← All controls

55 Air-gapped recovery identity

A recovery identity, and the materials it needs, kept wholly outside the tenant and offline — so a total domain compromise still leaves a way back in. It is the assumption of failure made concrete: every other recovery path in this catalog runs through something the attacker now controls.

Caveats

This is a process control — it is carried out offline, so there is no Admin Console walkthrough to show.

Ongoing maintenance

How to verify

  1. Open the kit under custody rules and inventory it against the manifest: recovery identity credentials, DNS registrar access, printed runbooks — then re-seal with fresh serials.

v0.0.2Recover policy #11 · #13, #16 (gap G4) ↗