Loading and setting save/restore master key

The save/restore master key is a special-purpose master key used to encrypt all the other master keys when you save them in a Save System (SAVSYS) operation. The save/restore master key itself is not saved. Because the save/restore master key has a default value, you should set it to another value for optimum security.

The save/restore master key has only two versions: new and current.

Note: Because the save/restore master key is not included in the Save System operation, it is recommended that you write down the passphrases for the save/restore master key and store them securely.

You should set the save/restore master key before performing the SAVSYS operation. To set the save/restore master key, you must first load master key parts and then set the save/restore master key.

You can load as many master key parts as you want for the save/restore master key. Setting the save/restore master key causes the new save/restore master key version to move to the current save/restore master key version. After the save/restore master key has been set, you should perform the SAVSYS operation to save the master keys on the save media.

To load a save/restore master key from the IBM® Navigator for i interface, follow these steps:

  1. Select Security from your IBM Navigator for i window.
  2. Select Cryptographic Services Key Management.
  3. Select Manage Master Keys.
  4. Select the Save/restore master key.
  5. Select Load Part from the Select Actions menu.
  6. Specify the Passphrase and click OK.

If you prefer to write your own application to load the save/restore master key, you can do so by using the Load Master Key Part (QC3LDMKP; Qc3LoadMasterKeyPart) API.

You can also use the Add Master Key Part (ADDMSTPART) CL command to load a master key part for the save/restore master key.

To set the save/restore master key, select the Save/restore master key and then from the Select Actions menu, select Set.

If you prefer to write your own application to set the save/restore master key, you can do so by using the Set Master Key (QC3SETMK; Qc3SetMasterKey) API.

You can also use the Set Master Key (SETMSTKEY) CL command to set the save/restore master key that has parts already added.

You cannot use Option 5, Save Licensed Internal Code, from the IPL or Install the System menu to save the master key. You must use the SAVSYS operation. You should also perform a SAVSYS operation whenever you load and set any of the master keys.
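
The load, set, and save sequence described above, using the CL commands named on this page. This is an added example, not part of the original documentation; the passphrase values and the tape device name TAP01 are placeholders, and the use of two parts held by different people is an assumption about how the passphrases are split.

```cl
/* Added example: passphrases and device name are placeholders.      */
/* Load two key parts into the NEW version of the save/restore       */
/* master key. Each part can be entered by a different custodian.    */
ADDMSTPART MSTKEY(*SAVRST) PASSPHRASE('<part 1 passphrase>')
ADDMSTPART MSTKEY(*SAVRST) PASSPHRASE('<part 2 passphrase>')

/* Set the key: the NEW version moves to the CURRENT version,        */
/* replacing the default value.                                      */
SETMSTKEY MSTKEY(*SAVRST)

/* Save the master keys to media, encrypted under the save/restore   */
/* master key that was just set.                                     */
SAVSYS DEV(TAP01)
```

Entering the ADDMSTPART commands interactively, rather than from a stored CL source member, keeps the passphrases out of source files.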