Master key management

After you install IBM Security Guardium Key Lifecycle Manager, an AES 256-bit master key is generated by default in the server. This system-level master key protects key materials that are stored in the database. You can further enhance security by creating a master key for each device group.

Master key

The master key resides in the master key store, which can be one of the following systems:

You can create a new master key and refresh the system-generated one. You can also move a master key from the Java™ keystore to a Hardware Security Module (HSM) or to IBM Enterprise Key Management Foundation Web (EKMF Web), and vice versa.

Use the Master Key REST Service to manage master key operations. Modifying the master key outside IBM Security Guardium Key Lifecycle Manager can cause unrecoverable data loss.

Device group master key

To enhance data security, IBM Security Guardium Key Lifecycle Manager supports master keys for device groups. The device group master key encrypts the cryptographic objects, such as keys and certificates, of a device group, and the master key in turn encrypts the device group master key. This provides two-layered key wrapping.

You can enable a master key for a device group by using the REST interface. For more information, see Enable or Disable Master Key for Device Group REST Service.

You can refresh the device group master key. For more information, see Refresh Master Key for Device Group REST Service.
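As an added illustration (not IBM's code), the two-layered wrapping described above modelled in Go, with AES-256-GCM standing in for the product's own wrapping scheme; `aead`, `wrap`, `unwrap` and `RefreshMK` are hypothetical names. It shows that a refresh of the system master key only re-wraps the device group master keys, so the objects underneath stay as they are.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// Hypothetical model (not the product's code) of the two layers above: the system master
// key (mk) wraps each device group master key (dgmk), and a dgmk wraps that group's keys
// and certificates. AES-256-GCM stands in for the product's own wrapping scheme.
func aead(kek []byte) cipher.AEAD {
	block, err := aes.NewCipher(kek)
	if err != nil {
		panic(err) // every kek in this model is a 32-byte AES-256 key
	}
	g, _ := cipher.NewGCM(block)
	return g
}

// wrap returns nonce || ciphertext || tag; unwrap rejects a wrong kek or an altered blob.
func wrap(kek, plain []byte) []byte {
	g := aead(kek)
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		panic(err)
	}
	return g.Seal(nonce, nonce, plain, nil)
}

func unwrap(kek, blob []byte) ([]byte, error) {
	g := aead(kek)
	if len(blob) < g.NonceSize() {
		return nil, errors.New("wrapped blob too short")
	}
	return g.Open(nil, blob[:g.NonceSize()], blob[g.NonceSize():], nil)
}

// RefreshMK rotates the system master key by re-wrapping each dgmk; objects under the dgmks are untouched.
func RefreshMK(oldMK, newMK []byte, wrappedDGMKs [][]byte) ([][]byte, error) {
	out := make([][]byte, 0, len(wrappedDGMKs))
	for _, w := range wrappedDGMKs {
		dgmk, err := unwrap(oldMK, w)
		if err != nil {
			return nil, err // oldMK is not the key these dgmks were wrapped with
		}
		out = append(out, wrap(newMK, dgmk))
	}
	return out, nil
}
```

Opening an object is the same chain in reverse: unwrap the dgmk under mk, then unwrap the object under the dgmk, and a master key changed outside the product fails at the first step.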