Transmitting encryption keys between Administration Servers

If the data encryption feature is enabled on a managed device, the encryption key is stored on the Administration Server. The encryption key is used to access encrypted data and to manage the encryption policy.

The encryption key must be transmitted to another Administration Server in the following cases:

You can transmit encryption keys in the following ways:

To enable automatic transmission of encryption keys between Administration Servers within the hierarchy:

  1. In the main menu, click the settings icon next to the name of the required Administration Server.

    The Administration Server properties window opens.

  2. In the properties window, select the Encryption algorithm section.
  3. Enable the Use hierarchy of Administration Servers to obtain encryption keys option.
  4. Click OK to apply the changes.

The encryption keys will be transmitted to primary Administration Servers (if any) at the next synchronization (the heartbeat). This Administration Server will also provide, upon request, an encryption key from its repository to a secondary Administration Server.

To transmit encryption keys between Administration Servers manually:

  1. In the main menu, click the settings icon next to the name of the Administration Server from which you want to export encryption keys.

    The Administration Server properties window opens.

  2. In the properties window, select the Encryption algorithm section.
  3. Click Export encryption keys from Administration Server.

    Make sure that a user that exports encryption keys from the Server is granted the Read access right to the Encryption key management feature.

  4. In the Export encryption keys window:
    • Click the Browse button, and then specify where to save the file.
    • Specify a password to protect the file from unauthorized access.

      Remember the password. A lost password cannot be retrieved. If the password is lost, you have to repeat the export procedure. Therefore, make a note of the password and keep it handy.

  5. Transmit the file to another Administration Server, for example, through a shared folder or removable drive.
  6. Click the settings icon next to the name of the Administration Server to which you want to import the encryption keys.

    The Administration Server properties window opens.

  7. In the properties window, select the Encryption algorithm section.
  8. Click Import encryption keys to Administration Server.

    Make sure that a user that imports encryption keys to the Server is granted the Write access right to the Encryption key management feature.

  9. In the Import encryption keys window:
    • Click the Browse button, and then select the file containing encryption keys.
    • Specify the password.
  10. Click OK.

The encryption keys are transmitted to the target Administration Server.

Automatic transmission of encryption keys between Administration Servers does not work when the secondary Administration Server is in the demilitarized zone (DMZ). Use the manual method instead.
