Recover Keys

Key recovery is necessary for two reasons:

• Users imported from another Key Management server need new keys. When Advanced Security users are exported from their original Key Management server, their certificates are revoked. Once they have been migrated to a new Key Management server, they can continue to use their old keys to read old encrypted e-mail, but those old keys are now bound to a certificate published to your organization's CRL. Therefore, new certificates and corresponding keys are necessary for users to create new encrypted messages. Key recovery is the final step of the export and import process, because imported users must have their keys recovered.
• Users can lose their existing keys, by forgetting their password, for example, or if the client computer experiences a hardware failure. Recovery prevents the user from losing their encrypted e-mail, and can recover potentially important information.

In key recovery, as in the enrollment process, the user is issued a token. The recovery token is issued the same way you choose to issue enrollment tokens, either through an administrator or by e-mail. After entering this recovery token in Outlook, a new signature key pair is created for the user. In addition, KMS returns all of the user's old keys. For imported users, a new encryption key pair is generated.

To recover keys:

1. Start System Manager
   On the Start menu, point to Programs, point to Microsoft Exchange, and then click System Manager.
2. In the console tree, click Advanced Security.
3. In the details pane, right-click Key Manager, point to All Tasks, and then click Recover Keys.
4. In the Key Management Service Login dialog box, type your password, and then click OK. The default password is password.

   Note   You will have to re-type your password each time you try to perform a task or click a tab in the Key Manager Properties dialog box.

5. To recover keys, in Recover Users Selection, you can perform one of the following tasks:
   • To recover one or more individuals' keys, choose Display an alphabetic list of user names from the global address book (the default), and then click OK. Your organization's address book will appear in Recover Users. Select one or more users, and then click Add to add them to the Selected users column. Click Recover and KMS will generate temporary keys for those users, which they can then use to get new keys through Outlook.
   • To recover keys for a group of users, choose Display mailbox stores, Exchange servers, and administrative groups of eligible users, and then click OK. Your organization's administrative groups will be displayed in Recover Users. Click to expand the appropriate administrative group, and continue expanding as necessary until you can select the desired node for recovery. All users in the node you select, and all of its sub-nodes, will receive temporary keys when you click Recover.
   When the process is finished, you will get a confirmation window telling you that all selected users were successfully recovered.

Related Topics