Key escrow provides for offline storage of users' private keys in an encrypted database for backup and recovery. Once an escrow database is created for an organization, it cannot be removed from the system or made inactive.

If an RAO is given permission to issue client certificates and the organization is configured for key escrow, the next time that RAO logs in to the CMS, s/he will be prompted to initialize a database of encryption keys. Upon doing so, a master decryption key will be issued to the RAO. The RAO should immediately take steps to secure the master decryption key. Failure to do so will render the key escrow feature useless.
