Changing the master key

Changing a master key requires reenciphering all secure keys that are enciphered with it. This includes all secure keys in the secure key repository, but also secure keys used by the plug-in, such as the identity key.

About this task

For EKMF Web: EKMF Web supports CCA master keys. In the following, only CCA applies to EKMF Web.

For KMIP: KMIP key-management systems support both CCA and EP11 master keys.

A new CCA or EP11 master key is set on the cryptographic coprocessor that the AP queues of your Linux instance use. See also the zkey man page.

When a master key is changed, you must reencipher all secure keys in the secure key repository that are associated with the AP queues for which you changed the master key. For identity keys and other KMS plug-in keys, you must use the zkey kms reencipher command. For keys used to encrypt volumes, you can also use the zkey kms refresh command.

Procedure

  1. Load the new master key into the NEW register using the TKE.
  2. Reencipher the identity keys and other KMS plug-in keys of the KMS plug-in.
    Reencipher with the --staged option. For example, to reencipher an identity key and other KMS plug-in keys with the master key in the NEW register, issue:
    # zkey kms reencipher --to-new --staged
  3. Reencipher the keys in the secure key repository.
    For example, to reencipher keys that use the AP queues 08.002f, and 09.002f, issue:
    # zkey reencipher --apqns 08.002f,09.002f --to-new --staged
  4. On the TKE, make the new master key the active key by moving it into the CURRENT register.
  5. Complete the reenciphering of the identity key.
    # zkey kms reencipher --complete
  6. Complete the reenciphering of the keys in the secure key repository and the KMS keys.
    # zkey reencipher --apqns 08.002f,09.002f --complete
    Alternatively, use zkey kms refresh. The refresh command reimports the key from the KMS using the current master key. You can use the refresh command to reimport keys even if the master keys were already changed.
    Note: The refresh command does not reencipher local keys.
  7. You must also re-encipher any secure AES volume keys when the AES master key changes. Use the zkey-cryptsetup command to do this.
    For details about the zkey-cryptsetup command, see the command reference in Pervasive Encryption for Data Volumes, SC34-2782.

    To re-encipher the secure key of the encrypted volume /dev/mapper/disk1 in staged mode and complete it later:

    # zkey-cryptsetup reencipher /dev/mapper/disk1 --staged

    Enter passphrase for '/dev/mapper/disk1': disk1pw
    The secure volume key of device '/dev/mapper/disk1' is enciphered with the
    CURRENT master key and is being re-enciphered with the NEW master key.
    Staged re-enciphering is initiated for device '/dev/mapper/disk1'. After the NEW
    master key has been set to become the CURRENT master key, run 'zkey-cryptsetup
    reencipher' with option '--complete' to complete the re-enciphering process.

    # zkey-cryptsetup reencipher /dev/mapper/disk1 --complete
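The two command phases of this procedure as an added POSIX shell helper; this is example code written for this page, not part of the IBM documentation or the zkey package. It assumes zkey and zkey-cryptsetup are on the PATH (overridable through the hypothetical ZKEY and ZKEY_CRYPTSETUP variables), validates the APQN list before touching any key, and leaves the TKE steps (loading NEW, moving NEW to CURRENT) to the operator between the two phases.

```shell
#!/bin/sh
# Helper for the staged master-key change (example code, not from IBM).
# ZKEY and ZKEY_CRYPTSETUP are assumed override hooks, useful for testing.
ZKEY="${ZKEY:-zkey}"
ZKEY_CRYPTSETUP="${ZKEY_CRYPTSETUP:-zkey-cryptsetup}"

# Every entry of the comma-separated list must have the card.domain form
# that zkey --apqns expects (two hex digits, a dot, four hex digits).
apqns_valid() {
    [ -n "$1" ] || return 1
    ! printf '%s\n' "$1" | tr ',' '\n' | grep -Evq '^[0-9a-fA-F]{2}\.[0-9a-fA-F]{4}$'
}

# Phase 1 (steps 2, 3 and the staged part of 7): run after the NEW register
# has been loaded on the TKE. Extra arguments are encrypted volumes.
# zkey-cryptsetup prompts for each volume passphrase, as shown above.
stage_reencipher() {
    apqns=$1; shift
    apqns_valid "$apqns" || { echo "invalid APQN list: $apqns" >&2; return 2; }
    "$ZKEY" kms reencipher --to-new --staged || return $?
    "$ZKEY" reencipher --apqns "$apqns" --to-new --staged || return $?
    for vol in "$@"; do
        "$ZKEY_CRYPTSETUP" reencipher "$vol" --staged || return $?
    done
}

# Phase 2 (steps 5, 6 and the rest of 7): run only after the TKE has moved
# the NEW master key into the CURRENT register. Same argument layout.
complete_reencipher() {
    apqns=$1; shift
    apqns_valid "$apqns" || { echo "invalid APQN list: $apqns" >&2; return 2; }
    "$ZKEY" kms reencipher --complete || return $?
    "$ZKEY" reencipher --apqns "$apqns" --complete || return $?
    for vol in "$@"; do
        "$ZKEY_CRYPTSETUP" reencipher "$vol" --complete || return $?
    done
}
```

Each zkey call is checked, so a failure in the plug-in keys (step 2) stops the script before the repository keys are touched; rerun the same phase after fixing the cause.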