Video Screencast Help
New Company Name and Logo Announced. Learn More.

What Exactly is the Recovery Key?

Created: 01 May 2013 | 3 comments

We have SEP 12.1.2 MP1 installed on the server with the SEP manager. I was looking in the SEP Manager folder in program files on the server SEPM is installed on and noticed a folder "Server Private Key Backup," what exactly is this? We do a back up of the database weekly but I don't believe we back this up. What exactly is it and would it be needed if we had to restore from a database back up for some reason?

Operating Systems:

Comments 3 CommentsJump to latest comment

Brɨan's picture

It contains the files needed in the event of a disaster recovery procedure. If you don't have these, you would need to re-install SEPM and manually connect all the clients.

Preparing for disaster recovery

Article:HOWTO80825  |  Created: 2012-10-24  |  Updated: 2013-01-30  |  Article URL

Symantec Endpoint Protection 12.1: Best Practices for Disaster Recovery with the Symantec Endpoint Protection Manager

Article:TECH160736  |  Created: 2011-05-24  |  Updated: 2013-04-04  |  Article URL

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

Mithun Sanghavi's picture


Check this Article:

Contents of the Symantec Endpoint Protection 12.1 recovery file

Certificates are the industry standard for authenticating and encrypting sensitive data. To prevent the reading of information as it passes through routers in the network, data should be encrypted.

To communicate with the clients, the management server uses a server certificate. For the management server to identify and authenticate itself with a server certificate, Symantec Endpoint Protection Manager encrypts the data by default. However, there are situations where you must disable encryption between the server and the client.

The management server supports the following types of certificates:

  • JKS Keystore file (.jks) (default)

    A Java tool that is called keytool.exe generates the keystore file. The Java Cryptography Extension (.jceks) format requires a specific version of the Java Runtime Environment (JRE). The management server supports only a .jceks keystore file that is generated with the same version as the Java Development Kit on the management server.

    The keystore file must contain both a certificate and a private key. The keystore password must be the same as the key password. You can locate the password in the following file:

    Drive:\\Program Files\Symantec\ Symantec Endpoint Protection Manager\Server Private Key Backup\ The password appears in the keystore.password= line.

  • PKCS12 keystore file (.pfx and .p12)

  • Certificate and private key file (.der and .pem format)

    Symantec supports unencrypted certificates and private keys in the .der or the .pem format. .Pkcs8-encrypted private keys are not supported.

Secondly, Check this Article:

About server certificates

Hope that helps!!

Mithun Sanghavi
Senior Consultant

Don't forget to mark your thread as 'SOLVED' with the answer that best helped you.

Chetan Savade's picture


When you install the Symantec Endpoint Protection Manager, a file named recovery <timestamp>.zip is created. This file contains the information that is required to restore communication between a Symantec Endpoint Protection Manager and the Symantec Endpoint Protection clients. You use this file if the manager needs to be reinstalled for any reason. During the re-installation process, you are prompted to select the recovery file.

Key components of the recovery file

  • The server private key (the tomcat keystore)
  • The server private key password (to unlock the tomcat keystore)
  • The encryption password (also known as the “KCS Key”)
  • The DomainID
  • The Apache SSL keys
  • Configured TCP port numbers

Symantec strongly recommends that you back-up your recovery file and store it in a safe place whenever you install, re-install, or reconfigure the manager. See the Symantec Endpoint Protection and Symantec Network Access Control Implementation Guide for more information about using and backing up the recovery file.


  • The recovery file does not restore policies or groups, which are stored in the Symantec Endpoint Protection Manager database. If the database requires recovery, you must restore it from a backup. See the Symantec Endpoint Protection and Symantec Network Access Control Implementation Guide for more information about recovering the Symantec Endpoint Protection Manager database .
  • Additional recovery files will be generated when upgrading to a newer version or after some configuration changes. The filename format is:


Contents of the Symantec Endpoint Protection 12.1 recovery file

Chetan Savade
Sr.Technical Support Engineer, Endpoint Security
Enterprise Technical Support

Don't forget to mark your thread as 'SOLVED' with the answer that best helps you.<