Downloading your Admin Key
All KeyControl Compliance Manager data are held in an encrypted object store that is shared across all KeyControl Compliance Manager nodes in the cluster.
The object store is ultimately protected (through multiple layers of key wrapping) by an Admin Key that KeyControl Compliance Manager generates and maintains. The Admin Key is a 4096-bit RSA asymmetric key pair. You need it whenever you restore KeyControl Compliance Manager from a backup or change the hardware configuration of a KeyControl Compliance Manager node, so the downloaded key part must be kept somewhere safe and available outside the cluster.
When you install the first KeyControl Compliance Manager node in your system, the system generates an Admin Key as soon as you log into the KeyControl Appliance Management webGUI for the first time. The initial key has a single part and is assigned to the default secroot user account. As you add more Security Administrator accounts to the system, KeyControl Compliance Manager shifts to an "n of m" Admin Key backup model, where "m" is the number of user accounts with Security Admin privileges and "n" is a user-defined value that states how many key parts must be uploaded before KeyControl considers the Admin Key to be valid.
Procedure
- Log into the KeyControl Compliance Manager webGUI with your standard account credentials.
- In the top right, click the Switch to Appliance Management link.
- In the top menu bar, click Settings.
- In the Account Settings section, click Download Key. The KeyControl Appliance Management webGUI saves a file to your browser's default download location named username_ip-addr.key.gen#, where username is the currently logged-in account name, ip-addr is the IP address of the node you are logged in to, and # is the generation count. For example: secroot_10.238.66.235.key.gen8.
- If you want to remove your Admin Key part from the KeyControl Compliance Manager encrypted object store, click Clear Key. Once the part has been cleared, attempting to download it again fails with an error stating that the key part does not exist; to obtain a new part, regenerate the key as described in Generating the Admin Key.
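Because a restore needs n key parts of the same generation uploaded before the Admin Key is considered valid, it is worth checking an offline archive of downloaded parts before you depend on it. The following script is an added example, not part of this documentation or of KeyControl itself. It assumes only the filename convention stated above (username_ip-addr.key.gen#), that each Security Admin's downloaded file is kept under its original name in one directory, and that you know the threshold n configured on your cluster. The sample filenames are constructed for illustration.

```python
import os
import re
from collections import defaultdict
from typing import Iterable, NamedTuple

# Filename convention documented above: username_ip-addr.key.gen#
# The username match is greedy so account names containing "_" still parse;
# the dotted-quad IP and the trailing ".key.gen<N>" anchor the split.
_KEY_FILE_RE = re.compile(
    r"^(?P<user>.+)_(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\.key\.gen(?P<gen>\d+)$"
)


class KeyPart(NamedTuple):
    user: str
    ip: str
    generation: int


def parse_key_filename(path: str) -> KeyPart:
    """Split a downloaded Admin Key part filename into its components."""
    name = os.path.basename(path)
    m = _KEY_FILE_RE.match(name)
    if not m:
        raise ValueError(f"not an Admin Key part filename: {name!r}")
    return KeyPart(m["user"], m["ip"], int(m["gen"]))


def quorum_report(filenames: Iterable[str], n: int) -> dict:
    """Group archived key parts by generation and report whether the newest
    generation has parts from at least n distinct Security Admin accounts.

    Parts are deduplicated per account: the same admin downloading from two
    node IP addresses still contributes one part, since it is one account's
    share of the key.
    """
    by_gen: dict[int, set[str]] = defaultdict(set)
    for name in filenames:
        part = parse_key_filename(name)
        by_gen[part.generation].add(part.user)
    if not by_gen:
        raise ValueError("no Admin Key parts found")
    latest = max(by_gen)
    holders = sorted(by_gen[latest])
    return {
        "latest_generation": latest,
        "holders": holders,
        "quorum_met": len(holders) >= n,
        # Older generations no longer match the current Admin Key; flag them
        # so stale copies are not mistaken for usable parts.
        "stale_generations": sorted(g for g in by_gen if g != latest),
    }


# Constructed sample archive: two admins hold generation 8, one admin's copy
# is a leftover from generation 7 (hypothetical names and addresses).
SAMPLE_FILES = [
    "/srv/admin-key-archive/secroot_10.238.66.235.key.gen8",
    "/srv/admin-key-archive/alice_10.238.66.235.key.gen8",
    "/srv/admin-key-archive/secroot_10.238.66.236.key.gen8",  # duplicate holder
    "/srv/admin-key-archive/bob_10.238.66.236.key.gen7",
]

if __name__ == "__main__":
    report = quorum_report(SAMPLE_FILES, n=2)
    print(report)
```

With n=2 the sample archive passes (alice and secroot both hold generation 8); with n=3 it does not, because bob's only copy is from generation 7. The check counts distinct holders of the current generation only; it does not validate file contents, and the authoritative test remains uploading the parts to KeyControl, which accepts the key only once n parts are present.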