Cryptographic coprocessor considerations

Encrypting volumes with a secure key requires that the Linux™ instances have access to domains of a cryptographic coprocessor configured in CCA or EP11 coprocessor mode, depending on which key types you want to use. These domains hold the AES master key under which the secure keys are enciphered.

Whenever the master key is changed or the cryptographic coprocessor is replaced, you must take appropriate action to retain access to the data, for example by re-enciphering the secure keys under the new master key. Once the master key is lost, the data on the volumes can no longer be recovered.

Use standard procedures to set your AES master keys through the Trusted Key Entry (TKE) workstation. Store the master key in multiple parts on a set of smart cards and keep these smart cards in safe places. If a cryptographic coprocessor breaks, or after some other disaster, you can use the smart cards to load the same master key into a domain on another coprocessor.

Also, to safeguard against losing the master key while an operating system is running, consider keeping the same master key in the domains of two or more separate cryptographic coprocessors that are accessible to that system.

In addition, there might be circumstances where you need to access volumes that are encrypted with the same secure key from different Linux instances, each attached to a different cryptographic coprocessor. In such cases, use the Trusted Key Entry workstation to set the same master key in the same domains on two or more separate cryptographic coprocessors.

Important: If the master key that was used to create a secure key is lost, you can recover the encrypted data only if the clear key from which you initially created the secure key is still available. This is often not the case, especially when the secure key was generated from a random key on the cryptographic coprocessor, which never exposes the clear key. Therefore, generate the master key parts on the Trusted Key Entry workstation and store them safely on separate smart cards.
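The key hierarchy that the considerations above rest on, shown as an added software model in Go. This model is not part of this documentation and not code from the zkey tool or the CCA or EP11 libraries; it only illustrates why the master key parts, the second coprocessor and the re-enciphering step matter. Everything in it is an assumption of the model: the secure key is a clear volume key wrapped with AES-GCM under the master key, the MKVP is a truncated SHA-256 of the master key, master key parts combine by XOR, and the names MasterKey, SecureKey, Wrap, Unwrap, Reencipher, GenerateParts and CombineParts are chosen for this example. The clear volume key in main is a constructed value.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"io"
)

// MasterKey models the AES master key of one coprocessor domain (a real CCA/EP11 master key never leaves the HSM).
type MasterKey [32]byte

// MKVP is an assumed verification pattern: a truncated hash that identifies a master key without revealing it.
func (mk MasterKey) MKVP() string {
	sum := sha256.Sum256(mk[:])
	return hex.EncodeToString(sum[:8])
}

// SecureKey is a clear volume key wrapped under a master key; only a domain holding that master key can unwrap it.
type SecureKey struct {
	MKVP    string // pattern of the master key it was wrapped under
	Wrapped []byte // nonce || AES-GCM ciphertext of the clear key
}

// gcm builds AES-GCM under the master key; neither call can fail for a 32-byte AES key.
func (mk MasterKey) gcm() cipher.AEAD {
	block, _ := aes.NewCipher(mk[:])
	g, _ := cipher.NewGCM(block)
	return g
}

// Wrap turns a clear key into a secure key, binding the MKVP as associated data.
func (mk MasterKey) Wrap(clear []byte) (SecureKey, error) {
	g := mk.gcm()
	nonce := make([]byte, g.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return SecureKey{}, err
	}
	mkvp := mk.MKVP()
	return SecureKey{MKVP: mkvp, Wrapped: g.Seal(nonce, nonce, clear, []byte(mkvp))}, nil
}

// Unwrap recovers the clear key; it fails unless this is the master key the secure key was wrapped under.
func (mk MasterKey) Unwrap(sk SecureKey) ([]byte, error) {
	if sk.MKVP != mk.MKVP() {
		return nil, fmt.Errorf("secure key needs master key %s, domain holds %s", sk.MKVP, mk.MKVP())
	}
	g := mk.gcm()
	n := g.NonceSize()
	if len(sk.Wrapped) < n {
		return nil, fmt.Errorf("malformed secure key")
	}
	return g.Open(nil, sk.Wrapped[:n], sk.Wrapped[n:], []byte(sk.MKVP))
}

// Reencipher re-wraps a secure key from the old master key to the new one, which keeps data
// reachable across a master key change. It needs both keys at once: once the old one is gone, so is the clear key.
func Reencipher(sk SecureKey, from, to MasterKey) (SecureKey, error) {
	clear, err := from.Unwrap(sk)
	if err != nil {
		return SecureKey{}, err
	}
	return to.Wrap(clear)
}

// GenerateParts returns n random master key parts; the master key is their XOR, the way parts kept on
// separate smart cards combine. Every part is needed to rebuild the key; any n-1 of them reveal nothing.
func GenerateParts(n int) ([][]byte, error) {
	parts := make([][]byte, n)
	for i := range parts {
		parts[i] = make([]byte, 32)
		if _, err := io.ReadFull(rand.Reader, parts[i]); err != nil {
			return nil, err
		}
	}
	return parts, nil
}

// CombineParts XORs 32-byte key parts into the master key they define.
func CombineParts(parts ...[]byte) (mk MasterKey) {
	for _, p := range parts {
		for j := range mk {
			mk[j] ^= p[j]
		}
	}
	return mk
}

func main() {
	parts, _ := GenerateParts(3)                                                     // three smart cards
	sk, _ := CombineParts(parts...).Wrap([]byte("0123456789abcdef0123456789abcdef")) // card 0; constructed clear key
	_, errSame := CombineParts(parts...).Unwrap(sk)                                  // card 1, loaded from the same three cards
	_, errShort := CombineParts(parts[0], parts[1]).Unwrap(sk)                       // card 2, loaded from only two cards
	fmt.Println("card 1:", errSame, "| card 2:", errShort)
}
```

The model does not reproduce the CCA or EP11 key-token formats. What it does show is the dependency chain behind the guidance above: a domain loaded from all of the smart-card parts recovers the clear key, a domain loaded from an incomplete set or with a different master key does not, and Reencipher succeeds only while the old master key is still present. That is why the parts must be preserved and why a second coprocessor with the same master key is worth keeping.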