PrepAway - Latest Free Exam Questions & Answers

Which of the following allows a company to maintain access to encrypted resources when employee
turnover is high?

A. Recovery agent

B. Certificate authority

C. Trust model

D. Key escrow

Explanation:
If an employee leaves and we need access to data he has encrypted, we can use the key recovery agent
to retrieve his decryption key. We can use this recovered key to access the data.
A key recovery agent is an entity that has the ability to recover a key, key components, or plaintext
messages as needed. As opposed to escrow, recovery agents are typically used to access information that
is encrypted with older keys.
Incorrect Answers:
B: A certificate authority (CA) is an organization. A CA is responsible for issuing, revoking, and distributing
certificates. A CA cannot recover keys.
C: A trust model is a collection of rules that informs applications how to decide the legitimacy of a digital
certificate. A trust model cannot recover keys.
D: Key escrow is not used to recover old keys.
Key escrow addresses the possibility that a third party may need to access keys. Under the conditions of
key escrow, the keys needed to encrypt/decrypt data are held in an escrow account (think of the term as
it relates to home mortgages) and made available if that third party requests them. The third party in
question is generally the government, but it could also be an employer if an employee’s private messages
have been called into question.

Dulaney, Emmett and Chuck Easttom, CompTIA Security+ Study Guide, 6th Edition, Sybex, Indianapolis,
2014, pp. 262, 279-280, 285-289
