Master key management
After you install IBM Security Guardium Key Lifecycle Manager, an AES 256-bit master key is generated by default in the server. This system-level master key protects the key material that is stored in the database. You can further enhance security by creating a master key for each device group.
Master key
The master key can be stored in one of the following key stores:
- Java Cryptography Extension Keystore (JCEKS): This is the default master key store.
- Hardware Security Module (HSM): You must configure an HSM to store the master key. For more information, see Integrating HSM with IBM Security Guardium Key Lifecycle Manager.
- IBM Enterprise Key Management Foundation Web (EKMF Web): You must configure EKMF Web to store the master key. For more information, see IBM Enterprise Key Management Foundation Web usage in IBM Security Guardium Key Lifecycle Manager.
You can create a new master key and refresh the system-generated one. You can also move a master key from the Java™ keystore to Hardware Security Module (HSM), or IBM Enterprise Key Management Foundation Web (EKMF Web) and vice versa.
Use the Master Key REST Service to manage master key operations. Modifying the master key outside IBM Security Guardium Key Lifecycle Manager can cause unrecoverable data loss.
Device group master key
To enhance data security, IBM Security Guardium Key Lifecycle Manager supports master keys for device groups. The device group master key encrypts the cryptographic objects, such as keys and certificates, of a device group. The system-level master key in turn encrypts this device group master key, which provides two layers of key wrapping.
You can enable a master key for a device group by using the REST interface. For more information, see Enable or Disable Master Key for Device Group REST Service.
You can refresh the device group master key. For more information, see Refresh Master Key for Device Group REST Service.
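The two-layer wrapping and the two refresh operations described above (refreshing the system master key, and refreshing one device group's master key) can be seen in a small simulation. The following is an added example written for this page; it is not IBM Security Guardium Key Lifecycle Manager code and does not reproduce its REST services, storage format or wrap algorithm. The `KeyStore` class, the group names, and the `wrap`/`unwrap` primitive (a stdlib-only encrypt-then-MAC construction, standing in for AES key wrap so the example runs without third-party packages) are all assumptions made for illustration. What the example shows is the scope of each refresh: rotating the system master key re-wraps only the device group master keys, rotating a device group master key re-wraps only that group's objects, and overwriting the master key outside the key manager leaves every wrapped key unrecoverable.

```python
"""Illustrative two-layer key wrapping hierarchy (constructed example, not GKLM code).

master key  ->  wraps device group master key (DGMK)  ->  wraps device key material
"""
import hashlib
import hmac
import secrets

KEY_LEN = 32  # 256-bit keys, matching the AES 256-bit master key on the page
NONCE_LEN = 16
TAG_LEN = 32


def _subkeys(kek: bytes):
    # Domain-separate an encryption key and a MAC key from one key-encryption key.
    enc = hmac.new(kek, b"enc", hashlib.sha256).digest()
    mac = hmac.new(kek, b"mac", hashlib.sha256).digest()
    return enc, mac


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode; a stand-in for a real cipher, not a recommendation.
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def wrap(kek: bytes, plaintext_key: bytes) -> bytes:
    """Wrap key material under kek. Returns nonce || ciphertext || tag."""
    enc, mac = _subkeys(kek)
    nonce = secrets.token_bytes(NONCE_LEN)
    ks = _keystream(enc, nonce, len(plaintext_key))
    ct = bytes(a ^ b for a, b in zip(plaintext_key, ks))
    tag = hmac.new(mac, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unwrap(kek: bytes, blob: bytes) -> bytes:
    """Unwrap; raises ValueError if kek is wrong or the blob was tampered with."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("wrapped blob too short")
    enc, mac = _subkeys(kek)
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed: wrong key-encryption key or tampered blob")
    ks = _keystream(enc, nonce, len(ct))
    return bytes(a ^ b for a, b in zip(ct, ks))


class KeyStore:
    """Hypothetical key database. Only wrapped blobs are 'persisted'; master_key
    stands in for the JCEKS / HSM / EKMF Web slot that holds the system master key."""

    def __init__(self):
        self.master_key = secrets.token_bytes(KEY_LEN)  # system-level master key
        self.group_mk_wrapped = {}      # group -> DGMK wrapped under master key
        self.device_keys_wrapped = {}   # group -> {name: key wrapped under DGMK}

    def create_device_group(self, group: str) -> None:
        dgmk = secrets.token_bytes(KEY_LEN)
        self.group_mk_wrapped[group] = wrap(self.master_key, dgmk)
        self.device_keys_wrapped[group] = {}

    def _group_mk(self, group: str) -> bytes:
        return unwrap(self.master_key, self.group_mk_wrapped[group])

    def add_device_key(self, group: str, name: str, key_material: bytes) -> None:
        self.device_keys_wrapped[group][name] = wrap(self._group_mk(group), key_material)

    def get_device_key(self, group: str, name: str) -> bytes:
        return unwrap(self._group_mk(group), self.device_keys_wrapped[group][name])

    def refresh_master_key(self) -> int:
        """Rotate the system master key: re-wrap each DGMK, leave device keys untouched."""
        new_mk = secrets.token_bytes(KEY_LEN)
        for group, blob in list(self.group_mk_wrapped.items()):
            self.group_mk_wrapped[group] = wrap(new_mk, unwrap(self.master_key, blob))
        self.master_key = new_mk
        return len(self.group_mk_wrapped)  # number of objects re-wrapped

    def refresh_group_master_key(self, group: str) -> int:
        """Rotate one group's DGMK: re-wrap only that group's objects."""
        old, new = self._group_mk(group), secrets.token_bytes(KEY_LEN)
        objs = self.device_keys_wrapped[group]
        for name, blob in list(objs.items()):
            objs[name] = wrap(new, unwrap(old, blob))
        self.group_mk_wrapped[group] = wrap(self.master_key, new)
        return len(objs)


if __name__ == "__main__":
    ks = KeyStore()
    ks.create_device_group("group-a")
    ks.add_device_key("group-a", "tape-key-1", b"\x11" * KEY_LEN)
    ks.refresh_master_key()
    print("recovered after master key refresh:", ks.get_device_key("group-a", "tape-key-1").hex())
```

Because the device keys never leave their DGMK wrapping during a master key refresh, the cost of rotating the system master key is proportional to the number of device groups, not the number of keys and certificates; rotating a DGMK touches only its own group. The final caveat on the page follows directly from the structure: if `master_key` is replaced without the re-wrap step (for example, by editing the keystore outside the key manager), every `unwrap` under it fails and the wrapped material is unrecoverable.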