zkey kms reencipher
Use the zkey kms reencipher command to reencipher a secure key in a key-management system.
There can be plug-in-specific options. Use zkey kms reencipher --help to see which plug-in-specific options a plug-in provides or requires.
For KMIP: Use the zkey kms reencipher command to reencipher the identity key and the wrapping key with a new master key. These keys must be reenciphered when the master keys of the associated AP queues change:
- For cryptographic adapters in CCA coprocessor mode, this is the APKA master key.
- For cryptographic adapters in EP11 coprocessor mode, this is the EP11 master key.
Note: The zkey kms reencipher command does not reencipher secure keys that were generated by, or have been imported from, the KMIP server, and are now stored in the secure key repository. Use the regular zkey reencipher command to reencipher those secure keys.
For EKMF Web: The zkey kms reencipher command re-enciphers the secure-identity key of the EKMF Web plug-in with a new master key. The secure-identity key must be re-enciphered when the APKA master key of the CCA cryptographic adapter changes.
- -n or --to-new
  Reenciphers a secure key with the master key in the NEW register.
- -o or --from-old
  Reenciphers a secure key that is currently enciphered with the master key in the OLD register with the master key in the CURRENT register.
  If both -n and -o are specified, a secure key that is currently enciphered with the master key in the OLD register is reenciphered with the master key in the NEW register.
- -i or --in-place
  Forces an in-place re-enciphering. This is the default for --from-old.
- -s or --staged
  Stores the key in a file, <key-name>.renc, in the secure key repository. The key in <key-name>.skey is still valid. Once a new master key has been set, you must rerun the reencipher command with option --complete. This copies the file <key-name>.renc to <key-name>.skey and thus completes the staged re-enciphering. Re-enciphering from CURRENT to NEW is by default done in staged mode.
- -c or --complete
  Completes a staged re-enciphering.
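A check for the staged flow described above, added here as an example and not taken from the zkey documentation or the zkey tool itself: it assumes the repository layout the text describes (one <key-name>.skey per key, plus <key-name>.renc while a staged re-enciphering is pending) and uses assumed function names to list keys that have not been staged yet, and keys whose --complete step is still outstanding.

```shell
#!/bin/sh
# Added example, not part of the zkey documentation or the zkey tool.
# It models the staged re-enciphering state the page describes: each key
# lives in <key-name>.skey, and a pending staged re-enciphering adds
# <key-name>.renc beside it until "zkey kms reencipher --complete" copies
# the .renc file over the .skey file. Directory layout and function names
# are assumptions made for this example.

# Keys that still need "zkey kms reencipher --to-new --staged": a .skey
# file with no .renc file beside it. Prints one key name per line.
unstaged_keys() {
    for skey in "$1"/*.skey; do
        [ -e "$skey" ] || continue              # empty repository
        name=$(basename "$skey" .skey)
        [ -e "$1/$name.renc" ] || printf '%s\n' "$name"
    done
}

# Keys whose staged re-enciphering has not been completed: a .renc file is
# still present, so "zkey kms reencipher --complete" has not run for them.
pending_completion() {
    for renc in "$1"/*.renc; do
        [ -e "$renc" ] || continue
        basename "$renc" .renc
    done
}

# Walk through the staged flow on a constructed repository in a temporary
# directory (the real flow runs zkey between the checks; shown as comments).
demo() {
    repo=$(mktemp -d)
    : > "$repo/lv_data.skey"; : > "$repo/lv_home.skey"   # constructed keys
    # 1. "zkey kms reencipher --to-new --staged" would create .renc files;
    #    simulate it for one key only, so the check reports the other one.
    : > "$repo/lv_data.renc"
    echo "not yet staged: $(unstaged_keys "$repo" | tr '\n' ' ')"
    # 2. Stage the remaining key, then set the NEW master key as CURRENT.
    : > "$repo/lv_home.renc"
    echo "awaiting --complete: $(pending_completion "$repo" | wc -l) key(s)"
    # 3. "zkey kms reencipher --complete" copies each .renc over its .skey.
    for renc in "$repo"/*.renc; do mv "$renc" "${renc%.renc}.skey"; done
    echo "awaiting --complete: $(pending_completion "$repo" | wc -l) key(s)"
    rm -rf "$repo"
}
demo
```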