Recovering a secure key repository

Restore a corrupted repository or create a backup repository.

Before you begin

This scenario assumes:
  • Your organization uses EKMF Web
  • You have a user ID and password for EKMF Web

About this task

Assume you have an EKMF Web and pervasive encryption solution on Linux® on IBM® Z, but your data center is flooded. Now your secure key repository is gone. But luckily, your encrypted volumes are safe, and you use EKMF Web, so your keys are safe.

You can recover a secure key repository by setting up a new repository on a new Linux instance, and reimporting the keys from EKMF Web.

Procedure

  1. Install a new Linux instance with zkey. For example, you can use Red Hat Enterprise Linux as of version 8.4 or SUSE Linux Enterprise Server as of version 15.3.
  2. On the new Linux instance, bind zkey to EKMF Web.
  3. On the new Linux instance, configure zkey.
  4. On EKMF Web, the administrator must allow the keys from your old secure key repository to be exported from EKMF Web into the new secure key repository.
  5. On the new Linux instance, import the keys by using the zkey kms import command.
    To import all eligible keys, issue the following command:
    # zkey kms import
    For details on how to refresh only certain keys, see zkey kms import.

Results

Your secure key repository is populated with the keys from EKMF Web, and you can resume working.

If the host name of the newly installed system remains the same, the key names and key properties of the imported keys also remain the same as on the original system.

If the host name is now different, some of the key properties might need adapting to the current system. Use the zkey change and zkey rename commands to adapt the key name and properties as needed.