Key-encrypting keys

Key-encrypting keys protect a key that is sent to another system, received from another system, or stored with data in a file. A variation of transport keys are also used to rewrap a key from one key-encrypting key to another key-encrypting key.

Key-encrypting keys are always generated in pairs. Both keys have the same clear key value, but have a different encrypted key value due to the control vector or the associated data.
Exporter key-encrypting key
An exporter key-encrypting key protects keys that are sent from your system to another system. The exporter key at the originator has the same clear value as the importer key at the receiver. An exporter key is paired with an importer key-encrypting key.

DES OKEYXLAT keys must be used when rewrapping a key under a transport key. The AES EXPORTER must have the TRANSLAT key usage enabled when rewrapping a key.

Importer key-encrypting key
An importer key-encrypting key protects keys that are sent from another system to your system. It also protects keys that you store externally in a file that you can import to your system later. The importer key at the receiver has the same clear value as the exporter key at the originator. An importer key is paired with an exporter key-encrypting key.

DES IKEYXLAT keys must be used when rewrapping a key under a transport key. The AES IMPORTER must have the TRANSLAT key usage enabled when rewrapping a key.

Table 1. Keys for the DES key-encrypting key
DES keys Callable services
Key-encrypting key class:
  • These keys are used to wrap other keys.
  • The keys are double-length keys.
EXPORTER Control Vector Translate, Data Key Export, ECC Diffie-Hellman, Key Export, Key Generate, Key Test2, Key Test Extended, Key Translate, Key Translate2, PKA Key Generate, PKA Key Translate, Prohibit Export Extended, Remote Key Export, Secure Messaging for Keys, Symmetric Key Generate, TR-31 Export, TR-31 Import, Unique Key Derive
IMPORTER Control Vector Translate, Data Key Import, ECC Diffie-Hellman, Key Generate, Key Import, Key Test2, Key Test Extended, Key Translate, Key Translate2, Multiple Secure Key Import, PKA Key Generate, PKA Key Import, PKA Key Translate, Prohibit Export Extended, Remote Key Export, Restrict Key Attribute, Secure Key Import, Secure Messaging for Keys, Symmetric Key Generate, TR-31 Export, TR-31 Import
IMP-PKA PKA Key Import, Remote Key Export, Trusted Block Create
IKEYXLAT, OKEYXLAT Control Vector Translate, Key Translate, Key Translate2, TR-31 Export,TR-31 Import
Table 2. Keys for the AES key-encrypting key
AES keys Callable services
Key-encrypting key class:
  • These keys are used to wrap other keys.
  • The keys can be 128, 192, or 256 bits in length.
EXPORTER ECC Diffie-Hellman, Key Generate2, Key Test2, Key Translate2, PKA Key Generate, PKA Key Translate, Symmetric Key Export
IMPORTER ECC Diffie-Hellman, Key Generate2, Key Test2, Key Translate2, PKA Key Generate, PKA Key Import, PKA Key Translate, Restrict Key Attribute, Secure Key Import2, Symmetric Key Import2
Availability notes: AES key-encrypting class keys require z114, z196, or later systems with a CEX3C or later coprocessor with the September 2011 or later licensed internal code.
Parent topic: Symmetric keys