3.4.3 Escrow Keys


Escrow (see Section 3.8) allows accounts to designate some of their members as Escrow Administrators (EAs), who can access other account members’ (escrowees’) encrypted data to support features like legal discovery, retention, and accidental loss prevention. When an account enables escrow, each account member is prompted with an unskippable notification to add a virtual device, the escrow device, to their device list. The escrow device’s secret keys are encrypted for the EAs.

The escrowee (or potentially one of their account’s EAs) can rotate their escrow device’s key (and therefore concurrently rotate their PUKs) whenever one of the EAs’ devices with access to the escrowee’s keys is revoked (see Section 3.8.2).


Last updated 3 months ago