Transmitting encryption keys between Administration Servers

If the data encryption feature is enabled on a managed device, the encryption key is stored on the Administration Server. The encryption key is used to access encrypted data and to manage the encryption policy.

The encryption key must be transmitted to another Administration Server in the following cases:

You reconfigure Network Agent on a managed device to assign the device to another Administration Server. If this device contains encrypted data, the encryption key must be transmitted to the target Administration Server. Otherwise, the data cannot be decrypted.
You encrypt a removable drive connected to a device D1 that is managed by the Administration Server S1, and then you connect this removable drive to a device D2 managed by the Administration Server S2. To access to the data on the removable drive, the encryption key must be transmitted from the Administration Server S1 to the Administration Server S2.
You encrypt a file on a device D1 managed by the Administration Server S1, and then you try to access the file on a device D2 managed by the Administration Server S2. To access the file, the encryption key must be transmitted from the Administration Server S1 to the Administration Server S2.

You can transmit encryption keys the following ways:

Automatically, by enabling the Use hierarchy of Administration Servers to obtain encryption keys option in the properties of two Administration Servers between which an encryption key must be transmitted. If this option is disabled for one of the Administration Servers, the automatic transmission of encryption keys is not possible.
When you enable the Use hierarchy of Administration Servers to obtain encryption keys option in an Administration Server properties, the Administration Server sends all of the encryption keys stored in its repository to the primary Administration Server (if any) one level up in the hierarchy.

When you try to access encrypted data, the Administration Server first searches the encryption key in its own repository. If the Use hierarchy of Administration Servers to obtain encryption keys option is enabled and the required encryption key has not been found in the repository, the Administration Server additionally sends a request to the primary Administration Servers (if any) to provide the required encryption key. The request will be sent to all of the primary Administration Servers up to the server on the highest level of the hierarchy.

The Use hierarchy of Administration Servers to obtain encryption keys option is currently not available in the Web Console interface. If you don't have access to the MMC-based Administration Console, use the primary Administration Server to manage encrypted devices.

Manually from one Administration Server to another by exporting and importing the file containing the encryption keys.
The export and import of encryption keys are actions that are included in the Encryption key management feature. To perform these actions, configure the access rights to the feature for users of Kaspersky Security Center as follows:
- Grant the Read access right to the Encryption key management feature for a user that exports encryption keys from the secondary Administration Server.
- Grant the Write access right to the Encryption key management feature for a user that imports encryption keys to the target Administration Server.

To enable automatic transmission of encryption keys between Administration Servers within the hierarchy:

In the console tree, select the Administration Server for which you want to enable automatic transmission of encryption keys.
In the context menu of the Administration Server, select Properties.
In the properties window, select the Encryption algorithm section.
Enable the Use hierarchy of Administration Servers to obtain encryption keys option.
Click OK to apply the changes.

The encryption keys will be transmitted to primary Administration Servers (if any) at the next synchronization (the heartbeat). This Administration Server will also provide, upon request, an encryption key from its repository to a secondary Administration Server.

To transmit encryption keys between Administration Servers manually:

In the console tree of Administration Server, select the secondary Administration Server from which you want to transmit encryption keys.
In the context menu of the Administration Server, select Properties.
In the properties window, select the Encryption algorithm section.
Click the Export encryption keys from Administration Server.
Make sure that a user that exports encryption keys from the Server is granted the Read access right to the Encryption key management feature.
In the Export encryption keys window:
- Click the Browse button, and then specify where to save the file.
- Specify a password to protect the file from unauthorized access.
  Remember the password. A lost password cannot be retrieved. If the password is lost, you have to repeat the export procedure. Therefore, make a note of the password and keep it handy.
Transmit the file to another Administration Server, for example, through a shared folder or removable drive.
On the target Administration Server, make sure that Kaspersky Security Center Administration Console is running.
In the console tree of Administration Server, select the target Administration Server where you want to transmit encryption keys.
In the context menu of the Administration Server, select Properties.
In the properties window, select the Encryption algorithm section.
Click Import encryption keys to Administration Server.
Make sure that a user that imports encryption keys to the Server is granted the Write access right to the Encryption key management feature.
In the Import encryption keys window:
- Click the Browse button, and then select the file containing encryption keys.
- Specify the password.
Click OK.

The encryption keys are transmitted to the target Administration Server.