Generating keys with KMIP

Keys are generated in the KMIP server, and stored in the zkey repository.

Before you begin

You need to know the type of key you want to generate.

The supported key types depend on the type of AP queues bound to the plug-in: CCA or EP11.

When the KMS is bound to CCA AP queues, you can choose whether to generate CCA AES DATA keys or CCA AES CIPHER keys by using the --key-type option.

Procedure

Use the zkey generate (zkey gen) command.
You can specify a name with the --label option. The label is the name of the key on the KMIP server, whereas --name specifies the name of the key in the zkey repository.
Issue a command of the form:
# zkey gen --key-type <type> --label <name>
The type of the generated key depends on the chosen APQN types. For CCA APQNs, the command generates a CCA-AESDATA key by default, but for EP11 APQNs it generates an EP11-AES key. The new key is generated on the KMIP server and imported into the zkey repository.
To generate a key on the local zkey repository only, use the --local option. Local keys cannot be imported into KMIP.
For example, assuming you want to encrypt a block device /dev/dasdc1 with the device-mapper name encvol and generate an XTS key for this encryption, issue:
# zkey gen --name seckey --volumes /dev/dasdc1:encvol --label TEST1:TEST2

The command generates a secure AES XTS key on the KMIP server with the labels TEST1 and TEST2, stores it in the secure-key repository under the name seckey, and associates it with block device /dev/dasdc1 and device-mapper name encvol.

Results

The key is stored on the KMIP server together with its properties, so you can reuse it on another system.

After the key is generated, you can use the zkey list command to see its properties:
# zkey list
Key                          : seckey
-------------------------------------------------------------------------------------
        Description          : AES key for DASD C1
        Secure key size      : 272 bytes
        Clear key size       : 512 bits
        XTS type key         : Yes
        Key type             : CCA-AESCIPHER
        Volumes              : /dev/dasdc1:encvol
        APQNs                : 08.002f
                               09.002f
        Key file name        : /etc/zkey/repository/kmip-dasdc1.skey
        Sector size          : (system default)
        Volume type          : LUKS2
        Verification pattern : 709bc1e20e34f940362761141e094c65
                               d15bc6cc177d88e7c704577df96d1484
        KMS                  : KMIP
        KMS key label        : TEST1
                               TEST2
        Created              : 2022-03-23 16:17:14
        Changed              : (never)
        Re-enciphered        : (never)
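The following POSIX shell script is an added example and is not part of the IBM documentation or of the zkey tool. It does not call zkey (so it runs offline); instead it builds the zkey gen command line for an XTS key from validated inputs, following the --volumes and --label syntax shown in the procedure, and then checks a captured zkey list report for the properties you expect after a KMIP-backed generation: the key name, KMS set to KMIP, both KMIP labels, the volume association and the XTS flag. The sample report embedded in the script is a constructed, shortened copy of the listing format above; the key name seckey, labels TEST1 and TEST2 and device names are the ones used on this page. Function names are the example's own.

```shell
#!/bin/sh
# Added example, not from the IBM documentation or from zkey itself.
set -u

# zkey_gen_cmd NAME VOLSPEC LABELSPEC [KEYTYPE]
# Print the zkey gen command line for an XTS key after checking that the
# volume spec has the form <device>:<dm-name> and that --label carries the
# two KMIP labels an XTS key needs, separated by a colon.
zkey_gen_cmd() {
    name=$1 vol=$2 label=$3 keytype=${4:-}
    case "$vol" in
        /dev/*:?*) ;;
        *) echo "volume spec must be /dev/<device>:<dm-name>: $vol" >&2; return 1 ;;
    esac
    case "$label" in
        ?*:?*) ;;
        *) echo "an XTS key needs two labels, <label1>:<label2>: $label" >&2; return 1 ;;
    esac
    printf 'zkey gen --name %s --volumes %s --label %s' "$name" "$vol" "$label"
    [ -n "$keytype" ] && printf ' --key-type %s' "$keytype"
    printf '\n'
}

# report_field REPORT FIELD
# Print the value of FIELD from a zkey list report. Values wrapped onto
# following lines (as the two labels of an XTS key are) are joined with a
# colon, which is the same separator --label uses.
report_field() {
    printf '%s\n' "$1" | awk -v f="$2" '
        /^-+$/ { next }                         # separator line under the key name
        /^ *[A-Za-z].*: / {                     # a "Field : value" line
            infield = ($0 ~ ("^ *" f " *: "))
            if (infield) { sub(/^[^:]*: */, ""); val = $0 }
            next
        }
        infield && NF { val = val ":" $1 }      # continuation line of the field
        END { print val }'
}

# check_kmip_key REPORT NAME LABELSPEC VOLSPEC
# Succeed only when the report describes an XTS key imported from the KMIP
# server with the requested name, labels and volume association.
check_kmip_key() {
    [ "$(report_field "$1" Key)" = "$2" ] || return 1
    [ "$(report_field "$1" KMS)" = KMIP ] || return 1
    [ "$(report_field "$1" 'KMS key label')" = "$3" ] || return 1
    [ "$(report_field "$1" Volumes)" = "$4" ] || return 1
    [ "$(report_field "$1" 'XTS type key')" = Yes ] || return 1
}

# Constructed sample report in the zkey list format (shortened).
SAMPLE_REPORT=$(cat <<'EOF'
Key                          : seckey
-------------------------------------------------------------------------------------
        XTS type key         : Yes
        Key type             : CCA-AESCIPHER
        Volumes              : /dev/dasdc1:encvol
        APQNs                : 08.002f
                               09.002f
        KMS                  : KMIP
        KMS key label        : TEST1
                               TEST2
        Created              : 2022-03-23 16:17:14
EOF
)

main() {
    zkey_gen_cmd seckey /dev/dasdc1:encvol TEST1:TEST2
    if check_kmip_key "$SAMPLE_REPORT" seckey TEST1:TEST2 /dev/dasdc1:encvol; then
        echo "report matches the requested KMIP key"
    else
        echo "report does not match the requested KMIP key" >&2
        return 1
    fi
}

# Run the demonstration only when executed directly, not when sourced.
[ "${0##*/}" = "sh" ] || [ "${0##*/}" = "bash" ] || main
```

In practice you would pipe the real `zkey list` output into report_field or check_kmip_key right after the zkey gen step; a mismatch in the KMS or KMS key label fields is the quickest sign that the key ended up local only (for example because --local was used) rather than on the KMIP server.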