Key forms
A key that is protected under the master key is in operational form, which means the coprocessor can use it in cryptographic functions on the system.
When you store a key with a file or send it to another system, the key is enciphered under a transport key rather than the master key. The transport key is a key shared by your system and another system for the purpose of securely exchanging other keys. When CCA enciphers a key under a transport key, the key is not in operational form and cannot be used to perform cryptographic functions.
When a key is enciphered under a transport key, the sending system considers the key in exportable form. The receiving system considers the key in importable form. When a key is re-enciphered from under a transport key to under a system's master key, it is in operational form again.
- Operational key form is used at the local system. Many verbs can use an operational key form. The Key Generate, Key Import, Data Key Import, Clear Key Import, and Multiple Clear Key Import verbs can create an operational key form.
- Exportable key form is transported to another cryptographic system. It can be passed only to another system. The CCA verbs cannot use it for cryptographic functions. The Key Generate, Data Key Export, and Key Export verbs produce the exportable key form.
- Importable key form can be transformed into operational form on the local system. The Key Import verb (CSNBKIM) and the Data Key Import verb (CSNBDKM) can use an importable key form. Only the Key Generate verb (CSNBKGN) can create an importable key form.
For more information about the key types, see Functions of the AES, DES, and HMAC cryptographic keys. See Key forms and types used in the Key Generate verb for more information about key form.
Symmetric key (DES, AES) flow
The conversion from one key to another key is considered to be a one-way flow. An operational key form cannot be turned back into an importable key form. An exportable key form cannot be turned back into an operational or importable key form. The flow of CCA key forms can be in only one direction:
IMPORTABLE → OPERATIONAL → EXPORTABLE
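The three key forms and the one-way flow above, modelled as an added example that is not IBM's code: two systems share a transport key, system A generates an operational key, exports it, and system B imports it and uses it, while the verbs refuse a token in the wrong form. CryptoSystem, Token, _xor_wrap and the MAC verb are this simulation's own names, and the toy wrap and the relabelling of a received exportable token as importable are assumptions of the model.

```python
import hashlib, hmac, os
from collections import namedtuple

OPERATIONAL, IMPORTABLE, EXPORTABLE = "operational", "importable", "exportable"
# form: the key form; wrapped: the key under the master key (operational) or transport key
Token = namedtuple("Token", "form wrapped")

def _xor_wrap(kek: bytes, key: bytes) -> bytes:
    # Toy wrap constructed for this model (real CCA wrapping differs): XOR with an
    # HMAC-derived stream. It is an involution, so the same call also unwraps.
    stream = hmac.new(kek, b"keywrap", hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(key, stream))

def _require(token: Token, form: str, verb: str) -> None:
    if token.form != form:  # every verb checks the key form before touching the token
        raise ValueError(f"{verb} cannot use a key in {token.form} form")

class CryptoSystem:
    def __init__(self, transport_key: bytes):
        self.master_key = os.urandom(32)    # local master key; never leaves this system
        self.transport_key = transport_key  # shared with the peer system
    def key_generate(self, form: str = OPERATIONAL) -> Token:
        kek = self.master_key if form == OPERATIONAL else self.transport_key
        return Token(form, _xor_wrap(kek, os.urandom(16)))
    def key_import(self, token: Token) -> Token:   # importable -> operational
        _require(token, IMPORTABLE, "Key Import")
        clear = _xor_wrap(self.transport_key, token.wrapped)
        return Token(OPERATIONAL, _xor_wrap(self.master_key, clear))
    def key_export(self, token: Token) -> Token:   # operational -> exportable
        _require(token, OPERATIONAL, "Key Export")
        clear = _xor_wrap(self.master_key, token.wrapped)
        return Token(EXPORTABLE, _xor_wrap(self.transport_key, clear))
    def receive(self, token: Token) -> Token:      # peer's exportable form is importable here
        _require(token, EXPORTABLE, "Transport")
        return Token(IMPORTABLE, token.wrapped)    # same bytes, the receiver's view
    def mac(self, token: Token, data: bytes) -> bytes:  # stands in for any verb using the key
        _require(token, OPERATIONAL, "MAC Generate")
        return hmac.new(_xor_wrap(self.master_key, token.wrapped), data, hashlib.sha256).digest()

def _allowed(action) -> bool:  # True when the verb accepts the token it is given
    try: action(); return True
    except ValueError: return False

def exchange_demo() -> dict:
    kek = os.urandom(32)                        # transport key shared by systems A and B
    a, b = CryptoSystem(kek), CryptoSystem(kek)
    op_a = a.key_generate()                     # operational on A
    imp_b = b.receive(a.key_export(op_a))       # exportable on A, importable on B
    op_b = b.key_import(imp_b)                  # operational on B
    return {"same_key": a.mac(op_a, b"msg") == b.mac(op_b, b"msg"),              # True
            "importable_usable": _allowed(lambda: b.mac(imp_b, b"msg")),         # False
            "reverse_flow": _allowed(lambda: a.key_import(a.key_export(op_a)))}  # False
```

The last two entries show the one-way flow: B cannot use the key until Key Import has placed it under B's master key, and A cannot turn its own exportable token back into operational form.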