Escrow Groups
How does the Escrow Recovery Process Work Within Escrow Groups?
Your private key is split into 3 parts if your institution has 3 escrow groups. To recover the private key, all parts must be put together (1/3 or 2/3 parts will not work). Each escrow group selects one escrow user to supply its part of the key.
Scenario
- Key spread: the parts k1, k2 and k3 are distributed, one to each escrow group.
- Escrow groups: A, B and C, with a minimum of two members each: A1, A2; B1, B2; and C1, C2.
- Recovery happens in a Zoom meeting where all escrow users are present.
- To perform the key recovery, all escrow groups decide to designate B2 this time.
- Next, C1 or C2 and A1 or A2 have to share their group's part with B2.
- B2 now has all parts, k1, k2 and k3, having received the parts held by the other escrow groups.
- B2 then recovers the key that recovers the private key in the back-end.
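The all-parts-required property from the scenario, as an added example that is not this product's code: the page does not say how the key is split, so the example assumes XOR-based splitting, with a SHA-256 check value (also an assumption) so that an incomplete set of parts is rejected instead of yielding a wrong key. The names split_key, recover_key and demo are hypothetical.

```python
import hashlib
import hmac
import secrets
from functools import reduce


def _xor(a: bytes, b: bytes) -> bytes:
    if len(a) != len(b):
        raise ValueError("parts must all have the same length")
    return bytes(x ^ y for x, y in zip(a, b))


def split_key(key: bytes, groups: int = 3) -> tuple[list[bytes], bytes]:
    """Return one part per escrow group plus a SHA-256 check value."""
    if groups < 2:
        raise ValueError("need at least two escrow groups")
    # All but the last part are fresh randomness; the last part is the key
    # XORed with every random part, so any incomplete set is just noise.
    parts = [secrets.token_bytes(len(key)) for _ in range(groups - 1)]
    parts.append(reduce(_xor, parts, key))
    return parts, hashlib.sha256(key).digest()


def recover_key(parts: list[bytes], check: bytes) -> bytes:
    """Combine the parts; raise if the set is incomplete or a part is wrong."""
    candidate = reduce(_xor, parts)
    if not hmac.compare_digest(hashlib.sha256(candidate).digest(), check):
        raise ValueError("recovery failed: missing or incorrect part")
    return candidate


def demo() -> dict[str, bool]:
    key = secrets.token_bytes(32)          # constructed stand-in key
    (k1, k2, k3), check = split_key(key)   # one part per group A, B, C
    results = {"3/3": recover_key([k1, k2, k3], check) == key}
    for label, subset in (("2/3", [k1, k2]), ("1/3", [k1])):
        try:
            recover_key(subset, check)
            results[label] = True
        except ValueError:
            results[label] = False
    return results


if __name__ == "__main__":
    print(demo())
```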
The escrowing process leaves a long audit trail, is very slow, and involves a lot of people. Each escrow user is asked for a picture, ID, and physical identification.
If a user loses their private key, the entire leadership will know that they lost it.
As a user who lost the key, once the escrow has been finalized, you will be given the recovered private key and a temporary password to log in with, which you then replace with a new password.
You must add escrow users into a group before registering any user accounts into the system.
We recommend at least two escrow users in each escrow group.