Background information about master key management
There are four types (or sets) of master keys: symmetric DES, symmetric AES, asymmetric RSA (PKA), and APKA.
There are three master key registers for each of the four types of master key. In other words, there are a total of twelve master key registers.
The APKA master-key register set is used to encrypt and decrypt the Object Protection Key (OPK) that is itself used to wrap the key material of an Elliptic Curve Cryptography (ECC) key. ECC keys are asymmetric.
For each of the four types, there is exactly one master key register in each of these three categories:
- New master-key (NMK) register
- This register holds a master key that is not yet usable for decrypting key tokens for normal cryptographic operations.
The NMK register can be in one of these states:
- EMPTY
- No key parts have been loaded yet.
- PARTIALLY FULL
- Some key parts have been loaded, but not the LAST key part. See Master Key Process (CSNBMKP).
- FULL
- The LAST key part has been loaded, but the SET command has not yet been called. See Master Key Process (CSNBMKP).
- Current master-key (CMK) register
- This register holds the master key that is used to decrypt internal key tokens for keys in use with normal cryptographic operations. Internal key tokens are protected (wrapped) under the master key; the keys themselves are stored outside the adapter, and only the master key lives inside it.
The CMK register can be in one of these states:
- EMPTY
- No valid key has yet been established with the SET command in the life of this adapter, or the adapter has been re-initialized to clear the master key registers.
- VALID
- A master key has been loaded with the SET command.
- Old master-key (OMK) register
- This register holds the master key that was the CMK immediately before the master key now in the CMK register. The OMK register can also be used to decrypt internal key tokens, but for such keys the operation returns a warning (return code 0, reason code 2) along with the results of the requested cryptographic operation, signalling that the token should be re-enciphered under the current master key.
The OMK register can be in one of these states:
- EMPTY
- No valid key is in this register.
- VALID
- A master key that previously was in the CMK register has been shifted to the OMK register by the SET command. The same invocation of the SET command also shifted the contents of the NMK register into the CMK register.