SafeGuard LAN Crypt Administration >=3.51
Windows 7, Windows Vista, Windows XP
How to create and use the SafeGuard LAN Crypt Recovery Key?
In SafeGuard LAN Crypt you can generate a recovery key. You can use this key to assign a new certificate to a Security Officer when they log on to the SafeGuard LAN Crypt Database (click the "Assign certificate" button) if, for example, their certificate is damaged and can no longer be used. A recovery key can be split into several parts, and you can specify how many parts are necessary to assign a new certificate. The individual parts of the recovery key can be distributed to different Security Officers. The owners of the individual parts must be present when the recovery key is used, and they use a wizard to present their parts of the key. The recovery key, or its parts, can be entered manually or loaded from a file.
Creating the Recovery Key
To generate a recovery key, click on the Generate recovery key button on the Recovery Keys tab page.
This runs the wizard used to generate the recovery key.
Enter a hexadecimal value for the key in the input field or let SafeGuard LAN Crypt generate a value by clicking on the Random button. Using the drop-down menus, select how many parts the key is to contain and how many of them are necessary for using the recovery key. In our example the key is to have three parts, of which at least two are needed to assign a new Security Officer certificate during logon.
For each part of the key the Wizard displays a dialog in which you can specify whether the partial key is saved in a file or displayed on screen so you can write it down. Once all parts have been processed, the Wizard closes.
On the Recovery Key page, next to Default Recovery Key, you can see how many parts the key contains (in our example, 3) and how many of these parts are necessary to use it (in our example, 2).
Note: When you generate and distribute the parts of the recovery key, remember that they are extremely sensitive data. It is essential that you protect the recovery key against unauthorized access.
You can only ever use the most recently-generated recovery key.
Previously-generated recovery keys are no longer valid and cannot be used to assign a certificate.
Using the Recovery Key
If it is no longer possible to log on to the database (e.g. because a certificate has expired), click Assign certificate in the logon dialog to start the Recovery Key Wizard.
If, after you have selected a Security Officer, a dialog informs you that the certificate cannot be used, you can start the wizard from there.
Follow the instructions on the screen.
This wizard contains a dialog in which you can reset to 0 the number of Security Officers needed to change the settings for additional authorization.
This ensures that no situation can arise in which additional authorization is no longer possible because there are no Security Officers who can perform it.
If you activate this option, a single Security Officer can change the settings for additional authorization afterwards.