Key storage on z/OS (RTNMK-focused)
Design point - Keys are re-enciphered from the current master key to the master key held in the NMK register, before that master key is SET.
This forces the following process to be followed when changing the master key:
- Load all the key parts for the NMK, so that the LAST key part has been loaded but the SET command has not yet been issued. The NMK register is now in the FULL state.
- Re-encipher all of an existing key storage (for example the CKDS; the PKDS for PKA keys) into a copy of that key storage that is not online, using the RTNMK rule array keyword of Key Token Change (CSNBKTC) for AES or DES keys, or of PKA Key Token Change (CSNDKTC) for PKA keys. This creates CKDS-pending. Keys in this copy are enciphered under the master key in the NMK register, so they are not usable for normal cryptographic operations until that master key is SET.
- Invoke the SET command for the NMK. See SET command. SET shifts the registers: the CMK becomes the OMK and the NMK becomes the CMK. The keys in the current CKDS are now enciphered under the OMK and remain usable; the keys in CKDS-pending are also usable, because the NMK has become the CMK.
- Delete the old CKDS and make CKDS-pending the active CKDS, completing the process.
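The sequence above is easiest to follow by watching which key storage is usable at each step. The following is an added model of the master-key register behaviour, not ICSF code and not the CCA token format: the register names (NMK, CMK, OMK), the EMPTY / PART FULL / FULL states and the RTNMK and SET semantics follow the text, while the wrapping primitive (a SHA-256 keystream with an HMAC tag), the class and function names, and the sample key material are constructed stand-ins. It reproduces the two facts the procedure depends on: RTNMK output is unusable before SET, and after SET both the old CKDS (now under the OMK) and CKDS-pending (now under the CMK) are usable.

```python
"""Model of the NMK/CMK/OMK registers and the RTNMK master-key change.

Added illustration; the wrap/unwrap below is a toy stand-in for the
coprocessor's master-key wrapping, not the real CCA key token format.
"""
import hashlib
import hmac
import os

EMPTY, PART_FULL, FULL = "EMPTY", "PART FULL", "FULL"


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _keystream(mk: bytes, nonce: bytes, length: int) -> bytes:
    # Toy counter-mode keystream derived from the master key (model only).
    out, ctr = b"", 0
    while len(out) < length:
        out += hashlib.sha256(mk + nonce + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:length]


def wrap(mk: bytes, clear_key: bytes) -> bytes:
    """Encipher a clear key under master key mk; token = nonce||ct||tag."""
    nonce = os.urandom(16)
    ct = _xor(clear_key, _keystream(mk, nonce, len(clear_key)))
    tag = hmac.new(mk, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unwrap(mk: bytes, token: bytes) -> bytes:
    """Recover the clear key; fails if the token is not under mk."""
    nonce, ct, tag = token[:16], token[16:-32], token[-32:]
    expect = hmac.new(mk, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expect):
        raise ValueError("token not enciphered under this master key")
    return _xor(ct, _keystream(mk, nonce, len(ct)))


class MasterKeyRegister:
    """NMK register: EMPTY -> PART FULL -> FULL as key parts are XORed in."""

    def __init__(self):
        self.value, self.state = None, EMPTY

    def load_part(self, part: bytes, last: bool = False) -> None:
        if self.state == FULL:
            raise RuntimeError("NMK register is already FULL; SET it first")
        self.value = part if self.value is None else _xor(self.value, part)
        self.state = FULL if last else PART_FULL

    def clear(self) -> None:
        self.value, self.state = None, EMPTY


class Coprocessor:
    def __init__(self):
        self.nmk, self.cmk, self.omk = MasterKeyRegister(), None, None

    def set_command(self) -> None:
        """SET: CMK -> OMK, NMK -> CMK, NMK register cleared."""
        if self.nmk.state != FULL:
            raise RuntimeError("SET requires the NMK register to be FULL")
        self.omk, self.cmk = self.cmk, self.nmk.value
        self.nmk.clear()

    def rtnmk(self, token: bytes) -> bytes:
        """RTNMK: re-encipher a token from the CMK to the FULL NMK register."""
        if self.nmk.state != FULL:
            raise RuntimeError("RTNMK requires the NMK register to be FULL")
        return wrap(self.nmk.value, unwrap(self.cmk, token))

    def use_key(self, token: bytes) -> bytes:
        """Keys under the CMK or the OMK are usable; anything else is not."""
        for mk in (self.cmk, self.omk):
            if mk is not None:
                try:
                    return unwrap(mk, token)
                except ValueError:
                    pass
        raise ValueError("key is not enciphered under the CMK or OMK")


def _usable(cop: Coprocessor, token: bytes) -> bool:
    try:
        cop.use_key(token)
        return True
    except ValueError:
        return False


def change_master_key(new_parts, clear_key: bytes = b"\x11" * 16) -> dict:
    """Run the RTNMK change sequence and report usability at each step."""
    cop = Coprocessor()
    cop.nmk.load_part(os.urandom(32), last=True)   # initial master key
    cop.set_command()
    ckds = {"K1": wrap(cop.cmk, clear_key)}          # live key storage
    report = {}
    # Step 1: load every part of the new master key; FULL after the last.
    for i, part in enumerate(new_parts):
        cop.nmk.load_part(part, last=(i == len(new_parts) - 1))
    report["nmk_state_after_load"] = cop.nmk.state
    # Step 2: RTNMK every key into the offline copy (CKDS-pending).
    ckds_pending = {name: cop.rtnmk(tok) for name, tok in ckds.items()}
    report["ckds_usable_before_set"] = _usable(cop, ckds["K1"])
    report["pending_usable_before_set"] = _usable(cop, ckds_pending["K1"])
    # Step 3: SET shifts the registers; both copies are now usable.
    cop.set_command()
    report["nmk_state_after_set"] = cop.nmk.state
    report["ckds_usable_after_set"] = _usable(cop, ckds["K1"])
    report["pending_usable_after_set"] = _usable(cop, ckds_pending["K1"])
    # Step 4: retire the old CKDS; CKDS-pending becomes the live CKDS.
    ckds = ckds_pending
    report["recovered_key_matches"] = cop.use_key(ckds["K1"]) == clear_key
    return report
```

The ordering is enforced by the register states: `rtnmk` refuses to run unless the NMK register is FULL, so issuing SET before the re-encipher leaves an EMPTY register and no way to produce CKDS-pending from the current master key along this path. The report shows the pending copy flipping from unusable to usable at SET, while the old CKDS stays usable under the OMK until it is deleted in the final step.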