Creating and storing primary DES KEKs

Key encrypting keys (KEKs) are encrypted under the Data Encryption Standard (DES) master key and stored in DES key storage for local use.

Key parts used to create a KEK can be randomly generated or entered as clear text information. The parts can also be saved to disk or diskette in clear text for transporting to other nodes or for re-creating the local KEK.

Note: The Cryptographic Node Management (CNM) utility supports only DES KEKs for the transport of keys between nodes. Applications can use the CCA API to furnish the services needed for public-key-based or Advanced Encryption Standard (AES)-based key distribution.

To create and store a primary DES KEK (or other double-length operational key), complete the following steps:
  1. From the Keys menu, click Primary DES Key-encrypting keys. The Primary DES Key-encrypting keys window is displayed.

    At any time, you can click New to clear all data fields and reset all the radio buttons to their default settings.

  2. Select the radio button for the desired key part to be entered: First Part, Middle Part, or Last Part.
  3. Enter data in the Key Part fields by doing one of the following actions:
    • Click Open to retrieve pre-existing Key Part, Control Vector, and Key Label data that was previously stored on disk by using the Save command.
    • Click Generate to fill the Key Part fields with coprocessor generated random numbers.
    • Manually enter data into the Key Part fields. Each of the Key Part fields accepts 4 hexadecimal digits.
  4. Select a control vector for the key:
    • To use a default KEK control vector, select the appropriate Default Importer or Default Exporter radio button.
    • To use a custom control vector, select the Custom radio button. In the Control Vector fields, enter the left or right half of a control vector for any double-length key. Note that the key part bit (bit 44) must be on and that each byte of the control vector must have even parity.

      For detailed information about control vectors, see the IBM CCA Basic Services Reference and Guide for the IBM® 4765 PCIe and 4764 PCI-X Cryptographic Coprocessors.

  5. Enter a key label to identify the key token in key storage.
  6. Click Load to load the key part into the coprocessor and store the resulting key token into key storage.
  7. Click Save to save the unencrypted key part and its associated control vector and key label values to disk.
  8. Repeat steps 2 - 7 to Save to disk or Load to key storage the remaining key parts. Be sure to use the same key label for each part of a single key.
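As an added example (not code from the CNM utility or this documentation), the following Python applies the two rules step 4 states for a custom control vector half, and the step 8 rule that every part of one key carries the same key label. It assumes the CCA convention that control vector bits are numbered 0 to 63 from the most significant bit (so bit 44 is mask 0x08 of byte 5), that CCA combines clear key parts by XOR (not stated on this page), and all sample values and the label `KEK.TO.NODE2` are constructed.

```python
# Added example: checks from step 4 (key part bit 44 on, even parity per
# byte) for one control-vector half, and the step 8 rule that all parts of
# a key share one label. Not the CNM utility's own code.
#
# Assumptions: CV bits are numbered 0-63 from the most significant bit of
# the half (CCA convention), so bit 44 is mask 0x08 of byte 5; CCA combines
# clear key parts by XOR; every sample value below is constructed.

KEY_PART_BIT = 44          # the key-part bit named in step 4
CV_HALF_HEX_LEN = 16       # one half of a double-length CV is 8 bytes
KEY_PART_HEX_LEN = 32      # eight 4-hex-digit Key Part fields per double-length key

def check_cv_half(cv_hex: str) -> list[str]:
    """Return the rule violations for one control-vector half ([] means acceptable)."""
    try:
        cv = bytes.fromhex(cv_hex)
    except ValueError:
        return ["control vector half is not hexadecimal"]
    if len(cv) * 2 != CV_HALF_HEX_LEN:
        return [f"control vector half must be {CV_HALF_HEX_LEN} hex digits"]
    problems = []
    byte_idx, bit_in_byte = divmod(KEY_PART_BIT, 8)   # bit 44 -> byte 5, mask 0x08
    if not cv[byte_idx] & (0x80 >> bit_in_byte):
        problems.append(f"key part bit {KEY_PART_BIT} is off")
    for i, b in enumerate(cv):
        if bin(b).count("1") % 2:                      # odd number of one bits
            problems.append(f"byte {i} (0x{b:02x}) has odd parity")
    return problems

def combine_key_parts(parts: list[tuple[str, str]]) -> tuple[str, str]:
    """XOR the clear key parts saved under one label into the final clear key.

    Each entry is (key label, 32-hex-digit key part). Raises ValueError when
    the labels differ, which is the mistake step 8 warns about.
    """
    labels = {label for label, _ in parts}
    if len(labels) != 1:
        raise ValueError(f"key parts carry different labels: {sorted(labels)}")
    key = bytes(KEY_PART_HEX_LEN // 2)
    for _, part_hex in parts:
        part = bytes.fromhex(part_hex)
        if len(part) * 2 != KEY_PART_HEX_LEN:
            raise ValueError("each key part must be 32 hex digits")
        key = bytes(a ^ b for a, b in zip(key, part))
    return labels.pop(), key.hex().upper()

if __name__ == "__main__":
    print(check_cv_half("00427D0003480000"))  # [] : bit 44 on, every byte even parity
    print(check_cv_half("00427D0003410000"))  # ['key part bit 44 is off']
    print(check_cv_half("00427D0003490000"))  # ['byte 5 (0x49) has odd parity']
    print(combine_key_parts([("KEK.TO.NODE2", "0123456789ABCDEF" * 2),
                             ("KEK.TO.NODE2", "1111111111111111" * 2)]))
```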