You might need to replace a cryptographic coprocessor without also changing the current master key (for example, when you want to upgrade to a new coprocessor model long before your security policies require a master key change).
About this task
With only a few differences, this is the same scenario as documented in Sharing master keys across cryptographic coprocessors. The new cryptographic coprocessor is, in effect, one more of the coprocessors that share the same master key.

Important: Save the master key parts on one or more smart cards, because this facilitates the key management in many scenarios. If the master key is lost, there is no way to decrypt the data.
Procedure
- Set the current master key from the old cryptographic coprocessor on the new coprocessor so that both coprocessors have the same master key.
- Start to use the new cryptographic coprocessor when working with your associated volumes.
  If you are using a secure key stored in the secure key repository, and the secure key is associated with one or multiple APQNs, you should update the association using the zkey change command with the --apqns option. For details, see Changing AES secure keys.
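A pre-check for the procedure above, as an added example that is not part of the original documentation: it compares the current AES master key verification pattern (MKVP) of the old and the new coprocessor and only prints the zkey change command when both match. Assumptions: the three-line register text follows the layout of the Linux AP queue sysfs attribute mkvps, and the key name, the APQN and all MKVP values are constructed samples.

```shell
#!/bin/sh
# Print the current AES master key verification pattern (MKVP) from
# mkvps-style text on stdin. Prints nothing unless the register is "valid".
cur_aes_mkvp() {
    awk '$1 == "AES" && $2 == "CUR:" && $3 == "valid" { print $4; exit }'
}

# Succeed only if both texts carry a valid and identical current AES MKVP.
# $1 = mkvps text of the old coprocessor, $2 = mkvps text of the new one.
same_master_key() {
    old=$(printf '%s\n' "$1" | cur_aes_mkvp)
    new=$(printf '%s\n' "$2" | cur_aes_mkvp)
    [ -n "$old" ] && [ "$old" = "$new" ]
}

# Print the re-association command only when the master keys match.
# $1 = secure key name, $2 = new APQN (card.domain),
# $3 = old mkvps text, $4 = new mkvps text.
plan_reassociation() {
    if same_master_key "$3" "$4"; then
        echo "zkey change --name $1 --apqns $2"
    else
        echo "refused: current AES master key on $2 is missing or differs" >&2
        return 1
    fi
}

# Constructed sample register contents (not taken from a real system).
OLD_MKVPS='AES NEW: empty 0x0000000000000000
AES CUR: valid 0x1111111111111111
AES OLD: empty 0x0000000000000000'
NEW_OK_MKVPS='AES NEW: empty 0x0000000000000000
AES CUR: valid 0x1111111111111111
AES OLD: empty 0x0000000000000000'
NEW_EMPTY_MKVPS='AES NEW: valid 0x1111111111111111
AES CUR: empty 0x0000000000000000
AES OLD: empty 0x0000000000000000'

# On a live system the texts would be read from sysfs instead, for example
# "$(cat /sys/bus/ap/devices/<card>.<domain>/mkvps)" (path is an assumption).
plan_reassociation mykey 04.0004 "$OLD_MKVPS" "$NEW_OK_MKVPS"
plan_reassociation mykey 04.0004 "$OLD_MKVPS" "$NEW_EMPTY_MKVPS" || true
```

The second call is refused because the master key is loaded into the NEW register of the constructed sample but has not been set as the current key, which is the state in which a secure key could not yet be used on that coprocessor.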