Sun Microsystems, Inc.  Sun System Handbook - ISO 4.1 October 2012 Internal/Partner Edition

Asset ID: 1-71-1330911.1
Update Date:2011-06-20
Keywords:

Solution Type  Technical Instruction Sure

Solution  1330911.1 :   KMS - Quorum Question, Using KMS and has set up a Key Split Quorum  


Related Items
  • Oracle Key Manager
Related Categories
  • PLA-Support>Sun Systems>TAPE>Backup Software-Filesystems>SN-TP: Encryption




In this Document
  Goal
  Solution


Applies to:

Oracle Key Manager - Version: 2.0.0 and later   [Release: 2.0 and later ]
Information in this document applies to any platform.

Goal

A customer is using KMS and has set up a Key Split Quorum of 3, but 1 person left the company and didn't pass on his passphrase.
A second passphrase is in doubt, but they may be able to guess it. The third passphrase is known.
The questions are:

Will repeated guessing of the passphrase cause any problem, e.g. the data getting locked?
What options are there if they cannot guess the second passphrase?

Solution

What is the key split threshold number: 1, 2 or 3?
You can try to guess the passphrase as many times as you like; it will not lock anything.

If you cannot meet the quorum threshold then you really are in trouble: basically you cannot add new KMAs if one goes bad.
Since you do not know the quorum, you also will not be able to restore the database.
Basically you have to start over again: you have to copy all encrypted tapes over to drives with no encryption, or install a new KMS cluster set up with encrypted drives to copy the data from the tapes.

To avoid this issue, we recommend a high key split size (number of users) with a low threshold, as far as the customer's security policy allows,
e.g. a key split of 10 with a threshold of 3.

Engineering has no secret password to reset the Quorum.
Attachments
This solution has no attachment
  Copyright © 2012 Sun Microsystems, Inc.  All rights reserved.