
Key Recovery

NeySlim edited this page Jun 13, 2026 · 2 revisions

Key Recovery (Escrow)

UCM stores server-generated private keys encrypted at rest (the database is encrypted with master.key). Key recovery lets an authorised operator retrieve an archived private key — for example when an employee leaves and their encrypted data must be recovered — through a dual-control, fully-audited workflow. Recovering a private key is the most sensitive operation in UCM, so it never happens with a single click.

Workflow

request  ──►  approve / reject  ──►  recover (download PKCS#12)
(reason)      (admin, four-eyes)      (once, after approval)
  1. Request — anyone with write:key_recovery opens a request for a certificate that has an archived private key, with a mandatory reason. From a certificate's detail window, use Recover key.
  2. Approve / reject — an admin (admin:key_recovery) decides on Governance → Key Recovery. By default dual control is on: the approver must be a different user than the requester (four-eyes).
  3. Recover — once approved, the requester (or an admin) downloads the key as a password-protected PKCS#12 (.p12). This can be done once; the request is then marked recovered.

Every step (requested, approved, rejected, recovered, and denied attempts) is written to the audit log with the actor, certificate and reason.

Permissions

| Permission | Grants |
|---|---|
| read:key_recovery | View the Key Recovery page and requests |
| write:key_recovery | Open a request, and download an approved key |
| admin:key_recovery | Approve / reject requests |

Built-in roles: operator gets read/write, admin gets everything (*). So an operator can request and collect, while an admin must approve — separation of duty by role.

Dual control

Four-eyes approval is enabled by default. To allow an admin to self-approve (small / single-admin deployments), set the system config key key_recovery_dual_control to false. Leave it on for production.

What can be recovered

End-entity certificate private keys that UCM generated server-side and archived (the certificate shows Has key). Keys provided by an external CSR (where UCM never held the private key) cannot be recovered — there is nothing archived.

The recovered .p12 contains the leaf certificate, its chain and the private key, protected by the password you provide at download time. Handle it like any other key material.
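The workflow, permission model, dual-control setting and "archived key only" rule described above, modelled as one small state machine. This is an added illustration written for this page, not UCM's own code: the class and method names are hypothetical, `archived` stands in for the set of certificates that show Has key, and the returned string is a placeholder for the password-protected .p12.

```python
from dataclasses import dataclass
# Built-in roles as the page describes them: operator gets read/write, admin gets everything.
ROLE_PERMS = {"operator": {"read:key_recovery", "write:key_recovery"}, "admin": {"*"}}

def has_perm(role, perm):
    grants = ROLE_PERMS.get(role, set())
    return "*" in grants or perm in grants

@dataclass
class RecoveryRequest:
    cert_id: str
    requester: str
    reason: str
    status: str = "requested"  # requested -> approved | rejected -> recovered

class KeyRecovery:  # hypothetical model of the UCM workflow, not the project's code
    def __init__(self, archived, dual_control=True):
        self.archived = archived          # cert ids whose private key UCM archived ("Has key")
        self.dual_control = dual_control  # stands in for the key_recovery_dual_control setting
        self.audit = []                   # (event, actor, cert, reason); denied attempts included
    def _deny(self, event, actor, cert_id, why):
        self.audit.append((event + "_denied", actor, cert_id, why))
        raise PermissionError(why)
    def request(self, user, role, cert_id, reason):
        if not has_perm(role, "write:key_recovery"):
            self._deny("request", user, cert_id, "missing write:key_recovery")
        if cert_id not in self.archived:
            self._deny("request", user, cert_id, "no archived key (external CSR)")
        if not reason.strip():
            self._deny("request", user, cert_id, "reason is mandatory")
        self.audit.append(("requested", user, cert_id, reason))
        return RecoveryRequest(cert_id, user, reason)
    def decide(self, req, user, role, approve):
        if not has_perm(role, "admin:key_recovery"):
            self._deny("approve", user, req.cert_id, "missing admin:key_recovery")
        if req.status != "requested":
            self._deny("approve", user, req.cert_id, "request is already " + req.status)
        if self.dual_control and user == req.requester:
            self._deny("approve", user, req.cert_id, "four-eyes: approver must differ from requester")
        req.status = "approved" if approve else "rejected"
        self.audit.append((req.status, user, req.cert_id, req.reason))
    def recover(self, req, user, role):
        if not (has_perm(role, "admin:key_recovery") or
                (user == req.requester and has_perm(role, "write:key_recovery"))):
            self._deny("recover", user, req.cert_id, "only the requester or an admin may download")
        if req.status != "approved":
            self._deny("recover", user, req.cert_id, "request is " + req.status)
        req.status = "recovered"  # one-time download: a second attempt is denied above
        self.audit.append(("recovered", user, req.cert_id, req.reason))
        return "pkcs12-bundle:" + req.cert_id  # placeholder for the password-protected .p12
```

Walking a request through `request`, `decide` and `recover` and then reading `audit` shows every step, including the denied self-approval and the denied second download, as separate entries.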
