2. Physical Security

2.1. Safes and Data organization

If your offline CA consists of one offline notebook and you want to ensure dual control and no single point of failure then you can the following method as an example: use one IT module safe and two data safes. An IT module safe is a safe with its own climatization and UPC which has the same physical protection level like a safe. This safe is used to allow nonstop operation of the notebook which reduces time and availability problems. All three safes should have two locks. This ensures dual access control by key sharing. The setup is really simple and really efficient too.

The organization of the safes is really easy. You split the CA passphrase into two parts - front and back. The organization of the data and computers is like follows:

  1. The IT module safe includes the notebook (with the CA private key) and the front part of the passphrase.

  2. The first data safe includes the backups (including the private key backups) and the back part of the passphrase.

  3. The second data safe includes the front and back parts of the passphrase.

This organization ensures that one broken safe doesn't corrupt the infrastructure. It is important to immediately start a roll out of a new infrastructure but there is no reason for panic. This arrangement also ensures that a loss of one safe doesn't stop your operation. You need two safes to survive and the loss of one safe is acceptable at minimum for a short period of time.

Please remember that this is a really simple idea for medium risk CAs. High risk CAs should use more complex schemes to tolerate more than one broken safe. They should be able to tolerate at least two broken safes to have a longer schedule for the roll-out of a new CA.

2.2. Buildings

This is more an area for a facility manager. The rooms with the PKI safes inside should have solid walls and a door with two locks. The room including the climatization system should be fire proof for 90 minutes (F90). The room and the entry should be camera observed. The cameras in the room itself should show the persons but not the keyboards and monitors. Papers should not be readable. The recorder for the camera should record one week at minimum. The room should also have an alarm system and must be safe against electro magnetic pulse (EMP) and water flooding. This is only a short summary of ideas. Please ask some assurance specialists or architects for more details.