00:00:07,800 --> 00:01:52,620 Keeping the certificate and the corresponding key pair secure can be critical in some scenarios. For example, if you use a certificate to perform content encryption of emails or documents and you lose your public and private keys, you will not be able to access any data that is encrypted by using the certificate's public key. This data can include EFS-encrypted data and Secure/Multipurpose Internet Mail Extensions (S/MIME) protected emails. Therefore, archival and recovery of public and private keys are important. You can archive or back up your private key by exporting a certificate with a private key and storing it in a secure location, such as an alternative media source or cloud-based storage. However, this approach requires that each user back up his or her private key, which usually is not a reliable backup method. Another method is to centralize private key archival on the CA. Please note that in regular operations, the CA does not have access to a user's private key, as it is generated on the client side. Because of this, you must enable the archival of private keys explicitly on each certificate template where you want to have this functionality.
00:01:54,440 --> 00:05:50,890 What are the conditions for losing keys? You might lose keys because of the following situations. A user profile is deleted or corrupted: the CSP encrypts a private key and stores the encrypted private key in the local file system and registry in the user profile folder. Deletion or corruption of the profile results in the loss of the private key material. Another situation is when an operating system is reinstalled. When you reinstall the operating system, the previous installation's user profiles are lost, and so is the private key material. In this scenario, the computer certificates are also lost. Another situation is when a disk is corrupted. If a hard disk becomes corrupted and the user profile is unavailable, the private key material is lost automatically, in addition to the installed computer certificates. Another situation is when a computer is lost or stolen. If a user's computer is lost or stolen, the user profile and the private key material are also unavailable. Please note that losing a key pair or a certificate is not always critical. For example, if you lose a certificate used for digital signing or logon, you simply issue a new one, which will not affect any data. However, losing a certificate that was used for data encryption will result in the inability to access data. For that reason, key archival and recovery is critical.

Let's also talk about key archival and recovery agents. To use private key archival, you must enable this functionality on both the CA and specific certificate templates, as this functionality is not enabled by default on the CA or on any certificate template. To be able to archive private keys from certificates, you also must define the key recovery agent, or KRA. Key archival on the CA works from the moment that you fully configure it. It does not apply, however, to the certificates that were issued before you enabled this functionality. You use key archival and the KRA for data recovery in scenarios with a lost private key. The KRA is a user with the KRA certificate who can decrypt private keys stored in the AD CS database. When you enable key archival on the CA and on certificate templates, each private key is encrypted with a KRA public key and then stored in the CA database. As a result, the KRA's private key is necessary for decrypting the private key of any user. KRAs are users who can retrieve the original certificate, private key and public key that were used to encrypt the data.
00:05:52,850 --> 00:08:02,910 Do not confuse the KRA with a data recovery agent. The data recovery agent can decrypt EFS-encrypted data directly when the originating user's private key is not available. Alternatively, the KRA does not decrypt any data directly; it just decrypts archived private keys. You will learn about data recovery agent functionality later in this section. Now, to become a KRA, you must enroll a certificate that is based on the Key Recovery Agent template. After this certificate is issued to the designated user, a public key from the KRA certificate is imported to the CA, which enables key archival. From that moment, each certificate that is issued based on a template with enabled key archival will have its private key stored in the CA database and encrypted with the KRA's public key. Key recovery is a two-phase process. First, the certificate manager or CA administrator retrieves the encrypted file that contains the certificate and private key from the CA database. Next, the KRA uses its private key to decrypt the private key from the encrypted file and then returns the certificate and private key to the user. Please note that for security reasons, it is recommended that different people perform these two phases. By default, the KRA does not have permission to retrieve encrypted keys from a CA database.
00:08:04,550 --> 00:10:11,940 Now some words about security for key archival and recovery; it's about understanding key archival and recovery. When you have configured the CA to issue a KRA certificate, any user with Read and Enroll permission on the KRA certificate template can enroll and become a KRA. Members of the Domain Admins and Enterprise Admins groups receive these permissions by default. However, you must ensure that only trusted users are allowed to enroll for this certificate. Also, you have to ensure that the KRA's private key is stored in a secure manner and that the server where the keys are archived is in a separate physical and secure location. After the KRA certificate is issued, it is recommended that you remove this template from the CA. Also, it is recommended that you import the KRA's certificate only when a key recovery procedure is necessary. Note that key recovery implies that you can recover only the private key portion of a public/private key pair; private key recovery does not recover any data or messages. It merely enables the user to retrieve lost or damaged keys and an administrator to assume the role of a user for data access or data recovery purposes. In many applications, data recovery cannot occur without first performing key recovery. The key recovery procedure is as follows.
00:10:12,930 --> 00:11:41,840 First, a user requests a certificate from a CA and provides a copy of the private key as part of the request. The CA processes the request, archives the encrypted private key in the CA database, and issues a certificate to the requesting user. Second, an application such as EFS can use the issued certificate to encrypt sensitive files. Then, if at some point the private key is lost or damaged, the user can contact the organization's certificate manager to recover the private key. The certificate manager, with the help of the KRA, recovers the private key stored in a protected file format and then sends it back to the user. Afterwards, the user stores the recovered private key in the user's local store, and applications such as EFS can again use the key to decrypt previously encrypted files or to encrypt new ones. Next up, we'll be talking about configuring automatic key [inaudible].