Validating a secure key from a file
Using the zkey validate command, you can obtain validation information about an existing secure key stored in a binary file.
The zkey validate command checks whether the specified file contains a valid secure key. It also displays further attributes of this secure key, such as the key size, whether it is a secure key that can be used for the XTS cipher mode, and the master key register (CURRENT or OLD) with which the secure key is enciphered.
Example command with output for a valid secure key:
    # zkey validate secure_xtskey1.bin
    Validation of secure key in file 'secure_xtskey1.bin':
    Status: Valid
    Secure key size: 272 bytes
    Key type: CCA-AESCIPHER
    Clear key size: 512 bits
    XTS type key: Yes
    Enciphered with: CURRENT master key (MKVP: 26d69731a66f4255)
    Verification pattern: 0aa2b29a40c946de9b6ae4c7410ffaa2
                          96ad1b20d242c8e5847c821aacbb80bf
The displayed verification pattern can be used to identify the effective key contained in this secure key. Any secure key with the same verification pattern contains the same effective key.
If the secure key is not valid because the master key with which it was wrapped is no longer available, the zkey utility shows an error message:
    zkey: Failed to validate a secure key: No such device
    zkey: The secure key in file 'seckey.bin' is not valid
The "No such device" message indicates that there is no cryptographic coprocessor available with the master key that was used to wrap this secure key.
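The following shell functions are an added example, not part of the zkey utility or of the original page. They parse text in the output layout shown above to classify a key and to compare verification patterns. The function names and the result labels (valid-current, valid-old, no-master-key, invalid) are assumptions made for this example, and the two samples are constructed from the outputs printed on this page.

```shell
#!/bin/sh
# Constructed samples: the two outputs shown on this page, copied verbatim.
SAMPLE_VALID="Validation of secure key in file 'secure_xtskey1.bin':
Status: Valid
Secure key size: 272 bytes
Key type: CCA-AESCIPHER
Clear key size: 512 bits
XTS type key: Yes
Enciphered with: CURRENT master key (MKVP: 26d69731a66f4255)
Verification pattern: 0aa2b29a40c946de9b6ae4c7410ffaa2
96ad1b20d242c8e5847c821aacbb80bf"
SAMPLE_ERROR="zkey: Failed to validate a secure key: No such device
zkey: The secure key in file 'seckey.bin' is not valid"

# Print the value of the first "Label: value" line read from stdin.
zkey_field() {
    awk -v label="$1:" '
        !found && (p = index($0, label)) {
            v = substr($0, p + length(label))
            gsub(/^[ \t]+|[ \t]+$/, "", v); print v; found = 1
        }'
}

# Print the verification pattern as one hex string, joining continuation lines.
zkey_vp() {
    awk '
        /Verification pattern:/ { sub(/.*Verification pattern:/, ""); gsub(/[ \t]/, ""); vp = $0; cont = 1; next }
        cont && /^[ \t]*[0-9a-f]+[ \t]*$/ { gsub(/[ \t]/, ""); vp = vp $0; next }
        { cont = 0 }
        END { print vp }'
}

# Classify one captured output ($1) using the labels assumed for this example.
zkey_classify() {
    status=$(printf '%s\n' "$1" | zkey_field Status)
    reg=$(printf '%s\n' "$1" | zkey_field 'Enciphered with')
    case "$status/$reg/$1" in
        Valid/CURRENT*)     echo valid-current ;;   # wrapped with the CURRENT master key
        Valid/OLD*)         echo valid-old ;;       # wrapped with the OLD master key
        *"No such device"*) echo no-master-key ;;   # no coprocessor holds the wrapping key
        *)                  echo invalid ;;
    esac
}

# Succeed only if both outputs carry the same, non-empty verification pattern.
same_effective_key() {
    a=$(printf '%s\n' "$1" | zkey_vp); b=$(printf '%s\n' "$2" | zkey_vp)
    [ -n "$a" ] && [ "$a" = "$b" ]
}
```

On a live system the functions can be given the captured output of zkey validate for a key file. This page does not state which output stream carries the error lines, so capture both.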
For more information, also refer to the zkey man page.