Generating the Admin Key
When KeyControl Compliance Manager generates an Admin Key, it cryptographically divides the key into parts and sends one part to each KeyControl Compliance Manager user account with Security Admin privileges. In addition, if you have specified an EKS (external key server), KeyControl Compliance Manager stores a copy of the entire Admin Key on the EKS.
KeyControl Compliance Manager automatically generates a new Admin Key:
- During installation of the first KeyControl Compliance Manager node. In this case, the secroot user account gets an Admin Key with a single part.
- When a Security Admin user account is added or deleted. In this case, a new Admin Key is divided into a new number of parts, "m", and sent to all current Security Admins.
Note: The value of "n" is not changed. If you add three Security Admins immediately after the initial installation, the Admin Key will be divided into four parts, but only one part will be required when restoring the system. The way you set the required number of parts is described below.
- When you explicitly generate a new Admin Key, as described below. In this case, the number of Admin Key parts is not changed.
Note: Whenever the Admin Key is regenerated, KeyControl Compliance Manager forces you to download the Admin Key.
Procedure
- Log into the KeyControl Compliance Manager webGUI with Security Admin privileges.
- In the top right, click the Switch to Appliance Management link.
- In the top menu bar, click Settings.
- In the General Settings section, click Admin Key Parts.
- Verify the following options:

| Option | Description |
| --- | --- |
| Minimum Key Parts | The minimum number of parts needed when you want to restore KeyControl Compliance Manager from a backup ("n"). |
| Email Private Key on Generate | If Enabled, when you generate a new Admin Key, KeyControl Compliance Manager automatically sends each Security Admin their key part as an email attachment. The attachment name is "username_kcm-ip-addr.key.gen#", where "username" is the Security Admin's KeyControl Compliance Manager account name, "kcm-ip-addr" is the IP address of the KeyControl Compliance Manager node you are currently logged into, and "#" is the generation count. For example, "secroot_10.238.66.235.key.gen8". If Disabled, when you generate a new Admin Key, KeyControl Compliance Manager sends each Security Admin an alert stating that the Admin Key has been changed and prompting them to download their key part. |
- Click Generate New Key. KeyControl Compliance Manager increases the generation count by one and creates a new key part for each Security Admin in the system. If you have configured an EKS, KeyControl Compliance Manager also saves the Admin Key to the EKS.
Based on the setting of the Email Private Key on Generate option, KeyControl Compliance Manager also sends each Security Admin in the system an email with their key part or an alert stating that there is a new key part ready for download.
Tip: If you intend to back up KeyControl Compliance Manager in the immediate future, we recommend that you notify your Security Admins that the new Admin Key part they just received is going to be tied to a backup image and that they should download it to a secure location immediately. You cannot restore KeyControl Compliance Manager from a backup image unless you have the Admin Key parts that were valid when the backup was created, and you cannot download previous Admin Key parts from KeyControl Compliance Manager.
- Click Close.
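As an added example (not part of the KeyControl documentation or product), the following Python script inventories downloaded Admin Key part files using the attachment naming scheme above and reports which generations still hold at least the Minimum Key Parts ("n") needed for a restore. It assumes the parts were saved under their original attachment names; the Security Admin names other than secroot and the file list are constructed.

```python
import re
from collections import defaultdict

# Attachment name format from the documentation: username_kcm-ip-addr.key.gen#
# The username is matched greedily so account names containing "_" still parse.
PART_NAME = re.compile(
    r"^(?P<user>.+)_(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\.key\.gen(?P<gen>\d+)$"
)


def parse_part_name(name):
    """Return (user, ip, generation) for a key-part attachment name, or None."""
    m = PART_NAME.match(name)
    if not m:
        return None
    return m.group("user"), m.group("ip"), int(m.group("gen"))


def parts_by_generation(names):
    """Group the distinct Security Admins whose part was saved, by generation count."""
    gens = defaultdict(set)
    for name in names:
        parsed = parse_part_name(name)
        if parsed:
            user, _ip, gen = parsed
            gens[gen].add(user)          # a duplicate download of one part counts once
    return gens


def restorable_generations(names, min_key_parts):
    """Generations for which at least min_key_parts ("n") distinct parts are on hand.

    A backup taken under any other generation cannot be restored from these files."""
    return sorted(
        gen for gen, users in parts_by_generation(names).items()
        if len(users) >= min_key_parts
    )


# Constructed sample: four Security Admins, Minimum Key Parts set to 2.
# Generation 8 has three parts saved; generation 9 (created later) has only one.
SAMPLE_FILES = [
    "secroot_10.238.66.235.key.gen8",
    "alice_10.238.66.235.key.gen8",
    "bob_10.238.66.235.key.gen8",
    "alice_10.238.66.235.key.gen8",   # same part downloaded twice
    "secroot_10.238.66.235.key.gen9",
    "notes.txt",                      # not a key part, ignored
]

if __name__ == "__main__":
    print("restorable generations (n=2):", restorable_generations(SAMPLE_FILES, 2))
```

Run it against a listing of the folder where Security Admins archived their parts to confirm, before taking a backup, that the current generation is fully covered.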