Recovering Access to KeyControl
There are times when you will need to recover your KeyControl system, such as when you increase the number of CPUs allotted to a KeyControl server, change the network hardware address, migrate KeyControl to a different host, or restore from a backup to a newly created VM. The system recovery process prevents rogue administrators from making unauthorized changes to, or copies of, KeyControl disks.
When this happens, the KeyControl webGUI displays the System Recovery Options dialog box.
- Select the method you want to use to recover your system. The options are:
| Option | Description |
| --- | --- |
| Recovery using Keypart Upload | Allows you to upload the minimum number of required Admin Key parts that were sent to the Security Admins in the system. If you select this option, the webGUI displays the Recover Admin Key page. To upload a part, click Browse and select the appropriate `recovery_key` file. The Browse button should change to show the name of the selected file. When the correct file is displayed, click Upload file. Make sure that all Admin Key parts you upload have the same generation count. This information can be found in the email accompanying the Admin Key part. For details, see Admin Keys. When the required number of parts have been uploaded, KeyControl recovers the system and displays the Recovery Success message. Click Proceed to return to the KeyControl login page. |
| Recovery using Passphrase | Allows you to recover your system when you are using passphrase-based authentication. If you select this option, the webGUI displays the Recovery Passphrase page. Enter your passphrase and click Recover. For more information, see Startup Authentication. |
| Recovery from KMIP Server | Allows you to get an Admin Key stored on a KMIP server. The Admin Key must already be stored on this server for this option to work. |
| Recovery from HSM Server | Allows you to get the Admin Key from an HSM server. The Admin Key must already be stored on the HSM server for this option to work. If you select this option, the webGUI displays the HSM Recovery page where you can specify the following: Partition Label or HA Group Name; Partition or Crypto Officer (CO) password. |
| Decommission | If you want to decommission your KeyControl system, see Decommissioning a KeyControl Node. |
- If there are multiple KeyControl nodes in the cluster, re-join those nodes with the node you just recovered. For details, see Joining or Re-joining a KeyControl Cluster.