About changing recovery passwords

If the Recovery Password must be changed, the administrator must be aware that the previous Recovery Password will still be in effect for earlier backups of the File Server.

The Recovery Password should only be changed if mandated for security reasons, such as a compromised password. If possible, the Recovery Password should never be changed. Changing or establishing a Recovery Password will never aid in restoring existing user data. In fact, it can make it more difficult: changing the Recovery Password can result in multiple Recovery Passwords being in use at the same time.

For example, consider the case where a Recovery Password "pwd1" is established when DLO is installed. Each user's encryption key is encrypted with the Recovery Password and stored on the File Server. When the File Server is backed up, the backup copies all use the Recovery Password "pwd1". If the Recovery Password is subsequently changed to "pwd2", the user encryption keys on the File Server are re-encrypted with the new Recovery Password. Subsequent backups of the File Server will use the Recovery Password "pwd2". Now there are backups of the File Server using both "pwd1" and "pwd2" as the Recovery Password. When the Emergency Restore feature is used, the administrator must use the Recovery Password that was in effect when the File Server was backed up.
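
The "pwd1"/"pwd2" scenario above, as an added Python sketch that is not DLO code. The wrapping construction (a PBKDF2-derived pad plus an HMAC tag), the iteration count, and the function and user names are assumptions for illustration only; DLO's actual key format is not described here.

```python
import hashlib
import hmac
import os

def _derive(password, salt):
    # 64 bytes from PBKDF2: 32-byte masking pad + 32-byte MAC key (assumed parameters).
    okm = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000, dklen=64)
    return okm[:32], okm[32:]

def wrap_key(user_key, recovery_password):
    """Protect a 32-byte user encryption key under the Recovery Password."""
    salt = os.urandom(16)  # fresh salt per wrap, so the pad is never reused
    pad, mac_key = _derive(recovery_password, salt)
    ct = bytes(a ^ b for a, b in zip(user_key, pad))
    tag = hmac.new(mac_key, salt + ct, hashlib.sha256).digest()
    return {"salt": salt, "ct": ct, "tag": tag}

def unwrap_key(blob, recovery_password):
    pad, mac_key = _derive(recovery_password, blob["salt"])
    expected = hmac.new(mac_key, blob["salt"] + blob["ct"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, blob["tag"]):
        raise ValueError("wrong Recovery Password for this copy of the key store")
    return bytes(a ^ b for a, b in zip(blob["ct"], pad))

def change_recovery_password(store, old, new):
    # Re-wraps only the live key store; backups already taken are untouched.
    return {user: wrap_key(unwrap_key(blob, old), new) for user, blob in store.items()}

def emergency_restore(backup, recovery_password):
    return {user: unwrap_key(blob, recovery_password) for user, blob in backup.items()}

def scenario():
    # Constructed sample data: two users with random 32-byte keys.
    keys = {"alice": os.urandom(32), "bob": os.urandom(32)}
    store = {user: wrap_key(key, "pwd1") for user, key in keys.items()}
    backup1 = dict(store)                       # backed up while "pwd1" is in effect
    store = change_recovery_password(store, "pwd1", "pwd2")
    backup2 = dict(store)                       # backed up while "pwd2" is in effect
    results = {}
    for name, backup in (("backup1", backup1), ("backup2", backup2)):
        for pwd in ("pwd1", "pwd2"):
            try:
                results[(name, pwd)] = emergency_restore(backup, pwd) == keys
            except ValueError:
                results[(name, pwd)] = False
    return results

if __name__ == "__main__":
    for (backup, pwd), ok in scenario().items():
        print(f"{backup} restored with {pwd}: {'ok' if ok else 'FAILED'}")
```

Each backup restores only with the password in effect when it was taken, which is why a record of every Recovery Password and the period it was in effect has to be kept for as long as the corresponding backups are retained.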