Background information about master key management

There are four types (or sets) of master keys (Symmetric DES, AES, Asymmetric RSA (PKA), and APKA).

There are three master key registers for each of the four types of master key. In other words, there are a total of twelve master key registers.

The APKA master-key register set is used to encrypt and decrypt the Object Protection Key (OPK) that is itself used to wrap the key material of an Elliptic Curve Cryptography (ECC) key. ECC keys are asymmetric.

For each of the four types, there is a master key register in one of these three categories:
New master-key (NMK) register
This register holds a master key that is not yet usable for decrypting key tokens for normal cryptographic operations.
The NMK register can be in one of these states:
EMPTY
No key parts have been loaded yet.
PARTIALLY FULL
Some key parts have been loaded, but not the LAST key part. See Master Key Process (CSNBMKP).
FULL
The LAST key part has been loaded, but the SET command has not yet been called. See Master Key Process (CSNBMKP).
Current master-key (CMK) register
This register holds a master key that can be used to decrypt internal key tokens for keys in use with normal cryptographic operations. Internal key tokens are protected under the master key; the keys are actually stored outside the adapter.
The CMK register can be in one of these states:
EMPTY
No valid key has yet been established with the SET command in the life of this adapter, or the adapter has been re-initialized to clear the master key registers.
VALID
A master key has been loaded with the SET command.
Old master-key (OMK) register
This is the master key that previously has been the CMK, before the master key that is now in the CMK register. The OMK register can also be used to decrypt internal key tokens, but for these keys a warning with return code 0 and reason code 2 is returned, along with the results from the requested cryptographic operation.
The OMK register can be in one of these states:
EMPTY
No valid key is in this register.
VALID
A master key that previously was in the CMK register has been shifted to the OMK register by the SET command. The same invocation of the SET command also shifted the contents of the NMK register into the CMK register.