Generating keys

Keys are generated in EKMF Web, and stored in the zkey repository. Properties that you define for a key, such as the description or the volume, are transferred to EKMF Web.

Before you begin

You need to know:
  • The volumes that you want to encrypt.
  • The type of key you want to generate.

About this task

EKMF Web cannot import existing zkey keys. Keys that were generated locally before the repository was bound to EKMF Web are marked as local, and can be used only on the Linux instance on which zkey runs.

Procedure

  1. Optional: Find out whether the key template uses label tags other than <seqno>.
    If the key template in EKMF Web uses label tags other than the sequential numbering, <seqno>, you must specify them using the -T option when you generate the key. To find out what the label tags are, use the following command:
    # zkey kms info
  2. Use the zkey generate command. You must specify a name. Issue a command of the form:
    # zkey gen --name <name>
    By default, the zkey gen command generates the new key in EKMF Web and imports it into the zkey repository.
    To generate a key on the local zkey repository only, use the --local option. Local keys cannot be imported into EKMF Web.

    Keys that are generated in EKMF Web are always of type CCA-AESCIPHER. The cryptographic size of the keys depends on the underlying EKMF Web template.

    For example, assuming you want to encrypt a volume /dev/dasdb1 with the device mapper name enc_disk and generate an XTS key for this encryption, issue:
    # zkey gen --name emkf-dasdb1 --xts --volumes /dev/dasdb1:enc_disk --description "XTS key for DASD B1"

Results

The key is saved in EKMF Web with its properties. You can reuse the key for another system.

After the key is generated, you can use the zkey list command to see its properties, such as the two parts of the XTS key:
# zkey list
Key                          : emkf-dasdb1
-------------------------------------------------------------------------------------
        Description          : XTS key for DASD B1
        Secure key size      : 272 bytes
        Clear key size       : 512 bits
        XTS type key         : Yes
        Key type             : CCA-AESCIPHER
        Volumes              : /dev/dasdb1:enc_disk
        APQNs                : 08.002f
                               09.002f
        Key file name        : /etc/zkey/repository/emkf-dasdb1.skey
        Sector size          : (system default)
        Volume type          : LUKS2
        Verification pattern : 709bc1e20e34f940362761141e094c65
                               d15bc6cc177d88e7c704577df96d1484
        KMS                  : EKMFWeb
        KMS key label        : ZKEY.XTS1.00002
                               ZKEY.XTS2.00002
        Created              : 2021-03-17 17:31:14
        Changed              : (never)
        Re-enciphered        : (never)
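As an added example (not part of the zkey or EKMF Web documentation), the following POSIX shell script parses zkey list output and reports which keys are managed by EKMF Web and which are local, so that a key is only reused on another system when its KMS field shows EKMFWeb. It assumes that local keys show the value local in the KMS line (the page only says such keys are "marked as local"); the sample listing is constructed.

```shell
#!/bin/sh
# Added example, not from the zkey documentation: classify keys in a
# `zkey list` listing as EKMF Web managed or local.
# Assumption: local keys show "KMS : local" (or no KMS line at all);
# EKMF Web keys show "KMS : EKMFWeb" as in the page's listing.

# Constructed sample listing, modelled on the page's `zkey list` output,
# with a second, local-only key added for illustration.
SAMPLE_LISTING='Key                          : emkf-dasdb1
-------------------------------------------------------------------------------------
        Description          : XTS key for DASD B1
        XTS type key         : Yes
        Key type             : CCA-AESCIPHER
        Volumes              : /dev/dasdb1:enc_disk
        KMS                  : EKMFWeb
        KMS key label        : ZKEY.XTS1.00002
                               ZKEY.XTS2.00002
Key                          : old-local-key
-------------------------------------------------------------------------------------
        Description          : generated before the repository was bound
        XTS type key         : No
        Key type             : CCA-AESDATA
        Volumes              : /dev/dasdc1:enc_disk2
        KMS                  : local
'

# key_kms_status <listing-text>
# Prints one line per key: "<key name> <KMS name or local> <volumes>".
# On a real system call it as: key_kms_status "$(zkey list)"
key_kms_status() {
    printf '%s\n' "$1" | awk '
        function flush() {
            if (name != "")
                printf "%s %s %s\n", name, (kms == "" ? "local" : kms), vols
        }
        /^Key[ \t]*:/            { flush(); name = $3; kms = ""; vols = "-" }
        /^[ \t]+KMS[ \t]*:/      { kms = $3 }     # "KMS key label" does not match
        /^[ \t]+Volumes[ \t]*:/  { vols = $3 }
        END { flush() }'
}

# local_keys <listing-text>
# Names of keys that can be used only on this Linux instance.
local_keys() {
    key_kms_status "$1" | awk '$2 == "local" { print $1 }'
}
```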