Hi all, I have some questions about KRA operation. These questions came up as part of my PKCS #12 AES key bag encryption effort. 1) the kra.allowEncDecrypt.recovery setting controls whether unwrapping the archived key takes place on a crypto token (the default) or within Dogtag. It seems to be an instance-wide setting. What is the purpose of this setting? Is it just a provision for environments that do not support the key (un)wrapping on a token? Or does it have some other purpose? 2) When kra.allowEncDecrypt.recovery is false, the private keys being recovered accumulate in the /etc/pki/pki-tomcat/alias NSSDB (i.e. the NSS internal token). Presumably the same occurs for hardware tokens, too. The unwrapping of the archived key in RecoveryService.recoverKey() calls with boolean temporary = false; This seems like the wrong behaviour... why would we want to keep the key in the token? Thanks, Fraser