ISC2 Systems Security Certified Practitioner (SSCP) Practice Question
Your security team is designing a hybrid PKI for workloads running on AWS. Compliance demands that a safeguarded copy of the offline root CA's private key be stored at a trusted external site, and that recovering the key must require authorization from at least two senior executives. Which PKI key-management practice fulfills this requirement?
Use envelope encryption to wrap the root key with an AWS KMS customer managed key before exporting it.
Implement key escrow with split-knowledge, requiring multiple custodians to release the escrowed private key.
Enable certificate pinning on clients and configure OCSP stapling to reduce reliance on key backup.
Schedule periodic key rotation using hardware security modules (HSMs) to generate new root CA keys annually.
Storing a duplicate of a critical private key with a trusted third-party, while enforcing that multiple authorized individuals must cooperate to retrieve and use it, is the essence of key escrow with split (or dual) control. Key escrow provides a securely held backup of the key outside the primary location, and split-knowledge/multi-person control ensures that no single individual can unilaterally access or misuse the key. Key rotation changes keys on a schedule but does not guarantee recoverability; key wrapping only protects keys in transit or storage but does not address shared control; certificate pinning and OCSP stapling are certificate validation techniques, not key recovery methods.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What is key escrow with split-knowledge?
Open an interactive chat with Bash
What is an offline root CA, and why is it important?
Open an interactive chat with Bash
How does split-knowledge differ from multi-party authorization?
Open an interactive chat with Bash
ISC2 Systems Security Certified Practitioner (SSCP)
Cryptography
Your Score:
Report Issue
Bash, the Crucial Exams Chat Bot
AI Bot
Loading...
Loading...
Loading...
Pass with Confidence.
IT & Cybersecurity Package
You have hit the limits of our free tier, become a Premium Member today for unlimited access.
Military, Healthcare worker, Gov. employee or Teacher? See if you qualify for a Community Discount.
Monthly
$19.99 $11.99
$11.99/mo
Billed monthly, Cancel any time.
$19.99 after promotion ends
3 Month Pass
$44.99 $26.99
$8.99/mo
One time purchase of $26.99, Does not auto-renew.
$44.99 after promotion ends
Save $18!
MOST POPULAR
Annual Pass
$119.99 $71.99
$5.99/mo
One time purchase of $71.99, Does not auto-renew.
$119.99 after promotion ends
Save $48!
BEST DEAL
Lifetime Pass
$189.99 $113.99
One time purchase, Good for life.
Save $76!
What You Get
All IT & Cybersecurity Package plans include the following perks and exams .