Key Archival in Jellyfish
The Jellyfish PKI (Public Key Infrastructure) suite includes robust support for private key archival, enabling organisations to meet security, compliance, and operational continuity requirements.
Under typical circumstances, when certificates are issued, the associated private keys are generated and stored solely on the end user’s device. This approach aligns with best practices for key ownership and minimises exposure by ensuring that private keys are not centrally retained.
However, there are many real-world scenarios where organisations may require the ability to recover private keys, particularly for encryption use cases. For example, access to encrypted data may be permanently lost if a user leaves the organisation, forgets their credentials, or has a device that is damaged or compromised. To mitigate this risk, Jellyfish provides optional key archival capabilities that allow organisations to securely retain recoverable copies of private keys.

When key archival is enabled, private keys are stored only in encrypted form. These archived keys are protected using Key Encryption Keys (KEKs) that are backed by a Hardware Security Module (HSM), so the KEKs themselves are generated, stored, and used within a tamper-resistant environment and are never exported from it. As a result, even if the archival storage were accessed without authorisation, the archived private keys would remain encrypted and unusable, because decrypting them requires an operation by the HSM-held KEK.
This layered security model ensures that key archival does not compromise the overall integrity of the PKI environment. Instead, it provides a controlled and auditable mechanism for key recovery, balancing strong security practices with practical operational needs.
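As an added illustration of the wrap-and-recover pattern described above (example code written for this page, not Jellyfish's own implementation, whose internals the page does not describe), the Go program below archives a PKCS#8-encoded private key as an AES-256-GCM ciphertext under a KEK and recovers it only when the same KEK, KEK identifier and certificate serial are presented. Assumptions: the KEK is held in process memory so the example runs offline (a real HSM would perform the seal and open internally), and the KEK identifier and certificate serial are bound as additional authenticated data.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
)

// ArchivedKey is all the archival store holds; the KEK itself stays inside the HSM.
type ArchivedKey struct {
	KEKID      string // which HSM-resident KEK wrapped this record
	Nonce      []byte
	WrappedKey []byte // AES-256-GCM ciphertext of the PKCS#8-encoded private key
}

// kekAEAD builds the AES-GCM wrapper for a 32-byte KEK. Assumption: the KEK sits in
// process memory only so this runs offline; a real HSM seals and opens internally.
func kekAEAD(kek []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(kek)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// aad binds a record to one KEK and one certificate serial, so it can be neither
// re-labelled for another certificate nor unwrapped under a different KEK.
func aad(kekID, serial string) []byte { return []byte(kekID + "\x00" + serial) }

// Archive wraps a PKCS#8-encoded private key; the store receives only the result.
func Archive(kekID string, kek []byte, serial string, pkcs8 []byte) (*ArchivedKey, error) {
	gcm, err := kekAEAD(kek)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return &ArchivedKey{KEKID: kekID, Nonce: nonce, WrappedKey: gcm.Seal(nil, nonce, pkcs8, aad(kekID, serial))}, nil
}

// Recover unwraps a record; it fails closed (returns no plaintext) on a wrong KEK,
// a wrong serial, or any modification of the stored ciphertext.
func Recover(kek []byte, serial string, rec *ArchivedKey) ([]byte, error) {
	gcm, err := kekAEAD(kek)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, rec.Nonce, rec.WrappedKey, aad(rec.KEKID, serial))
}
```

Because GCM authenticates the ciphertext and the bound identifiers, a recovery attempt with the wrong KEK, the wrong serial or a modified record returns an error and no key material, which is the fail-closed behaviour an archival service needs.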
