A key that is generated in EKMF Web can be reused on other Linux instances. This sharing
is useful for backup, recovery, and cloning setups.
Before you begin
The Linux instance that you want to share the key with, or reuse the key on, must be
connected to the same EKMF Web instance as the original Linux instance on which the key was
generated. See Connecting zkey with EKMF Web.
You need to know the label of the identity key of the second Linux instance. To find out
the label, issue the zkey kms info command on that Linux instance.
The identity key label is the last entry in the list of information.
About this task
A key can be imported on other Linux instances. Use this capability when you set up backup or
recovery systems. System-specific properties, such as the volume, might need to be changed on the
imported key.
Figure 1. A key can be reused on another Linux instance
The imported key is protected by a transport key when it is sent to the second Linux instance,
and is then re-encrypted with the master key of the AP queues that the second instance uses.
Procedure
The EKMF Web administrator must allow the
keys to be exported from EKMF Web.
On EKMF Web, go to Key
management on the left navigation bar.
Go to Keys.
Select the keys for which to edit export control.
For example, assume
you want to export XTS keys ZKEY.XTS.1.0030 and ZKEY.XTS.2.0030 that were generated
by the Linux instance with the identity key ZKEY.ID.ECC.0022 to the Linux instance with the
identity key ZKEY.ID.ECC.0025. Select the keys as shown in Figure 2.
Figure 2. Select the keys for which you want to change export
control
Select Edit export control.
On the Export control page, click Add key.
In the field that opens, type the label of the identity key of the Linux instance on which
you want to reuse the keys.
For example, to export the keys to the Linux instance with the identity key
ZKEY.ID.ECC.0025, enter that label as shown in Figure 3.
Figure 3. Add the identity key of the Linux instance on which
you want to reuse the keys
Click Save.
In the example shown in Figure 4,
the Linux instance with the identity key ZKEY.ID.ECC.0025 can now import the XTS keys.
Figure 4. The identity key of the Linux instance on which you
want to reuse the keys is added
Optional: On the second Linux instance, check that the keys you want to use
are available for importing.
To check that a key is available for import, use the zkey kms list command.
For example, the XTS keys for which the EKMF Web administrator allowed export
now show up in the list:
# zkey kms list
Name : emkf-dasdb1
-------------------------------------------------------------------------------------
Key label : ZKEY.XTS1.0030
ZKEY.XTS2.0030
Description : XTS key for DASD B1
Key size : 512 bits
XTS type key : Yes
Key type : CCA-AESCIPHER
Volumes : /dev/dasdb1:enc_disk
Volume type : LUKS2
Sector size : (system default)
Addl. infos : State: ACTIVE
Exporting keys: ZKEY.ID.EC.00022
ZKEY.ID.EC.00025
The keys you want to import must be in the ACTIVE state, and the identity key of the second
Linux instance must be listed under Exporting keys.
On the second Linux instance, use zkey to import the keys that you want to use. Issue the
zkey kms import command and specify the key label.
For example, to
import the keys with labels starting with ZKEY.XTS, issue a command as
follows:
# zkey kms import -B "ZKEY.XTS*"
You can filter the list of keys to import by specifying the -N (name), -B (label),
-l (volume), and -t (volume type) options with the import command.
For example, to import the key named emkf-dasdb1 with the volume type
LUKS2:
# zkey kms import --name emkf-dasdb1 -t LUKS2
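The following shell script is an added example; it is not part of the IBM documentation or of the zkey tool. Before zkey kms import is run, it checks the two conditions that the listing above must show for a key: the state is ACTIVE, and the identity key label of this Linux instance appears under Exporting keys. It parses the text output of zkey kms list in the layout shown above (one "Field : value" line per field, continuation lines carrying a bare label). The data in SAMPLE_LIST is constructed for offline use: the first record mirrors the listing above, while the second key, emkf-dasdc1, and its DEACTIVATED state are invented to show a key that must not be imported. The function name key_importable and the exit codes are this example's own conventions.

```shell
#!/bin/sh
# Added example (not from the IBM page or from zkey): pre-import check for
# "zkey kms import", parsing the output format of "zkey kms list".
# The listing below is constructed sample data (second record is invented).

SAMPLE_LIST='Name : emkf-dasdb1
-------------------------------------------------------------------------------------
        Key label       : ZKEY.XTS1.0030
                          ZKEY.XTS2.0030
        Description     : XTS key for DASD B1
        Key size        : 512 bits
        XTS type key    : Yes
        Key type        : CCA-AESCIPHER
        Volumes         : /dev/dasdb1:enc_disk
        Volume type     : LUKS2
        Sector size     : (system default)
        Addl. infos     : State: ACTIVE
                          Exporting keys: ZKEY.ID.EC.00022
                                          ZKEY.ID.EC.00025

Name : emkf-dasdc1
-------------------------------------------------------------------------------------
        Key label       : ZKEY.XTS1.0031
                          ZKEY.XTS2.0031
        Description     : XTS key for DASD C1
        Key size        : 512 bits
        XTS type key    : Yes
        Key type        : CCA-AESCIPHER
        Volumes         : /dev/dasdc1:enc_disk2
        Volume type     : LUKS2
        Sector size     : (system default)
        Addl. infos     : State: DEACTIVATED
                          Exporting keys: ZKEY.ID.EC.00025
'

# key_importable LISTING KEY-NAME LOCAL-IDENTITY-LABEL
#   exit 0: key is ACTIVE and exported to LOCAL-IDENTITY-LABEL
#   exit 1: key found, but not ACTIVE or not exported to this instance
#   exit 2: no key with that name in the listing
key_importable() {
    printf '%s\n' "$1" | awk -v want="$2" -v id="$3" '
        function finish() {
            if (name == want) {
                found = 1; active = (state == "ACTIVE"); allowed = (id in labels)
            }
        }
        # A "Name :" line at column 0 starts a new key record.
        /^Name[ \t]*:/ {
            finish()
            name = $0; sub(/^Name[ \t]*:[ \t]*/, "", name)
            state = ""; inexp = 0; split("", labels)
            next
        }
        # "Addl. infos : State: ACTIVE" carries the KMS-side key state.
        /State:/ { for (i = 1; i <= NF; i++) if ($i == "State:") state = $(i + 1) }
        # "Exporting keys:" names the identity keys allowed to import this key;
        # further labels follow one per continuation line.
        /Exporting keys:/ {
            sub(/.*Exporting keys:[ \t]*/, "")
            for (i = 1; i <= NF; i++) labels[$i] = 1
            inexp = 1
            next
        }
        # Any other "Field : value" line, or a blank line, ends the label list.
        /^[ \t]*[A-Za-z][A-Za-z. ]*:[ \t]/ || NF == 0 { inexp = 0 }
        inexp { labels[$1] = 1 }
        END {
            finish()
            if (!found) exit 2
            if (active && allowed) exit 0
            exit 1
        }
    '
}
```

On a real second Linux instance the check would be run against live output and gate the import, for example key_importable "$(zkey kms list)" emkf-dasdb1 ZKEY.ID.EC.00025 && zkey kms import --name emkf-dasdb1, where the identity key label comes from zkey kms info on that instance. A non-zero result tells you whether to ask the EKMF Web administrator to add the identity key to export control (exit 1 with an ACTIVE key) or to look at the key state first.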
Change system-specific properties.
The volume and the name are system-specific and might have to be changed. AP queues are bound
to the key management system and are set automatically.
If needed, change the volume with the zkey change
command, for example: