Importing secure keys from KMIP

Restore a corrupted repository or create a backup repository.

About this task

Assume you have a KMIP and pervasive encryption solution on Linux® on IBM® Z. You already have keys on the KMIP server, and you would like to import them into a zkey instance.

You can filter the keys by:
  • Key label, option -B or --label
  • Key name, option -N or --name
  • Associated volumes, option -l or --volumes
  • Volume type, option -t or --volume-type
These options are the same as for the zkey list command. For details about the filter options, see zkey kms - Managing secure keys with a KMS plug-in, Pervasive Encryption for Data Volumes, SC34-2782, or the zkey man page.

Procedure

  1. Install a new Linux instance with zkey. For example, you can use Red Hat Enterprise Linux as of version 8.4 or SUSE Linux Enterprise Server as of 15.3.
  2. On the new Linux instance, bind zkey to KMIP and configure the plug-in.
  3. On KMIP, the administrator must give the new zkey system access to the key to import.
  4. On the new Linux instance, import the keys by using the zkey kms import command.
    To import all eligible keys, issue the following command:
    # zkey kms import
    For details on how to import only certain keys, see zkey kms import.
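The following shell script is an added example and is not part of the IBM documentation or the zkey project. It wraps the import step with the filter options the page lists (--label, --name, --volumes, --volume-type), prints the exact command line before running it, and then runs zkey list with the same filters so the administrator can confirm which keys arrived in the repository. It assumes zkey is installed and already bound to the KMIP plug-in (steps 1 to 3); the label and volume-type values in the usage comment are constructed sample values.

```shell
#!/bin/sh
# Added example (not from the IBM documentation or the zkey project):
# import keys from KMIP using the page's filter options and confirm the
# result with 'zkey list' using the same filters.
# Assumes zkey is installed and already bound to the KMIP plug-in.
# Set DRY_RUN=1 to print the command lines instead of executing them.

# zkey_filtered LABEL NAME VOLUMES VOLUME_TYPE SUBCOMMAND...
# Builds "zkey SUBCOMMAND... [filter options]" as an argument list.
# An empty filter value means "do not pass that option".
# Prints the command line, then executes it unless DRY_RUN=1.
zkey_filtered() {
    f_label=$1
    f_name=$2
    f_volumes=$3
    f_voltype=$4
    shift 4
    set -- zkey "$@"
    [ -n "$f_label" ]   && set -- "$@" --label "$f_label"
    [ -n "$f_name" ]    && set -- "$@" --name "$f_name"
    [ -n "$f_volumes" ] && set -- "$@" --volumes "$f_volumes"
    [ -n "$f_voltype" ] && set -- "$@" --volume-type "$f_voltype"
    # Show the command for review; arguments are kept as a list so that
    # label patterns such as 'vol-*' are never glob-expanded by the shell.
    printf '%s\n' "$*"
    if [ "${DRY_RUN:-0}" = 1 ]; then
        return 0
    fi
    "$@"
}

# import_and_verify LABEL NAME VOLUMES VOLUME_TYPE
# Runs 'zkey kms import' with the given filters and, on success, lists the
# repository with the same filters so the imported keys can be checked.
import_and_verify() {
    zkey_filtered "$1" "$2" "$3" "$4" kms import || {
        echo "zkey kms import failed" >&2
        return 1
    }
    zkey_filtered "$1" "$2" "$3" "$4" list
}

# Usage (constructed sample values): import every key whose label matches
# 'vol-*' and that belongs to plain (non-LUKS2) volumes, then list them.
# import_and_verify 'vol-*' '' '' plain
```

With DRY_RUN=1 the script only prints the two command lines, which makes it easy to review the filter before touching the repository on the new system.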

Results

Your secure key repository is populated with the keys from KMIP.

If the host name of the newly installed system remains the same, the key names and key properties of the imported keys also remain the same as on the original system.

If the host name is now different, some of the key properties might need adapting to the current system. Use the zkey change and zkey rename commands to adapt the key name and properties as needed.