Key Escrow
The Key Escrow mechanism in the PKI-as-a-Service Portal ensures mobility of keys. It uses XKEK Key Domains to manage groups and secure key storage.
Key wrapping and unwrapping in XKEK Key Domains uses a symmetric Key Encryption Key (KEK) that is the result of performing an ECDH operation at the sender and at the receiver of key material. Key Escrow uses a permanent receiver key pair, i.e. a static-ephemeral ECDH scheme. The ECDH key at the sender is newly generated for each transmission of key material to ensure freshness of the KEK.
The static ECDH key is called the Escrow Key. It must be generated inside the XKEK Key Domain and is bound to a single token. For business continuity you can use multiple tokens with an Escrow Key and send key material to all of them.
The KEK-encrypted key material is stored in the database and can only be accessed and distributed using the token with the Escrow Key. For secure backup, you could create an Escrow Key on a token, take the token offline and place it in a vault. You can then still send key material to escrow, but can only retrieve key material using the token with the Escrow Key.
Sending key material to escrow and receiving key material from escrow are inverse processes. To receive key material, it must first be unwrapped from escrow using the Escrow Key and then wrapped (encrypted) for the receiver. This happens internally in the token containing the Escrow Key, which is called Re-Wrapping, so the plaintext key material never leaves that token.
In order to use Key Escrow, a token must be part of the XKEK Key Domain. Managing the XKEK Key Domain involves the Group Signer that issues Key Domain Memberships for tokens. The generation and use of Group Signers is part of the Key Escrow functionality.
Users who shall be able to use Key Escrow must be enrolled by a Trust Center, as the portal needs to know which association exists between the user and the Trust Center.
You need to create a Trust Center and have a Trust Center token connected to the /core-rt/hsm endpoint before you can use Key Escrow.
Create Group Signer
To use Key Escrow you must first create a Group Signer. A Group Signer signs Key Domain Memberships that entitle a SmartCard-HSM card or token to join an XKEK Key Domain.
Make sure the token for Key Escrow is online.

From the CA menu select Create Group.

Next select from the list the Trust Center Token on which you would like to create the Group Signer key pair and press Save.

You can select the Key Domain in which you would like to generate the Group Signer. If the Key Domain list is not immediately visible (e.g. because the token is connected to a different backend service), press Enumerate Key Domains.

The Default Key Domain is the token itself, i.e. without association with a Key Domain.
The Group Name is a short unique identifier used as Key Reference.
The Group Label is a human readable name of the group.
If the entered data is valid and the Trust Center token is online and ready, you can create the Group Signer by pressing the Create Signer button.

Now that the Group Signer is created, you can switch to the Trust Center view.

The Group Signer shows up in the list of Trust Center holder elements.

You can see the full path of the Group Signer, which includes the device on which the signer was created. The view also shows the CHR with the link to the certificate and the Key Domain UID identifying the Key Domain maintained by this signer. The last column shows in which Key Domain the Group Signer was created.
The └0 link shows that the group does not have any members yet. You can click on the link to see the complete list.
Join Group
Now that you have founded the group, you can add tokens to the group. This has two layers: as a subject you, together with your token, are a member of the group, while the token itself is part of the Key Domain that forms the group. You are first added to the group with your token, and then this token becomes a member of the Key Domain. A group always has one active Group Signer, but over time new Group Signers can be created to reaffirm membership of tokens in a Key Domain.
Consider membership in the group the organizational part, while processing of the Key Domain Membership is the technical part.

First select the group you want to join. If there is more than one token, you also need to select the token with which you want to join.

After submitting the request, the organizational part of joining the group is complete. Now you need to issue the Key Domain Membership to allow the token to join the Key Domain. Click on the related service request.

This service request is assigned to the CA-Officer role of the Trust Center, as this involves issuing the Key Domain Membership, which is similar to issuing a certificate.

Now that the Key Domain Membership is issued, you can present it to the token and let the token join the Key Domain.

If you later want to remove the Key Domain from the token, you first need to remove all keys from the Key Domain and can then use Delete Key Domain.

In the Trust Center view you can now see that you are a member of the UTMYGRP1 group. You can also see in the token list that the token now has the Key Domain UTMYGRP100001. The suffix 00001 denotes the first Group Signer for this group.
Create Escrow Key
Now that the Trust Center token is part of the group and the token has the Key Domain, you can create the Escrow Key in that Key Domain. Select Create Escrow Key from the context menu on the Group Member element.

First select the token on which you would like to create the Escrow Key and press Save.

You need to define a unique name for the Key Escrow, which is used as Key Reference on the SmartCard-HSM.

After creating the Escrow Key, you can see a new entry in the Trust Center view.

The Key Escrow is still empty, as we have not yet sent any keys to it.
Send Key(s) To Escrow
To send a key to escrow, we first need an example key we can send. A precondition is that the key is in the same Key Domain. So we first add an additional Trust Center token and add that to the UTMYGRP1 group.

In that Key Domain we create an AES Test Key using the Smart Card Shell.

From the context menu of the Group Member select Send Key to Escrow.

If multiple Escrow Keys have been generated for this Key Domain, then you can select the one to which you would like to send keys.

Select the token from which you would like to send keys to escrow and press Enumerate Keys to see a list of keys that can be sent.

You can see that the AES-Test-Key is already selected. Press Send to Escrow to start the transfer.

Performing ECDH, establishing the KEK and wrapping one or more keys takes a little while, but eventually the process is completed. Now follow the My TrustCenter link to the Trust Center view.

The Key Escrow now contains the test key, including meta-data and certificates for asymmetric keys.

At this point the AES-Test-Key is stored in the database, encrypted with the Key Encryption Key that was the result of performing an ECDH key agreement between the public Escrow Key and the private ephemeral ECDH key on the sending token. The latter key has already been deleted at this time, so the only way to recover the key is by using the Escrow Key.
Receive Key(s) From Escrow
To demonstrate how a key can be retrieved from escrow we delete the AES-Test-Key on the second Trust Center token.
Select Receive Key From Escrow from the context menu of the Group Member element.

If multiple Escrow Keys have been generated for this Key Domain, then you can select the one from which you would like to receive keys.

Select the token for which you would like to receive keys.

To receive keys from escrow, an exchange ECDH key pair needs to be generated on the receiving token. Its public key is what the Escrow Key token re-wraps the key material for.

The request is then passed to the CA-Officer role of the Trust Center. A person with that role must select the key(s) that should be made available.

The selected key(s) now need to be retrieved from Escrow and rewrapped for the exchange ECDH key of the receiver.

In the last step, the keys are received from the portal and imported into the token.
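The wrap, store and re-wrap flow described in the overview above (a permanent Escrow Key on the receiving side, a fresh ephemeral ECDH key on the sending side, and Re-Wrapping inside the Escrow Key token for the receiver's exchange key) as an added Go example. This is not the portal's or the SmartCard-HSM's code; it assumes curve P-256, a single SHA-256 over the shared secret as KDF, AES-256-GCM with the Key Reference as additional authenticated data as the wrapping algorithm, and a constructed 32-byte test key standing in for AES-Test-Key. The function and type names are hypothetical.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Curve for all ECDH key pairs in this example (an assumption; the page does
// not name the curve used for XKEK on the SmartCard-HSM).
var curve = ecdh.P256()

// WrappedKey is the record the portal would keep in its database: the sender's
// one-time ECDH public key, a nonce and the AES-256-GCM wrapped key material.
// The Key Reference is bound to the ciphertext as GCM additional data.
type WrappedKey struct {
	KeyRef       string
	EphemeralPub []byte
	Nonce        []byte
	Ciphertext   []byte
}

// NewTokenKey generates an ECDH key pair as a token would, e.g. the static
// Escrow Key or a receiver's exchange key.
func NewTokenKey() (*ecdh.PrivateKey, error) {
	return curve.GenerateKey(rand.Reader)
}

// deriveKEK turns the ECDH shared secret into a 256-bit KEK. One SHA-256 over
// secret || label is a constructed KDF for this example, not the portal's.
func deriveKEK(shared []byte) []byte {
	sum := sha256.Sum256(append(append([]byte{}, shared...), "example-XKEK-KEK"...))
	return sum[:]
}

func newGCM(kek []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(kek)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// WrapFor is the sender side: fresh ephemeral ECDH key pair, ECDH agreement with
// the receiver's public key, AES-GCM wrapping under the derived KEK. The
// ephemeral private key is dropped when the function returns, so from then on
// only the receiver's private key can recompute the KEK.
func WrapFor(receiverPub *ecdh.PublicKey, keyRef string, material []byte) (WrappedKey, error) {
	eph, err := curve.GenerateKey(rand.Reader)
	if err != nil {
		return WrappedKey{}, err
	}
	shared, err := eph.ECDH(receiverPub)
	if err != nil {
		return WrappedKey{}, err
	}
	gcm, err := newGCM(deriveKEK(shared))
	if err != nil {
		return WrappedKey{}, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return WrappedKey{}, err
	}
	ct := gcm.Seal(nil, nonce, material, []byte(keyRef))
	return WrappedKey{KeyRef: keyRef, EphemeralPub: eph.PublicKey().Bytes(), Nonce: nonce, Ciphertext: ct}, nil
}

// UnwrapWith is the receiver side, run with the private key the material was
// wrapped for (the Escrow Key, or a receiving token's exchange key).
func UnwrapWith(priv *ecdh.PrivateKey, w WrappedKey) ([]byte, error) {
	senderPub, err := curve.NewPublicKey(w.EphemeralPub)
	if err != nil {
		return nil, err
	}
	shared, err := priv.ECDH(senderPub)
	if err != nil {
		return nil, err
	}
	gcm, err := newGCM(deriveKEK(shared))
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, w.Nonce, w.Ciphertext, []byte(w.KeyRef))
}

// ReWrap is what happens inside the token holding the Escrow Key: unwrap the
// stored record with the static key, then wrap the plaintext for the receiver's
// exchange public key. The plaintext never leaves this function.
func ReWrap(escrowKey *ecdh.PrivateKey, stored WrappedKey, receiverPub *ecdh.PublicKey) (WrappedKey, error) {
	plain, err := UnwrapWith(escrowKey, stored)
	if err != nil {
		return WrappedKey{}, err
	}
	return WrapFor(receiverPub, stored.KeyRef, plain)
}

func main() {
	escrow, _ := NewTokenKey()   // permanent Escrow Key on the vault token
	receiver, _ := NewTokenKey() // exchange key generated on the receiving token
	stored, _ := WrapFor(escrow.PublicKey(), "AES-Test-Key", []byte("constructed 32-byte AES test key"))
	rewrapped, _ := ReWrap(escrow, stored, receiver.PublicKey())
	got, err := UnwrapWith(receiver, rewrapped)
	fmt.Printf("received %q (err=%v)\n", got, err)
}
```

Two properties of the page's design show up directly in the code: after WrapFor returns, the sender's ephemeral private key no longer exists anywhere, so a stored record is useless without the Escrow Key; and because the Key Reference is authenticated data, a record relabelled in the database fails to unwrap rather than being silently imported under the wrong name.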
