Key Escrow

Information Security Guideline

Introduction

  1. This guideline is meant to provide assistance with key escrow, which is a method of storing the keys (passphrases or passwords) used to encrypt and decrypt information so that they can be recovered if they are lost.
  2. This guideline has been issued by the Chief Information Officer to supplement the Cryptographic Controls standard. Compliance with this guideline is recommended, but not mandatory. Questions about this guideline may be referred to information.security@ubc.ca.
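To make the mechanism concrete, the following is an added worked example (not part of this guideline, and not UBC IT's escrow implementation) of the key-wrapping pattern that key escrow relies on: a randomly generated data key protects the information, and that data key is stored wrapped under both the User's passphrase and a separate escrow key held by the recovery service. Losing the passphrase then costs nothing but a recovery request, because the escrow copy still unwraps the same data key. The wrapping construction here (HMAC-SHA256 keystream plus an HMAC tag) is an illustrative stand-in built only from the Python standard library, not a standard key-wrap algorithm; `derive_kek`, `provision`, `recover_from_escrow` and `rotate_passphrase` are names chosen for this example.

```python
import hashlib
import hmac
import secrets

# --- Illustrative wrapping primitives (assumption: a stand-in for a real key-wrap / AEAD) ---

def derive_kek(passphrase: str, salt: bytes) -> bytes:
    """Derive a 256-bit key-encryption key from a User passphrase with PBKDF2-HMAC-SHA256."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"), salt, 100_000, dklen=32)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256 (toy construction for this example only)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def wrap(kek: bytes, data_key: bytes) -> bytes:
    """Encrypt-then-MAC the data key: returns nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(16)
    ciphertext = bytes(a ^ b for a, b in zip(data_key, _keystream(kek, nonce, len(data_key))))
    tag = hmac.new(kek, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def unwrap(kek: bytes, blob: bytes) -> bytes:
    """Verify the tag first, then recover the data key; wrong KEK raises ValueError."""
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(kek, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong key or corrupted escrow record")
    return bytes(a ^ b for a, b in zip(ciphertext, _keystream(kek, nonce, len(ciphertext))))


# --- Key escrow workflow ---

def provision(passphrase: str, escrow_kek: bytes):
    """Create a fresh data key and store it wrapped under the passphrase AND the escrow key.

    The escrow service only ever holds escrow_kek and the wrapped record; the data key
    itself never needs to be stored in the clear anywhere.
    """
    data_key = secrets.token_bytes(32)
    salt = secrets.token_bytes(16)
    record = {
        "salt": salt,
        "user_wrapped": wrap(derive_kek(passphrase, salt), data_key),
        "escrow_wrapped": wrap(escrow_kek, data_key),
    }
    return data_key, record


def unlock_with_passphrase(record: dict, passphrase: str) -> bytes:
    """Normal path: the User's passphrase unwraps the data key."""
    return unwrap(derive_kek(passphrase, record["salt"]), record["user_wrapped"])


def recover_from_escrow(record: dict, escrow_kek: bytes) -> bytes:
    """Recovery path: the escrow key unwraps the same data key when the passphrase is lost."""
    return unwrap(escrow_kek, record["escrow_wrapped"])


def rotate_passphrase(record: dict, escrow_kek: bytes, new_passphrase: str) -> dict:
    """After a recovery, re-wrap the unchanged data key under a new passphrase.

    Only the User's copy changes; the escrow copy is left as-is, so the encrypted
    information does not need to be re-encrypted.
    """
    data_key = recover_from_escrow(record, escrow_kek)
    salt = secrets.token_bytes(16)
    return {**record, "salt": salt, "user_wrapped": wrap(derive_kek(new_passphrase, salt), data_key)}


if __name__ == "__main__":
    # Constructed sample values: the escrow key would live on the recovery service, not on the device.
    escrow_key = secrets.token_bytes(32)
    data_key, record = provision("correct horse battery staple", escrow_key)
    assert unlock_with_passphrase(record, "correct horse battery staple") == data_key
    assert recover_from_escrow(record, escrow_key) == data_key
    record = rotate_passphrase(record, escrow_key, "new passphrase after recovery")
    assert unlock_with_passphrase(record, "new passphrase after recovery") == data_key
    print("escrow recovery and passphrase rotation succeeded")
```

The two wrapped copies are what make escrow both recoverable and private: the User's passphrase and the escrow key are independent, so neither side can be reconstructed from the other, and a failed unwrap is detected by the tag check rather than silently yielding garbage.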

Security and Privacy of Key Escrow

  1. Key escrow provides a secure and private method of recovering keys used to encrypt information.
  2. Key escrow cannot be used to track the location of an individual. The only IP address that is recorded is the IP address assigned by a wireless access point, which is typically a private address that is not routable on the public Internet (in the 10.0.0.0 - 10.255.255.255, 172.16.0.0 - 172.31.255.255 or 192.168.0.0 - 192.168.255.255 ranges). These IP addresses are not unique and cannot be used to track a User’s location.
  3. Additionally, UBC’s encryption service is only accessible on campus or via VPN, which means that UBC can only record UBC-owned IP addresses; if Users connect from off-campus via the VPN, the system records only the IP address assigned by UBC.

UBC's Key Escrow Service

  1. The encryption packages that UBC IT currently supports offer key escrow services. These services are automatically enabled for all users of these encryption packages.
  2. Once the key escrow service is enabled, Users may use it to recover keys at any time by calling the UBC IT Help Desk.

Alternatives to Key Escrow

  1. The following are alternatives to key escrow:
    1. use a Password Safe (see the Password Safe guideline for more information);
    2. print out the key and lock it in a safe;
    3. save the key file to a USB drive and lock it in a safe; or
    4. if using Apple's FileVault, read the following "Set a FileVault recovery key for computers in your organization" article (https://support.apple.com/en-us/HT202385).

Related Documents and Resources

  1. Policy SC14, Acceptable Use and Security of UBC Electronic Information and Systems
  2. Cryptographic Controls standard

Guideline Last Revised: 2021-02