Key storage for traditional IBM systems other than IBM Z (RTCMK-focused: Linux, AIX®, Windows)

Design point - Keys should be re-enciphered to a master key in the CMK register.

This forces the following process to be followed when changing the master key:
  • Load all the master key parts for an NMK, such that the LAST key part has been loaded, then issue the SET command. Now the previous OMK is gone, the previous CMK is now the OMK, and the CMK contains the newly-loaded value. See SET command.
  • Re-encipher all of an existing CCA host key storage data file's key tokens, which are enciphered under the OMK, to be enciphered under the CMK. This is done using the RTCMK rule_array keyword of Key Token Change (CSNBKTC) or PKA Key Token Change (CSNDKTC).
    • This immediately replaces operational keys with the re-enciphered version.
    • The CCA key storage file has a data structure with the verification pattern of the most recently SET master key. The key storage implementation also allows writing external tokens into the key storage. This means that external key tokens, and internal key tokens enciphered under the current master key, are allowed into the key storage.

      It is impossible with the current implementation to use RTNMK together with CCA key storage.

  • During the re-encipherment:
    • Some of the keys in the CCA key storage files are enciphered under the OMK (because of the register shift) and are usable.
    • Some of the keys in the CCA key storage files are enciphered under the CMK, either because they are new or because they have been re-enciphered.
    • No new key tokens can be created with the key wrapped using the OMK.

    Both types are usable for cryptographic operations.
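A toy model of the register shift and the RTCMK re-encipherment described above, added here as an example that is not IBM's code: the wrap and verification-pattern functions are constructed stand-ins for the real CCA algorithms, and the master-key values are constructed. It shows why a second SET without an intervening RTCMK leaves tokens wrapped before the first change unusable.

```python
"""Toy model of CCA master-key registers (NMK/CMK/OMK), SET and RTCMK.
Constructed; wrap() and mkvp() are simplified stand-ins, not CCA's real algorithms."""
import hashlib, hmac, os

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def mkvp(mk: bytes) -> bytes:
    """Toy master-key verification pattern recorded in each token."""
    return hashlib.sha256(b"MKVP" + mk).digest()[:8]

def wrap(mk: bytes, key: bytes) -> dict:
    """Toy 'encipher under master key': XOR with an HMAC-derived keystream."""
    nonce = os.urandom(8)
    return {"mkvp": mkvp(mk), "nonce": nonce,
            "ct": xor(key, hmac.new(mk, nonce, "sha256").digest()[:len(key)])}

class MasterKeyRegisters:
    def __init__(self):
        self.nmk = self.cmk = self.omk = None
    def load_part(self, part: bytes):
        """Key parts are XORed together into the NMK register."""
        self.nmk = part if self.nmk is None else xor(self.nmk, part)
    def set_mk(self):
        """SET: OMK <- CMK, CMK <- NMK, NMK cleared; the previous OMK is gone."""
        self.omk, self.cmk, self.nmk = self.cmk, self.nmk, None
    def unwrap(self, tok: dict) -> bytes:
        """Only tokens enciphered under the CMK or the OMK are usable."""
        for mk in (self.cmk, self.omk):
            if mk is not None and tok["mkvp"] == mkvp(mk):
                stream = hmac.new(mk, tok["nonce"], "sha256").digest()[:len(tok["ct"])]
                return xor(tok["ct"], stream)
        raise ValueError("token wrapped under a master key no longer in any register")
    def rtcmk(self, storage: dict):
        """Key Token Change with RTCMK: rewrap every OMK token under the CMK."""
        for name, tok in storage.items():
            if self.omk is not None and tok["mkvp"] == mkvp(self.omk):
                storage[name] = wrap(self.cmk, self.unwrap(tok))

def rotation_demo(run_rtcmk: bool) -> bool:
    """Two master-key changes; True if the stored key is still usable."""
    regs = MasterKeyRegisters()
    regs.load_part(bytes(range(16))); regs.load_part(bytes(16)); regs.set_mk()
    storage = {"KEY1": wrap(regs.cmk, b"constructed-key!")}     # under CMK
    regs.load_part(os.urandom(16)); regs.set_mk()               # change 1: KEY1 now under OMK
    if run_rtcmk:
        regs.rtcmk(storage)                                     # KEY1 back under CMK
    regs.load_part(os.urandom(16)); regs.set_mk()               # change 2: old OMK is gone
    try:
        return regs.unwrap(storage["KEY1"]) == b"constructed-key!"
    except ValueError:
        return False
```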