four parts, but only one part will be required when restoring the system. The way you set the required number of parts is described below.
Procedure
1. Log into the KeyControl webGUI on any node in the cluster using an account with Security Admin privileges.
2. Verify the setting for Minimum Key Parts. This is the minimum number of parts needed when you want to restore KeyControl from a backup ("n") and you are not retrieving the key from an EKS.
3. Click Generate New Key. KeyControl creates a new key part for each Security Admin in the system and sends each user an email or an alert based on the setting for Disable Email Notifications. For details, see Setting Email Server Preferences. If you have configured an EKS, KeyControl also saves the Admin Key to the EKS.
Tip: If you intend to back up KeyControl in the immediate future, we recommend that you notify your Security Admins that the new Admin Key part they just received is going to be tied to a backup image and they should download it to a secure location immediately. You cannot restore KeyControl from a backup image unless you have the Admin Key parts that were valid when the backup was created, and you cannot download previous Admin Key parts from KeyControl.
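The page does not say which splitting scheme KeyControl uses, only that the key is "cryptographically divided" into "m" parts of which "n" are required. The following added example, which is not KeyControl code, models that behaviour with Shamir's secret sharing over a prime field and also shows the point of the tip above: parts from a newly generated Admin Key cannot restore a backup that was sealed to the previous one. The function names, the field prime, and the sample key values are assumptions constructed for this example.

```python
import secrets

# Prime modulus for the finite field. 2**127 - 1 is a Mersenne prime, so any
# secret below it (for example a 126-bit key) fits in a single field element.
# Assumption for the example: KeyControl's real field and encoding are not documented here.
PRIME = 2**127 - 1


def _eval_poly(coeffs, x):
    """Evaluate the polynomial coeffs[0] + coeffs[1]*x + ... at x (mod PRIME), Horner form."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % PRIME
    return acc


def split_key(secret, m, n):
    """Split `secret` into m parts (shares); any n of them reconstruct it.

    m corresponds to the number of Security Admins, n to "Minimum Key Parts".
    Returns a list of (index, value) pairs, one per Security Admin.
    """
    if not (1 <= n <= m):
        raise ValueError("need 1 <= n <= m")
    if not (0 <= secret < PRIME):
        raise ValueError("secret must be a field element")
    # Random polynomial of degree n-1 whose constant term is the secret.
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(n - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, m + 1)]


def recover_key(shares):
    """Lagrange interpolation at x = 0 over the given shares (needs at least n of them)."""
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share indices")
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        # Modular inverse via Fermat's little theorem (PRIME is prime).
        total = (total + yi * num * pow(den, PRIME - 2, PRIME)) % PRIME
    return total


def restore_from_backup(backup_admin_key, shares_presented, n):
    """Model of the restore check: a backup sealed to one Admin Key generation
    opens only with at least n parts of that same generation."""
    if len(shares_presented) < n:
        return False
    return recover_key(shares_presented[:n]) == backup_admin_key


if __name__ == "__main__":
    # Constructed scenario from the note above: one Security Admin at install
    # time (m=1, n=1), a backup taken, then three admins added (m=4, n still 1).
    key_v1 = secrets.randbelow(PRIME)
    shares_v1 = split_key(key_v1, m=1, n=1)
    key_v2 = secrets.randbelow(PRIME)          # regenerated automatically
    shares_v2 = split_key(key_v2, m=4, n=1)
    print("old parts restore old backup:", restore_from_backup(key_v1, shares_v1, 1))
    print("new parts restore old backup:", restore_from_backup(key_v1, shares_v2, 1))
    # A threshold configuration: five admins, any three parts required.
    key_v3 = secrets.randbelow(PRIME)
    shares_v3 = split_key(key_v3, m=5, n=3)
    print("3 of 5 parts recover key:", recover_key(shares_v3[1:4]) == key_v3)
```

The restore check is the operational lesson of the tip: once a new key has been generated, the parts held by the Security Admins belong to a different polynomial, so the old backup image is only recoverable if the earlier parts were saved when they were issued.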