Escrow Key Management
Overview
Escrow key management provides a secure mechanism for key recovery in the LAAVAT Platform. When escrow is configured for a product, cryptographic keys generated by the platform are additionally encrypted with an escrow public key. This ensures that if the original key holder loses access, the keys can be recovered by the escrow key holder without compromising the security of the overall system.
The Escrow Key Management page in the GUI allows administrators to upload, view, and manage escrow public keys associated with products.
When to use escrow
Escrow is recommended for production environments where key loss could result in significant operational impact, such as inability to sign firmware updates or decrypt protected data. Escrow provides a controlled recovery path without weakening day-to-day key security.
Key Format
The LAAVAT Platform supports GPG public keys for escrow purposes. Keys must be provided in ASCII-armored PEM format.
GPG Public Key Format
The escrow public key must be exported from GPG in ASCII-armored format. A valid key looks like this:

```text
-----BEGIN PGP PUBLIC KEY BLOCK-----
mQINBGR1234BEACz...
...
=abCD
-----END PGP PUBLIC KEY BLOCK-----
```
Key Requirements
| Requirement | Description |
|---|---|
| Format | ASCII-armored GPG public key (PEM format) |
| Algorithm | RSA, DSA, or ECC keys supported via GPG |
| Key Size | Minimum 2048 bits for RSA; 256 bits for ECC |
| Expiration | Keys with expiration dates are accepted; ensure the key will not expire during the expected escrow retention period |
Key security
The escrow private key corresponding to the uploaded public key must be stored securely offline. If the escrow private key is compromised, an attacker could decrypt all escrowed material. Consider storing the private key in a hardware security module (HSM) or on air-gapped media with physical access controls.
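As an added example (not part of the LAAVAT documentation or platform), the following Python script performs the checks from the Key Requirements table before a key is handed to the GUI: it tolerates stray whitespace around the block, verifies the armor's CRC-24 tail line, parses the leading OpenPGP Public-Key packet and enforces the 2048-bit RSA minimum. The helper names are mine, the sample key it builds is a constructed dummy packet rather than a real key, and ECC curve sizes are not checked.

```python
import base64
ARMOR_BEGIN = "-----BEGIN PGP PUBLIC KEY BLOCK-----"
ARMOR_END = "-----END PGP PUBLIC KEY BLOCK-----"
ALGOS = {1: "RSA", 17: "DSA", 18: "ECDH", 19: "ECDSA", 22: "EdDSA"}  # OpenPGP algorithm IDs

def crc24(data: bytes) -> int:  # OpenPGP armor checksum (RFC 4880 section 6.1)
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc = (crc << 1) ^ (0x1864CFB if crc & 0x800000 else 0)
    return crc & 0xFFFFFF

def dearmor(text: str) -> bytes:  # strip armor, tolerate stray whitespace, verify the "=xxxx" CRC line
    lines = [ln.strip() for ln in text.strip().splitlines()]
    if lines[0] != ARMOR_BEGIN or lines[-1] != ARMOR_END:
        raise ValueError("not an ASCII-armored PGP public key block")
    body = lines[1:-1]
    while body and (body[0] == "" or ": " in body[0]):  # skip "Version:"-style armor headers
        body.pop(0)
    crc_line = body.pop() if body and body[-1].startswith("=") else None
    data = base64.b64decode("".join(body), validate=True)
    if crc_line and crc24(data) != int.from_bytes(base64.b64decode(crc_line[1:]), "big"):
        raise ValueError("armor CRC-24 mismatch: key block is corrupted or truncated")
    return data

def validate_escrow_key(text: str) -> dict:  # checks from the Key Requirements table; raises on failure
    data = dearmor(text)
    hdr = data[0]
    if hdr & 0x40:  # new-format header: tag in the low 6 bits, 1/2/5-octet length (no partial lengths)
        tag, off = hdr & 0x3F, 2 if data[1] < 192 else 3 if data[1] < 224 else 6
    else:           # old-format header (0x99, as in the "mQIN..." sample above): tag in bits 2-5
        tag, off = (hdr >> 2) & 0x0F, 1 + (1, 2, 4)[hdr & 3]  # length type 3 is invalid for key packets
    if tag != 6 or data[off] != 4:
        raise ValueError(f"expected a v4 public-key packet, got tag {tag} version {data[off]}")
    algo = data[off + 5]  # packet body: version(1) creation-time(4) algorithm(1) key fields
    bits = int.from_bytes(data[off + 6:off + 8], "big") if algo in (1, 17) else None  # MPI bit length of n / p
    if algo == 1 and bits < 2048:
        raise ValueError(f"RSA key is {bits} bits; escrow requires at least 2048")
    return {"algorithm": ALGOS.get(algo, f"unknown({algo})"), "bits": bits}

def build_sample_key(bits: int = 2048) -> str:  # constructed dummy v4 RSA key packet, NOT a real key
    n = bits.to_bytes(2, "big") + b"\x80" + b"\x00" * (bits // 8 - 1)  # MPI with a placeholder modulus
    body = b"\x04" + b"\x00" * 4 + b"\x01" + n + b"\x00\x11\x01\x00\x01"  # v4, time 0, RSA, n, e=65537
    packet = b"\x99" + len(body).to_bytes(2, "big") + body  # old-format header: tag 6, 2-octet length
    b64 = base64.b64encode(packet).decode()
    crc = "=" + base64.b64encode(crc24(packet).to_bytes(3, "big")).decode()
    return "\n".join([ARMOR_BEGIN, ""] + [b64[i:i + 64] for i in range(0, len(b64), 64)] + [crc, ARMOR_END])
```

Run `validate_escrow_key(open("escrow-public-key.asc").read())` on a real export; a key that passes here still has to be accepted by the platform, which is the authority on format.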
Generating a GPG Key Pair
If you do not already have a GPG key pair for escrow, you can generate one using the following commands:

```bash
# Generate a new GPG key pair
gpg --full-generate-key
# Export the public key in ASCII-armored format
gpg --armor --export your-email@example.com > escrow-public-key.asc
```
Dedicated escrow key
Create a dedicated GPG key pair specifically for escrow purposes. Do not reuse personal or organizational signing keys. This simplifies key management and limits the blast radius if the key is compromised.
Product Association
Each escrow key is associated with a specific product and a user name identifying the escrow key holder.
Association Fields
| Field | Format | Description |
|---|---|---|
| Product ID | UUID (e.g., 550e8400-e29b-41d4-a716-446655440000) | The unique identifier of the product this escrow key protects. |
| User Name | String | The name or identifier of the person or role responsible for the escrow key. |
| Public Key | ASCII-armored GPG public key | The escrow public key used to encrypt recoverable key material. |
One escrow key per product
Each product can have at most one active escrow key. Uploading a new escrow key for a product that already has one will replace the existing key. Ensure that the previous escrow private key is retained if any material was encrypted with it.
Uploading an Escrow Key
- Navigate to Escrow > Key Management.
- Click Add Escrow Key (or the equivalent action button).
- Fill in the required fields:
  - Product -- Select or enter the product UUID.
  - User Name -- Enter the name of the escrow key holder.
  - Public Key -- Paste the ASCII-armored GPG public key.
- Click Save to upload the key.
Viewing Escrow Keys
The escrow key list displays all currently configured escrow keys:
| Column | Description |
|---|---|
| Product | The product associated with the escrow key. |
| User Name | The escrow key holder's name. |
| Key Fingerprint | The GPG fingerprint of the uploaded public key for verification. |
| Created | The date and time the escrow key was uploaded. |
Removing an Escrow Key
To remove an escrow key:
- Locate the key in the escrow key list.
- Click the Delete action.
- Confirm the deletion in the dialog.
Removing an escrow key
Removing an escrow key does not decrypt or destroy previously escrowed material. The corresponding private key is still needed to recover any material that was encrypted with the removed public key. Retain the private key for as long as escrowed material may need to be recovered.
Key Recovery Process
When key recovery is needed, the process typically involves:
- Retrieve the escrowed material from the LAAVAT Platform (via API or support request).
- Decrypt the material using the escrow private key:

  ```bash
  gpg --decrypt escrowed-material.gpg > recovered-key.pem
  ```

- Verify the recovered key matches the expected key by comparing fingerprints or performing a test operation.
Recovery testing
Periodically test the escrow recovery process to ensure that the escrow private key is accessible and that the recovery workflow functions correctly. Discovering a problem during an actual key loss event is far more costly than during a routine drill.
Troubleshooting
| Issue | Possible Cause | Resolution |
|---|---|---|
| Key upload fails with format error | The key is not in ASCII-armored format or contains extra whitespace | Re-export the key with gpg --armor --export and try again |
| Cannot find a product to associate | The product does not exist yet | Create the product first in the Products section |
| Decryption of escrowed material fails | Wrong private key or corrupted escrow material | Verify the private key fingerprint matches the public key that was configured at the time of escrow |