Changing key properties

To change a property of a key, use the zkey change command.

About this task

Properties that you change with the zkey change command are updated in KMIP.

You can change the description, the volume, the volume type, and the sector size. You cannot change the name with the change command. For how to rename a key, see Renaming a key in the repository.

You cannot change the AP queues for a key that is bound to a KMIP plug-in. To change the AP queues, use the zkey kms configure command with the --apqns option.

Other properties represent the same physical entity but need different names on different systems. For example, the same physical volume can be mounted to two Linux instances under different names. The same key can be imported on another Linux instance, into another zkey repository, under a different name.

For details about the zkey change command, see the zkey command reference in Pervasive Encryption for Data Volumes, SC34-2782, or the man page.

Procedure

  1. Optional: List the key properties.
    For example, assuming the key generated before:
    # zkey list
    Key                          : emkf-dasdb1
    -------------------------------------------------------------------------------------
            Description          : AES key for DASD C1
            Secure key size      : 272 bytes
            Clear key size       : 512 bits
            XTS type key         : Yes
            Key type             : CCA-AESCIPHER
            Volumes              : /dev/dasdb1:enc_disk
            APQNs                : 08.002f
                                   09.002f
            Key file name        : /etc/zkey/repository/kmip-dasdc1.skey
            Sector size          : (system default)
            Volume type          : LUKS2
            Verification pattern : 709bc1e20e34f940362761141e094c65
                                   d15bc6cc177d88e7c704577df96d1484
            KMS                  : KMIP
            KMS key label        : TEST1
                                   TEST2
            Created              : 2022-03-23 17:31:14
            Changed              : (never)
            Re-enciphered        : (never)
    
  2. Use the zkey change command and specify the name of the key, followed by the property you want to change.
    For example, to change the description:
    # zkey change -N seckey -d "This is my secret key"

Results

The key now has the new description in the zkey repository as well as on the KMIP server:
# zkey list
Key                          : seckey
-------------------------------------------------------------------------------------
        Description          : This is my secret key

                ...
        Created              : 2022-03-17 17:31:14 
        Changed              : 2022-03-18 12:08:10
        Re-enciphered        : (never)
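
As an added example (not part of the original documentation or of the zkey tool), the following shell functions confirm a change by parsing zkey list output read from standard input, including values that wrap onto continuation lines. The function names and the sample listing are assumptions constructed for illustration.

```sh
# zkey_prop KEY PROPERTY: print PROPERTY of KEY from `zkey list` output on
# stdin. Wrapped values (APQNs, verification pattern) are joined with spaces.
zkey_prop() {
    awk -v key="$1" -v prop="$2" '
        function trim(s) { gsub(/^[ \t]+|[ \t]+$/, "", s); return s }
        /^-+$/ { next }                          # rule under the key header
        {
            pos = index($0, " : ")
            if (pos == 0) {                      # continuation, blank or "..."
                t = trim($0)
                if (inprop && t != "" && t != "...") val = val " " t
                next
            }
            name = trim(substr($0, 1, pos - 1))
            value = trim(substr($0, pos + 3))
            if (name == "Key" && $0 !~ /^[ \t]/) {   # unindented: new key block
                inkey = (value == key); inprop = 0
                next
            }
            inprop = (inkey && name == prop)
            if (inprop) { val = value; found = 1 }
        }
        END { if (!found) exit 1; print val }'
}

# Succeed only if KEY ($1) shows description $2 and a Changed timestamp.
zkey_verify_change() {
    listing=$(cat)
    desc=$(printf '%s\n' "$listing" | zkey_prop "$1" Description) || return 1
    changed=$(printf '%s\n' "$listing" | zkey_prop "$1" Changed) || return 1
    [ "$desc" = "$2" ] && [ "$changed" != "(never)" ]
}

# Constructed sample input, modelled on the listings shown on this page.
sample_zkey_list() {
    cat <<'EOF'
Key                          : emkf-dasdb1
-------------------------------------------------------------------------------------
        Description          : AES key for DASD C1
        APQNs                : 08.002f
                               09.002f
        Changed              : (never)
Key                          : seckey
-------------------------------------------------------------------------------------
        Description          : This is my secret key
        Changed              : 2022-03-18 12:08:10
EOF
}
sample_zkey_list | zkey_verify_change seckey "This is my secret key" && echo changed
```

On a live system, pipe the output of zkey list into zkey_verify_change in place of the sample listing.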