Decrypting a user's data with a recovery certificate
The recovery certificate is the safety net of a strong encryption solution. If a user loses access to their account and has not backed up their encryption key, the recovery certificate ensures that the data can still be decrypted. For example, if coworkers leave the company without decrypting all their data, that data can still be recovered in plaintext.
WARNING
The recovery certificate may come from another SDS Enterprise account, from which the public encryption certificate has been exported. Because the matching recovery private key can decrypt every file encrypted under a policy that includes this certificate, it is essential that this recovery account be strictly protected.
To look up the recovery certificates that the SDS Enterprise agent uses for every encryption operation:
- From the Windows task bar on the user workstation, right-click on the SDS Enterprise icon.
- Select Properties.
- Select the Configuration tab.
- Double-click on the Key ring icon.
- Select the Recovery tab. The certificates shown in the list are from the security policy. For more information, see the section Enabling data recovery.
Recovery certificates from an SDS Enterprise account or from another external source can be used.
- If the recovery certificate was generated from an SDS Enterprise account, use this account to decrypt the data.
- If the recovery certificate came from another source, export the private key and its certificate from that source as a PKCS#12 (.P12) file.
Next, create an SDS Enterprise account from this .P12 file and its associated password, then use that SDS Enterprise account to decrypt the data. For more information on creating accounts, refer to the section Importing keys.
You can create an account that has only the decryption function.
You can use the recovery certificate to decrypt all information encrypted by the original owner of the certificate, or encrypted for that user by a co-worker using the same certificate. However, you cannot decrypt information that came from an external source (for example, received e-mails), because it was not encrypted with the recovery certificate.
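The export step above requires a .P12 file that actually contains both the recovery private key and its certificate, opens with the password you will give the SDS Enterprise account, and holds a certificate usable for encryption. The following OpenSSL script is an added example, not SDS Enterprise tooling: it packages a PEM key and certificate into a .P12 and then checks the bundle before you import it. The self-signed certificate, file names and password are constructed for the demonstration; with a real recovery certificate you would start from the key and certificate exported by your PKI. It assumes OpenSSL 1.1.1 or later.

```shell
#!/bin/sh
# Added example (not part of SDS Enterprise): build and verify a PKCS#12
# bundle for import into a decryption-only SDS Enterprise account.
set -eu

WORK="${TMPDIR:-/tmp}/recovery-demo.$$"
mkdir -p "$WORK"
trap 'rm -rf "$WORK"' EXIT   # unencrypted key material must not linger on disk

# Constructed stand-in for "another source": a fresh RSA key and a
# self-signed certificate marked for encryption (keyEncipherment).
# A real recovery certificate comes from your PKI, not from here.
make_demo_material() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=Recovery demo" \
        -addext "keyUsage=critical,keyEncipherment,dataEncipherment" \
        -keyout "$WORK/recovery.key" -out "$WORK/recovery.crt" 2>/dev/null
}

# Export key + certificate as PKCS#12 (.p12). The password protects the
# private key in the file; it is the password you will enter when creating
# the SDS Enterprise account from this file.
export_p12() {
    password="$1"
    openssl pkcs12 -export -inkey "$WORK/recovery.key" -in "$WORK/recovery.crt" \
        -name "SDS recovery" -passout "pass:$password" -out "$WORK/recovery.p12"
}

# Verify the .p12 before handing it over:
#   1. it opens with the password,
#   2. it contains a private key (a certificate alone cannot decrypt),
#   3. the private key matches the certificate's public key,
#   4. the certificate allows key encipherment (an encryption certificate).
# Prints "ok" and returns 0 on success, returns 1 otherwise.
verify_p12() {
    p12="$1"; password="$2"
    openssl pkcs12 -in "$p12" -passin "pass:$password" -nodes -nocerts \
        -out "$WORK/k.pem" 2>/dev/null || return 1
    openssl pkcs12 -in "$p12" -passin "pass:$password" -nokeys -clcerts \
        -out "$WORK/c.pem" 2>/dev/null || return 1
    grep -q "PRIVATE KEY" "$WORK/k.pem" || return 1
    key_pub=$(openssl pkey -in "$WORK/k.pem" -pubout 2>/dev/null | openssl sha256)
    cert_pub=$(openssl x509 -in "$WORK/c.pem" -pubkey -noout 2>/dev/null | openssl sha256)
    [ "$key_pub" = "$cert_pub" ] || return 1
    openssl x509 -in "$WORK/c.pem" -noout -ext keyUsage 2>/dev/null \
        | grep -q "Key Encipherment" || return 1
    echo ok
}

# Demo run: constructed password, constructed material.
DEMO_PASSWORD='correct horse battery staple'
make_demo_material
export_p12 "$DEMO_PASSWORD"
verify_p12 "$WORK/recovery.p12" "$DEMO_PASSWORD"
```

Run the checks on the protected recovery workstation only: `verify_p12` writes the decrypted private key to a temporary file, which is exactly the material the warning above tells you to guard. A bundle that fails the key-matches-certificate test was exported from the wrong key pair and will create an SDS Enterprise account that cannot decrypt anything.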