When the encryption key is lost all of the information it was used to protect becomes cryptographically erased. This means that the data will never be decrypted again regardless of the reason the key was lost, whether it is a hardware failure, a software bug, a human error or some other disaster. This type of loss is referred to as a catastrophic key loss and it can have a devastating effect on the business in terms of lost revenue, destroyed competitive advantage, regulatory ramifications or even going out of business.
When considering the use of encryption technology it is important to understand that there must be a process for key recovery or else it will not be effective. The decision as to if and when a key is needed for recovery should be made on the basis of the type of key (signature, authentication or encryption), what it will be used for, who owns the key, will the recovered data be useful and the lifecycle of the key [2].
It is recommended that a back up key be created and maintained for any encrypted information. The backup keys should be separated and secured in different locations depending upon the category of the key and a procedure for recovery must be developed and communicated to all employees and contractors. It is also recommended that a key rotation process be implemented to prevent excessive re-use of any given key which makes the data susceptible to cracking by malicious actors.
