2. Physical Security

2.1. Safes and Data Organization

If your offline CA consists of one offline notebook and you want to ensure dual control and no single point of failure, you can achieve this, for example, with one IT module safe and two data safes. An IT module safe is a safe with its own climate control and UPS (uninterruptible power supply) that offers the same physical protection level as a normal safe. It allows the notebook to run nonstop, which reduces startup delays and availability problems. All three safes should have two locks; this enforces dual access control by sharing the keys between two persons. This is really simple and really efficient too.

The organization of the safes is really easy. You split the CA passphrase into two parts, a front part and a back part. The data and computers are then distributed as follows:
  1. The IT module safe includes the notebook (with the CA private key) and the front part of the passphrase.

  2. The first data safe includes the backups (including the private key backups) and the back part of the passphrase.

  3. The second data safe includes the front and back parts of the passphrase.

This organization ensures that one broken safe does not compromise the infrastructure: no single safe contains both a copy of the private key and the complete passphrase. You should still start the rollout of a new infrastructure immediately, but there is no reason for panic. The arrangement also ensures that the loss of one safe does not stop your operation: any two safes together hold a copy of the private key and both parts of the passphrase. You need two safes to survive, so the loss of one safe is acceptable, at least for a short period of time.

Please remember that this is a really simple scheme for medium-risk CAs. High-risk CAs should use more complex schemes that tolerate more than one broken safe. They should be able to tolerate at minimum two broken safes, which leaves a longer schedule for the roll-out of a new CA.
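To make the properties of this arrangement checkable rather than argued by hand, the following Python script (an added example, not part of the original guide) models each safe as the set of items it holds and computes two numbers: how many safes an attacker must open before obtaining both a private key copy and the complete passphrase, and how many safes may be lost before the remaining ones can no longer operate the CA. The safe and item names are constructed for the example. It also runs the same check on a constructed faulty variant in which the second data safe additionally holds a key backup, to show how one misplaced item defeats the scheme. The two checks are generic over any number of safes and items, so they apply equally to the larger arrangements recommended above for high-risk CAs.

```python
from itertools import combinations

# Constructed model of the three-safe arrangement from section 2.1.
# Item and safe names are illustrative, not taken from the original guide.
KEY_ITEMS = {"ca_private_key", "ca_private_key_backup"}
PASSPHRASE_ITEMS = {"passphrase_front", "passphrase_back"}

GUIDE_ARRANGEMENT = {
    "it_module_safe": {"ca_private_key", "passphrase_front"},
    "data_safe_1": {"ca_private_key_backup", "passphrase_back"},
    "data_safe_2": {"passphrase_front", "passphrase_back"},
}

# Constructed faulty variant: a key backup has also been put into the second
# data safe, so one safe now holds a key copy and the complete passphrase.
FAULTY_ARRANGEMENT = {
    "it_module_safe": {"ca_private_key", "passphrase_front"},
    "data_safe_1": {"ca_private_key_backup", "passphrase_back"},
    "data_safe_2": {"ca_private_key_backup", "passphrase_front", "passphrase_back"},
}


def items_in(safes, opened):
    """Union of everything held by the given safes."""
    found = set()
    for name in opened:
        found |= safes[name]
    return found


def can_operate(safes, opened):
    """True if the opened safes together yield a key copy and the whole passphrase."""
    found = items_in(safes, opened)
    return bool(found & KEY_ITEMS) and PASSPHRASE_ITEMS <= found


def attacker_threshold(safes):
    """Smallest number of safes that together yield key + full passphrase.

    Returns None if even all safes together are insufficient.
    """
    names = list(safes)
    for k in range(1, len(names) + 1):
        if any(can_operate(safes, subset) for subset in combinations(names, k)):
            return k
    return None


def loss_tolerance(safes):
    """Largest number of safes that can be lost, in any combination, while the
    remaining safes still allow the CA to operate. -1 means not even the full
    set of safes is sufficient."""
    names = set(safes)
    tolerated = -1
    for k in range(0, len(names) + 1):
        survives = all(
            can_operate(safes, names - set(lost))
            for lost in combinations(sorted(names), k)
        )
        if not survives:
            break
        tolerated = k
    return tolerated


def single_safe_exposure(safes):
    """Names of safes whose contents alone yield key + passphrase (should be empty)."""
    return sorted(name for name in safes if can_operate(safes, [name]))


def summarize(safes):
    """Collect the three checks for one arrangement."""
    return {
        "attacker_threshold": attacker_threshold(safes),
        "loss_tolerance": loss_tolerance(safes),
        "single_safe_exposure": single_safe_exposure(safes),
    }


if __name__ == "__main__":
    for label, arrangement in (("guide", GUIDE_ARRANGEMENT), ("faulty", FAULTY_ARRANGEMENT)):
        print(label, summarize(arrangement))
```

Run the script directly to print both summaries. With the guide's arrangement an attacker must open two safes and any single safe may be lost; with the faulty variant the second data safe alone is enough for an attacker, which is exactly the single point of failure the two-part passphrase is meant to remove. When designing a scheme for a high-risk CA, the goal is an arrangement where attacker_threshold is at least 3 and loss_tolerance is at least 2.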

2.2. Buildings

This is more an area for a facility manager. The rooms with the PKI safes inside should have four solid walls and a door with two locks. The room, including the climate control system, should be fire-resistant for 90 minutes (F90). The room and its entry should be monitored by cameras. The cameras in the room itself should show the persons but not the keyboards and monitors; papers should not be readable. The camera recorder should retain at least one week of footage. The room needs an alarm system. The room must also be protected against electromagnetic pulse (EMP) and water. This is only a short note; please ask assurance specialists or architects for more details.