Currently, key pairs in the KeyRecoveryData table are encrypted and decrypted using the CA's defaultKey. This does not work with delegated key recovery, since we don't want the CA to have the keys.
Instead, it should be possible to select a key for encrypting locally generated key pairs on the RA. See ECA-5954 for the GUI part.