Disabling protected key encryption

The generation of cryptographic wrapping keys and the use of protected key management operations on the virtual server are enabled by default.

Before you begin

The use of cryptographic protected key management operations on the virtual server is enabled by default, if:
  1. IBM Z® Central Processor Assist for Cryptographic Functions (CPACF) is installed.
  2. The logical partition running the host is enabled for CPACF key management operations.

    You enable CPACF key management operations on the security page of the Customize Activation Profiles task, which is part of the CPC Operational Customization tasks list.

About this task

The CPACF hardware provides a set of key management operations for clear key encryption, pseudo random number generation, hash functions, and protected key encryption. The use of protected key management operations on the virtual server can be configured.

Symmetric encryption uses a cryptographic key to encrypt messages, files, or disks, and the identical key to decrypt them. A cryptographic key is created for use with a specific algorithm:
  • Data Encryption Algorithm (DEA), also known as Data Encryption Standard (DES)
  • Triple DEA (3DEA, TDEA), which is based on DEA and is also known as Triple DES, 3DES, or TDES
  • Advanced Encryption Standard (AES)

A protected key is a cryptographic key which is itself encrypted by a so-called wrapping key, thus protecting it from unauthorized access. The wrapping key is held by the firmware and is not accessible to software running on the virtual server, so once a key has been wrapped, software needs only the protected key and no longer has to hold the clear key.

The unique wrapping keys are associated with the lifetime of a virtual server. Each time the virtual server is started, its wrapping keys are regenerated, so a protected key created during one run of the virtual server cannot be used after a restart and must be created again. There are two wrapping keys: one for DEA or TDEA keys, and one for AES keys.

A set of key management operations can be performed on the virtual server. Protected key management operations are used to encrypt a clear key using a wrapping key.

If you disable the generation of the wrapping key for DEA/TDEA or for AES, you also disable access to the respective protected key management operations on the virtual server: software in the virtual server can then no longer create or use protected keys for that algorithm. Clear key operations of the same algorithm are not affected.

Procedure

You configure the generation of wrapping keys by using the keywrap element (see <keywrap>).

Its child element cipher (see <cipher>) enables or disables the generation of a wrapping key and the use of the respective protected key management operations. By default, both the AES and DEA/TDEA wrapping keys are generated.

Specify the wrapping key generation that is to be disabled or enabled. The name attribute of cipher selects the wrapping key, aes for the AES wrapping key or dea for the DEA/TDEA wrapping key (as shown in the examples); the state attribute sets whether that key is generated:

state
    on
        Default; enables the wrapping key generation.
    off
        Disables the wrapping key generation.

Example

This example disables the generation of an AES wrapping key. The DEA/TDEA wrapping key is generated by default.
<keywrap>
    <cipher name="aes" state="off"/>
</keywrap>
The example is equivalent to this one:
<keywrap>
    <cipher name="aes" state="off"/>
    <cipher name="dea" state="on"/>
</keywrap>
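The two fragments above are equivalent because a cipher that is not listed keeps its default of on. The following script is added here as an illustration and is not part of the IBM documentation or of libvirt; it reads a domain XML, reports the effective state of both wrapping keys under that default rule, rewrites one cipher without producing a duplicate entry, and prints the fully spelled-out form. The sample domain XML is constructed for this example, the function names are its own, and it does not talk to a running libvirt, so the edited XML still has to be applied through libvirt (for example with virsh define).

```python
# Added example: inspect and edit the <keywrap> element of a libvirt domain XML.
# This is not code from the IBM page or from libvirt; it only encodes the rule
# stated on the page: a <cipher> that is not listed counts as state="on", so the
# two example fragments are equivalent. Function names are this example's own.
import xml.etree.ElementTree as ET

# The two wrapping keys a virtual server has: one for AES, one for DEA/TDEA.
# "aes" and "dea" are the cipher names used in the page's examples.
WRAPPING_KEY_CIPHERS = ("aes", "dea")
VALID_STATES = ("on", "off")

# Constructed sample: a minimal domain XML carrying the page's first example.
EXAMPLE_DOMAIN_XML = """<domain type="kvm">
  <name>vm1</name>
  <keywrap>
    <cipher name="aes" state="off"/>
  </keywrap>
</domain>
"""

# Constructed sample without any <keywrap> element: both keys are generated.
NO_KEYWRAP_XML = '<domain type="kvm"><name>vm2</name></domain>'


def effective_keywrap(domain_xml):
    """Return {"aes": state, "dea": state} as the virtual server will see it.

    A missing <keywrap> or a missing <cipher> means the default, "on".
    Unknown cipher names, bad states and duplicate entries are rejected so
    that a typo does not silently leave a wrapping key enabled.
    """
    root = ET.fromstring(domain_xml)
    states = {name: "on" for name in WRAPPING_KEY_CIPHERS}
    keywrap = root.find("keywrap")
    if keywrap is None:
        return states
    seen = set()
    for cipher in keywrap.findall("cipher"):
        name, state = cipher.get("name"), cipher.get("state")
        if name not in WRAPPING_KEY_CIPHERS:
            raise ValueError(f"unknown cipher name {name!r}")
        if state not in VALID_STATES:
            raise ValueError(f"invalid state {state!r} for cipher {name}")
        if name in seen:
            raise ValueError(f"cipher {name} listed more than once")
        seen.add(name)
        states[name] = state
    return states


def set_keywrap(domain_xml, name, state):
    """Return the domain XML with <cipher name=... state=.../> set.

    Creates <keywrap> if it is absent and updates an existing <cipher> in
    place, so calling it twice does not produce duplicate entries.
    """
    if name not in WRAPPING_KEY_CIPHERS:
        raise ValueError(f"unknown cipher name {name!r}")
    if state not in VALID_STATES:
        raise ValueError(f"invalid state {state!r}")
    root = ET.fromstring(domain_xml)
    keywrap = root.find("keywrap")
    if keywrap is None:
        keywrap = ET.SubElement(root, "keywrap")
    for cipher in keywrap.findall("cipher"):
        if cipher.get("name") == name:
            cipher.set("state", state)
            break
    else:
        ET.SubElement(keywrap, "cipher", name=name, state=state)
    return ET.tostring(root, encoding="unicode")


def explicit_keywrap(domain_xml):
    """Return the fully spelled-out <keywrap> fragment for the given domain,
    i.e. the second form shown in the page's example."""
    states = effective_keywrap(domain_xml)
    lines = ["<keywrap>"]
    for name in WRAPPING_KEY_CIPHERS:
        lines.append(f'    <cipher name="{name}" state="{states[name]}"/>')
    lines.append("</keywrap>")
    return "\n".join(lines)


if __name__ == "__main__":
    print(effective_keywrap(EXAMPLE_DOMAIN_XML))
    print(explicit_keywrap(EXAMPLE_DOMAIN_XML))
    print(effective_keywrap(set_keywrap(EXAMPLE_DOMAIN_XML, "dea", "off")))
```

Run against a domain XML dumped from libvirt, effective_keywrap tells you at a glance which protected key operations the virtual server will actually have, including the case where the whole keywrap element is missing and both keys are generated.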