Listing keys

Use the zkey kms list command to display eligible secure keys that are managed by EKMF Web. These keys can, but need not, be in the zkey repository.

About this task

You can filter the displayed list by:
  • Key label, option -B or --label
  • Key name, option -N or --name
  • Associated volumes, option -l or --volumes
  • Volume type, option -t or --volume-type
  • State, option -s or --states
Most of these options are the same as for the zkey list command. For details about the filter options, see zkey kms - Managing secure keys with a KMS plug-in, Pervasive Encryption for Data Volumes, SC34-2782, or the zkey man page.

Use the --states option to filter the list by the key state in EKMF Web. You can specify multiple states, separated by commas. By default, keys in ACTIVE state are displayed.

By default, only keys that this zkey client is allowed to use are displayed. This is controlled by export control options: a key can be used by this zkey client when its export control options include the identity key of this zkey client as an allowed exporting key. Specify the --all option to include keys that this zkey client is not allowed to use. The EKMF Web operator can change the export control options of a key to allow a certain zkey identity key to export the key.

Procedure

  • To list all active keys the zkey instance can use, issue zkey kms list, for example:
    # zkey kms list
    Name                         : emkf-test
    -------------------------------------------------------------------------------------
            Key label            : ZKEY.XTS1.00002
                                   ZKEY.XTS2.00002
            Description          : A key generated in EKMF Web
            Key size             : 512 bits
            XTS type key         : Yes
            Key type             : CCA-AESCIPHER
            Volumes              : /dev/dasdb1:enc_disk
            Volume type          : LUKS2
            Sector size          : (system default)
            Addl. infos          : State: ACTIVE
                                   Exporting keys: ZKEY.ID.EC.00001
    
    Name                         : emkf-test2
    -------------------------------------------------------------------------------------
            Key label            : ZKEY.XTS1.00003
                                   ZKEY.XTS2.00003
            Description          : 2nd key generated in EKMF Web
            Key size             : 512 bits
            XTS type key         : Yes
            Key type             : CCA-AESCIPHER
            Volumes              : /dev/dasda1:enc_disk
            Volume type          : LUKS2
            Sector size          : (system default)
            Addl. infos          : State: ACTIVE
                                   Exporting keys: ZKEY.ID.EC.00001
    
    For more information on how to make keys available to a zkey instance, see Sharing an EKMF Web key with another system.
  • To filter the list by name, specify a name, or part of a name, for example:
    # zkey kms list -N "ekmf*"
    This command would result in the same list as in the example before.
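
The following Python example is added here and is not part of the original documentation. It parses text in the layout of the listing shown above, for instance output captured with the --all option and a --states filter, and reports keys that are not in ACTIVE state or whose exporting keys do not include this client's identity key. The sample records, the function names, the DEACTIVATED state value, and the assumption that several exporting keys are separated by commas or spaces are constructed for illustration.

```python
import re
# Constructed sample in the page's listing layout; key names, state and label 00009 are made up.
SAMPLE = """\
Name                         : demo-key1
-------------------------------------------------------------------------------------
        Key label            : ZKEY.XTS1.00002
                               ZKEY.XTS2.00002
        Volumes              : /dev/dasdb1:enc_disk
        Addl. infos          : State: ACTIVE
                               Exporting keys: ZKEY.ID.EC.00001

Name                         : demo-key2
-------------------------------------------------------------------------------------
        Key label            : ZKEY.XTS1.00003
        Volumes              : /dev/dasda1:enc_disk
        Addl. infos          : State: DEACTIVATED
                               Exporting keys: ZKEY.ID.EC.00009
"""

def parse_listing(text):
    """Return one dict per key, mapping field name -> list of value lines."""
    keys, cur, field = [], None, None
    for line in text.splitlines():
        if not line.strip() or set(line.strip()) == {"-"}:
            continue                      # blank line or dashed separator
        head, sep, value = line.partition(" : ")
        if sep and head.strip() == "Name":
            cur, field = {"Name": [value.strip()]}, "Name"
            keys.append(cur)
        elif cur is not None and sep:     # "Field : value" starts a new field
            field = head.strip()
            cur[field] = [value.strip()]
        elif cur is not None:             # continuation of the previous field
            cur[field].append(line.strip())
    return keys

def audit(text, identity_label):
    """List (name, volumes, issue) for keys this client should not rely on."""
    findings = []
    for key in parse_listing(text):
        info = dict(i.split(":", 1) for i in key.get("Addl. infos", []) if ":" in i)
        state = info.get("State", "").strip() or "unknown"
        # Assumption: several exporting keys are separated by commas or spaces.
        exporters = re.split(r"[,\s]+", info.get("Exporting keys", "").strip())
        name, vols = key["Name"][0], ",".join(key.get("Volumes", []))
        if state != "ACTIVE":
            findings.append((name, vols, f"state is {state}"))
        if identity_label not in exporters:
            findings.append((name, vols, "identity key is not an allowed exporting key"))
    return findings
```

Calling audit(SAMPLE, "ZKEY.ID.EC.00001") returns two findings for demo-key2 and none for demo-key1.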