Key Recovery

NeySlim edited this page Jun 16, 2026 · 2 revisions

Key Recovery (Escrow)

UCM stores server-generated private keys encrypted at rest (the database is encrypted with master.key). Key recovery lets an authorised operator retrieve an archived private key — for example when an employee leaves and their encrypted data must be recovered — through a dual-control, fully-audited workflow. Recovering a private key is the most sensitive operation in UCM, so it never happens with a single click.

Workflow

request  ──►  approve / reject  ──►  recover (download PKCS#12)
(reason)      (admin, four-eyes)      (once, after approval)
  1. Request — anyone with write:key_recovery opens a request for a certificate that has an archived private key, with a mandatory reason. From a certificate's detail window, use Recover key.
  2. Approve / reject — an admin (admin:key_recovery) decides on Governance → Key Recovery. By default dual control is on: the approver must be a different user than the requester (four-eyes).
  3. Recover — once approved, the requester (or an admin) downloads the key as a password-protected PKCS#12 (.p12). This can be done once; the request is then marked recovered.

Every step (requested, approved, rejected, recovered, and denied attempts) is written to the audit log with the actor, certificate and reason.

Permissions

Permission           Grants
read:key_recovery    View the Key Recovery page and requests
write:key_recovery   Open a request, and download an approved key
admin:key_recovery   Approve / reject requests

Built-in roles: operator gets read/write, admin gets everything (*). So an operator can request and collect, while an admin must approve — separation of duty by role.

Dual control

Four-eyes approval is enabled by default — the approver must differ from the requester. To allow an admin to self-approve (small / single-admin deployments), you can disable it. Leave it on for production.

Since v2.172 there are two ways to control it:

  • Settings → Security → Key Recovery — a Dual control (four-eyes) toggle (admin only). This is the normal way to manage it from the UI.
  • KEY_RECOVERY_DUAL_CONTROL environment variable — an operator escape hatch. When set, it overrides the stored setting: an explicit false / 0 / no disables dual control, anything else enables it. While the variable is set, the Settings toggle is shown read-only so it is clear the value comes from the environment.

Resolution order: environment variable → Settings toggle → default (on).
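The resolution order above and the four-eyes rule at approve time, as an added example that is not UCM's own code: a small Python model of the logic. The names resolve_dual_control, can_approve and DualControlPolicy, and the permission set passed to the approver check, are assumptions; KEY_RECOVERY_DUAL_CONTROL, the false / 0 / no values and the permission names come from this page.

```python
import os
from dataclasses import dataclass

# From this page: the env var that overrides the stored Settings toggle, and the
# explicit values that disable dual control. Any other set value enables it.
ENV_VAR = "KEY_RECOVERY_DUAL_CONTROL"
DISABLE_VALUES = {"false", "0", "no"}


@dataclass(frozen=True)
class DualControlPolicy:            # hypothetical type, not UCM's own
    enabled: bool
    source: str                     # "environment", "settings" or "default"
    toggle_read_only: bool          # Settings toggle is read-only while the env var is set


def resolve_dual_control(env_value, stored_setting):
    """Resolution order from the page: environment variable -> Settings toggle -> default (on).

    env_value: raw string from the environment, or None when the variable is unset.
    stored_setting: the Settings toggle (True/False), or None when never saved.
    """
    if env_value is not None:
        enabled = env_value.strip().lower() not in DISABLE_VALUES
        return DualControlPolicy(enabled, "environment", True)
    if stored_setting is not None:
        return DualControlPolicy(bool(stored_setting), "settings", False)
    return DualControlPolicy(True, "default", False)


def can_approve(policy, requester, approver, approver_permissions):
    """Four-eyes check (hypothetical helper). The approver needs admin:key_recovery
    (or the '*' wildcard the built-in admin role carries); with dual control on, the
    approver must differ from the requester. Returns (allowed, reason) so a denied
    attempt can be written to the audit log with the actor."""
    if not ({"admin:key_recovery", "*"} & set(approver_permissions)):
        return False, "denied: approver lacks admin:key_recovery"
    if policy.enabled and approver == requester:
        return False, "denied: dual control requires a different approver"
    return True, "approved"


if __name__ == "__main__":
    # Stand-alone run: read the real env var, pretend the toggle was never saved.
    policy = resolve_dual_control(os.environ.get(ENV_VAR), stored_setting=None)
    print(policy)
    print(can_approve(policy, "alice", "alice", {"*"}))                # self-approval
    print(can_approve(policy, "alice", "bob", {"admin:key_recovery"})) # four-eyes
```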

What can be recovered

End-entity certificate private keys that UCM generated server-side and archived (the certificate shows Has key). Keys provided by an external CSR (where UCM never held the private key) cannot be recovered — there is nothing archived.

The recovered .p12 contains the leaf certificate, its chain and the private key, protected by the password you provide at download time. Handle it like any other key material.