Generating keys with KMIP
Keys are generated in the KMIP server, and stored in the zkey repository.
Before you begin
The supported key types depend on the AP queue types bound to the plug-in, CCA or EP11.
When the KMS is bound to CCA AP queues, you can choose whether to generate CCA AES DATA keys or CCA AES CIPHER keys by using the --key-type option.
Procedure
Use the zkey generate command. You can specify a name with the --label option. The label specifies the name of the key in the KMIP server, whereas --name specifies the name of the key in zkey. Issue a command of the form:
# zkey gen --key-type <type> --label <name>
The type of the generated key depends on the chosen APQN types. For CCA APQNs, the command generates a CCA-AESDATA key by default, but for EP11 APQNs it generates an EP11-AES key. The new key is generated on the KMIP server and imported into the zkey repository.
To generate a key on the local zkey repository only, use the --local option. Local keys cannot be imported into KMIP.
For example, assuming you want to encrypt a block device /dev/dasdc1 with the device mapper name encvol and generate an XTS key for this encryption, issue:
# zkey gen --name seckey --volumes /dev/dasdc1:encvol --label TEST1:TEST2
The command generates a secure AES key in the KMIP server using the labels TEST1 and TEST2, stores the XTS key in the secure-key repository using the name seckey, and associates it with block device /dev/dasdc1 and device-mapper name encvol.
Results
The key is saved in KMIP with its properties. You can reuse the key for another system.
After the key is generated you can use the zkey list command to see its properties:
# zkey list
Key : seckey
-------------------------------------------------------------------------------------
Description : AES key for DASD C1
Secure key size : 272 bytes
Clear key size : 512 bits
XTS type key : Yes
Key type : CCA-AESCIPHER
Volumes : /dev/dasdc1:encvol
APQNs : 08.002f
09.002f
Key file name : /etc/zkey/repository/kmip-dasdc1.skey
Sector size : (system default)
Volume type : LUKS2
Verification pattern : 709bc1e20e34f940362761141e094c65
d15bc6cc177d88e7c704577df96d1484
KMS : KMIP
KMS key label : TEST1
TEST2
Created : 2022-03-23 16:17:14
Changed : (never)
Re-enciphered : (never)
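The procedure and the listing above, wrapped in a small shell script as an added example; this is not code from the zkey documentation or the zkey project. It assumes the option names used on this page (--name, --volumes, --label, --key-type, --xts) and the listing layout of zkey list; the sample listings embedded in the script are constructed from the page's output, and the local-key listing is an assumption about what a key generated without KMIP looks like. The script validates the volume specification (a bad device-mapper name is rejected before anything reaches zkey), prints the generate command so an administrator can review it before running it, and then checks a captured listing for the properties a KMIP-generated XTS key must show: KMS set to KMIP, a KMS key label present, and XTS type key set to Yes.

```shell
#!/bin/sh
# Added example, not part of the zkey documentation or the zkey project.
# Assumptions: the zkey generate options shown on this page and the
# field layout of "zkey list" output.

# A volume spec must be /dev/<device>:<dm-name>; the dm-name is restricted
# to letters, digits, '_' and '-' so it is safe to hand to device-mapper.
valid_volume_spec() {
    case "$1" in
        /dev/*:*) ;;
        *) return 1 ;;
    esac
    dm_name=${1#*:}
    case "$dm_name" in
        ""|*[!A-Za-z0-9_-]*) return 1 ;;
    esac
    return 0
}

# Print the zkey generate command line for the given parameters.
#   $1 key name in the zkey repository    $2 volume spec (/dev/x:dm-name)
#   $3 KMIP label (label1:label2 for an XTS key)
#   $4 key type, or "" for the plug-in default   $5 "yes" for an XTS key
# The command is printed, not executed, so a caller can review it first.
build_zkey_gen_cmd() {
    valid_volume_spec "$2" || { echo "invalid volume spec: $2" >&2; return 1; }
    [ -n "$1" ] && [ -n "$3" ] || { echo "key name and label are required" >&2; return 1; }
    cmd="zkey generate --name $1 --volumes $2 --label $3"
    [ -n "$4" ] && cmd="$cmd --key-type $4"
    [ "$5" = "yes" ] && cmd="$cmd --xts"
    printf '%s\n' "$cmd"
}

# Constructed sample listing, in the layout of "zkey list" shown above
# (values taken from the page's example). A real run would capture the
# output of "zkey list" for the key in question instead.
SAMPLE_LISTING='Key                  : seckey
Key type             : CCA-AESCIPHER
XTS type key         : Yes
Volumes              : /dev/dasdc1:encvol
KMS                  : KMIP
KMS key label        : TEST1
                       TEST2'

# Constructed listing of a key generated with --local (assumption: such a
# key does not report KMS : KMIP), used for the negative check.
LOCAL_LISTING='Key                  : localkey
Key type             : CCA-AESDATA
XTS type key         : No
Volumes              : /dev/dasdd1:localvol'

# Print the first line of one field from a listing, e.g.
#   zkey_field "Key type" "$listing"   ->  CCA-AESCIPHER
# The anchored pattern keeps "Key" from matching "Key type" or "KMS" from
# matching "KMS key label".
zkey_field() {
    printf '%s\n' "$2" | sed -n "s/^ *$1 *: *//p" | sed -n '1p'
}

# Succeed only if the listing describes a key held in the KMIP server with
# a KMS key label, and (when $2 is "yes") an XTS key.
verify_kmip_key() {
    listing=$1
    want_xts=$2
    [ "$(zkey_field KMS "$listing")" = "KMIP" ] || { echo "not a KMIP key" >&2; return 1; }
    [ -n "$(zkey_field 'KMS key label' "$listing")" ] || { echo "no KMS key label" >&2; return 1; }
    if [ "$want_xts" = "yes" ]; then
        [ "$(zkey_field 'XTS type key' "$listing")" = "Yes" ] || { echo "not an XTS key" >&2; return 1; }
    fi
    return 0
}

# Stand-alone demonstration: show the command for the page's example and
# check the sample listing against the expected KMIP/XTS properties.
build_zkey_gen_cmd seckey /dev/dasdc1:encvol TEST1:TEST2 "" yes
verify_kmip_key "$SAMPLE_LISTING" yes && echo "seckey: XTS key generated in KMIP"
```

Running verify_kmip_key against a listing captured after zkey gen is a cheap post-generation check that the key really landed in the KMIP server rather than only in the local repository, which matters because, as stated above, local keys cannot be imported into KMIP afterwards.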