Generating the Admin Key
When KeyControl generates an Admin Key, it cryptographically divides the key into parts and sends one part to each KeyControl user account with Security Admin privileges. In addition, if you have specified an EKS (external key server), KeyControl stores a copy of the entire Admin Key on the EKS.
KeyControl automatically generates a new Admin Key:
- During installation of the first KeyControl node. In this case, the secroot user account gets an Admin Key with a single part.
- When a Security Admin user account is added or deleted. In this case, a new Admin Key is divided into a new number of parts, "m", and sent to all current Security Admins.
Note: The value of "n" is not changed. If you add three Security Admins immediately after the initial installation, the Admin Key will be divided into four parts, but only one part will be required when restoring the system. The way you set the required number of parts is described below.
- When you first configure KeyControl to use an EKS.
- When you explicitly generate a new Admin Key, as described below. In this case, the number of Admin Key parts is not changed.
Note: Whenever the Admin Key is regenerated, KeyControl forces you to download the new Admin Key part.
Before You Begin
If you have configured KeyControl to store the Admin Key in an external KMIP server or HSM (hardware security module), make sure that the KMIP server or HSM is available before you generate a new Admin Key. If KeyControl cannot store the Admin Key on the external device, the generate request fails.
Procedure
- Log into the KeyControl webGUI using an account with Security Admin privileges.
- In the top menu bar, click Settings.
- In the General Settings section, click Admin Key Parts.
- Verify the following options:
  Minimum Key Parts: The minimum number of parts ("n") needed to restore KeyControl from a backup when you are not retrieving the key from an EKS.
  Email Private Key on Generate: If Enabled, when you generate a new Admin Key, KeyControl automatically sends each Security Admin their key part as an email attachment. The attachment name is username_kc-ip-addr.key.gen#, where username is the Security Admin's KeyControl account name, kc-ip-addr is the IP address of the KeyControl node you are currently logged into, and # is the generation count. For example, secroot_10.238.66.235.key.gen8. If Disabled, when you generate a new Admin Key, KeyControl sends each Security Admin an alert stating that the Admin Key has been changed and prompting them to download their key part.
- Click Generate New Key. KeyControl increases the generation count by one and creates a new key part for each Security Admin in the system. If you have configured an EKS, KeyControl also saves the Admin Key to the EKS.
Based on the setting of the Email Private Key on Generate option, KeyControl also sends each Security Admin in the system an email with their key part or an alert stating that there is a new key part ready for download.
Tip: If you intend to back up KeyControl in the immediate future, we recommend that you notify your Security Admins that the new Admin Key part they just received is going to be tied to a backup image and that they should download it to a secure location immediately. You cannot restore KeyControl from a backup image unless you have the Admin Key parts that were valid when the backup was created, and you cannot download previous Admin Key parts from KeyControl.
- Click Close.