A cloud deployment appliance includes a key stored internally and that is used during restore to decrypt encrypted backup images. That key is not available to an administrator of the appliance; instead, the administrator receives a “value” that has been generated externally to the appliance and, in particular, by applying a public key of a public key pair to the key. The value is possessed by the administrator, but it does not expose the key. Upon a given occurrence, such as a disk failure in the appliance, the administrator uses the value to obtain” the key, which is then used to restore an encrypted backup image. The key is obtained by having the administrator provide the value to an entity, e.g., the appliance manufacturer, who then recovers the key for the administrator (by applying the private key of the public key pair).