In Best Practices, Blog, Identity and Access Management (IAM)

Key Escrow

Key escrow is a method of storing important cryptographic keys. Each key stored in an escrow system is tied to the original user and subsequently encrypted for security purposes. Much like a valet or coat check, each key is stored in relation to the user that leverages it, and then returned once queried. By using key escrow, organizations can ensure that in the case of catastrophe, be it a security breach, lost or forgotten keys, natural disaster, or otherwise, their critical keys are safe.

Why is Key Escrow Important?

Compromised security keys are a certain death knell for IT organizations, regardless of their size or industry. Unfortunately, manually managing cryptographic keys is not an ideal way to keep such a critical resource secure. Oftentimes, an end user may keep security keys in easily accessible files on their machine, or inadvertently in an unsecured document on the public network. In the event of a breach, the resources tied to these keys will certainly be the first to be compromised.

With key escrow, these vital security keys are kept secure via additional encryption, and can only be accessed by the user that needs them, limiting the amount of contact from non-trusted users. Additionally, some compliance and law enforcement regulations require some sort of key escrowing so that, if necessary, escrowed keys can be accessed for official purposes.

While it may not be used very widely across a given organization, the occasions for key escrow are certainly significant.

When Do You Use Key Escrow?

Public SSH Keys

IT organizations can use key escrow in several scenarios. One might consider public SSH key management a form of key escrow. When a user needs an SSH key pair to access their cloud infrastructure (i.e. AWS®), a public and private key are generated. The private key is kept by the service the user authenticates to using their public key.

Since SSH keys are generally longer and more complex than traditional passwords, they are often harder to remember as a result. So, by using a key escrow system for the system-stored public keys, IT organizations can worry less about their users losing their SSH key pairs, and subsequently, their access to critical, protected resources.

Full Disk Encryption

Another important time to use key escrow is when using full disk encryption (FDE). When a system’s hard drive is encrypted using FDE, it is locked down at rest, and can only be unlocked in one of two ways. The first way, of course, is directly logging into the system with an authorized user’s credentials. The other method is by using the recovery key: a unique, complex password that is tied directly to the encrypted disk.

Much like with public SSH keys, key escrow alleviates the burden of securely managing FDE recovery keys from both end users and IT admins. Unlike manually managing keys, however, key escrow is usually carried out by a third party service. So, how can you enable key escrow for your organization?

How to Leverage Key Escrow

Several vendors focus solely on delivering key escrowing services. These solutions provide standard key escrowing, although the keys are not directly tied to their source (i.e. cloud infrastructure for SSH keys, systems for FDE). Some (although certainly not all) solutions (i.e. FDE tools for Bitlocker or FileVault) include key escrowing in their core delivery, escrowing solely the security keys the solution itself creates. Savvy IT admins, however, are looking at the problem of key escrow more holistically.

At its core, the concept behind key escrow is identity and access management (IAM). Said differently, securely managing user identities and resource access is the main reason organizations need key escrow. Historically, the main driver of IAM in any IT organization is the directory service. Since key escrow and IAM are so closely intertwined, wouldn’t it seem right to have a directory service with key escrow built right in?

Key Escrow and IAM from the Cloud

JumpCloud® Directory-as-a-Service® is the world’s first cloud directory service and has reimagined IAM for the modern era. As a part of its centralized, all-in-one IAM offering, Directory-as-a-Service (DaaS) gives admins the ability to securely escrow their org’s public SSH keys and FDE recovery keys in tandem and relation to the identities of the users that leverage them. This means that, using JumpCloud Policies, DaaS admins can also enforce FDE across entire system fleets, as well as manage SSH keys for AWS or other cloud infrastructure solutions.

These key escrowing features are only a small part of the big picture of the IAM capabilities of DaaS. JumpCloud grants user access to virtually all IT resources they leverage, starting at the system level and federating out to applications, file servers, networks, and more. What’s more, the DaaS platform does so regardless of those users’ choice of platform, protocol, or provider, no matter where they choose to work (on-prem or remote).

If such a directory service seems interesting to you, why not try JumpCloud for yourself? We realize that no two organizations are the same, so we give you the option to see how Directory-as-a-Service will work for yours with ten free users in the platform, forever. After you give it a try, you can scale JumpCloud to your organization with our affordable pricing. If you have any questions, or would like to learn more about key escrow and DaaS, write us a note or give us a call today.

Recent Posts