Managing master keys

Master keys are used to encrypt other keys. You can load, set, and test master keys. You can clear a master key only after you have set it.

Cryptographic Services allows you to set up eight general-purpose master keys and two-special purpose master keys that cannot be directly modified or accessed by the user (including the security officer). The two special purpose master keys are the Save/Restore master key used for encrypting the master keys while on SAVSYS media and the auxiliary storage pool (ASP) master key used for ASP encryption. Cryptographic Services master keys are 256-bit AES keys that are securely stored within the IBM i Licensed Internal Code (LIC).

Master keys are used to encrypt other keys. If a master key is lost, all keys encrypted under that master key, and consequently all data encrypted under those keys, are lost. It is important you backup the master keys both by saving the passphrases, and by using a SAVSYS operation. To protect the master keys while on the save media, they are encrypted with the save/restore master key.

Note: You should use Transport Layer Security (TLS) to reduce the risk of exposing key values while performing key management functions.
Each master key is composed of four 32-byte values, called versions. The versions are new, current, old, and pending.
  • The new master key version contains the value of the master key while it is being loaded.
  • The current master key version contains the active master key value. This is the value that will be used when a master key is specified on a cryptographic operation (unless specifically stated otherwise).
  • The old master key version contains the previous current master key version. It is used to prevent the loss of data and keys when the master key is changed.
  • The pending master key version holds a master key value that has been restored to the system but cannot be correctly decrypted.

Each version of a master key has a key verification value (KVV). The KVV is a 20-byte hash of the key value. It is used to determine if a master key has changed, or what version of a master key was used in an encryption operation.

The following describes master key operations. All master key operations will create a CY (Cryptographic Configuration) audit record.