Vol. 1 · Ed. 2026
CyberGlossary
Entry № 660

Key Escrow

Reviewed by Cybersecurity entrepreneur & security researcher

What is Key Escrow?

Key Escrow: An arrangement in which copies of cryptographic keys are stored with a trusted third party so they can be recovered by authorized entities under defined conditions.


Key escrow is the practice of depositing a copy of one or more cryptographic keys with a designated trustee — an enterprise key-management system, an HSM, a vendor, or a government — so the keys can be recovered when the original holder is unavailable, has lost them, or when lawful access is required. Enterprises commonly escrow disk-encryption recovery keys (BitLocker, FileVault, LUKS) and email-encryption keys to avoid data loss when employees leave or hardware fails. Government-mandated escrow schemes such as the 1993 Clipper Chip have historically been highly controversial because they weaken end-to-end security and create a high-value target. Good design uses split keys (Shamir Secret Sharing), strong access controls, and detailed audit logs to limit risk.

Examples

  1. Microsoft BitLocker can escrow recovery keys to Active Directory or Microsoft Entra ID.

  2. An organization's PKI escrows decryption keys for S/MIME so encrypted email can be recovered after a key loss.

Frequently asked questions

What is Key Escrow?

An arrangement in which copies of cryptographic keys are stored with a trusted third party so they can be recovered by authorized entities under defined conditions. It belongs to the Cryptography category of cybersecurity.

How do you defend against Key Escrow?

Defences for Key Escrow typically combine technical controls and operational practices, as detailed in the full definition above.

What are other names for Key Escrow?

Common alternative names include: Key recovery, Escrowed keys.
