Note: You can re-encipher a secure key that is currently enciphered under the master key in the CURRENT register of the CCA or EP11 coprocessor to the master key in the NEW register, as long as the new master key has not been activated (set). For this purpose, use option --to-new with the zkey utility.

For CCA secure keys only, you can also re-encipher a secure key that is currently enciphered under the master key in the OLD register of the cryptographic adapter to the master key in the CURRENT register. For this purpose, use option --from-old with the zkey utility. A cryptographic coprocessor configured in EP11 mode does not have an OLD register, so the --from-old option is not available.

If both options --from-old and --to-new are specified, a secure key that is currently enciphered with the master key in the OLD register is re-enciphered with the master key in the NEW register.

Finally, you can use the auto-detection function of zkey. The utility detects whether the secure key is enciphered with a master key from the OLD or from the CURRENT register and re-enciphers the secure key with the appropriate new master key as described.

For more information, also refer to the zkey man page.

Examples:
zkey reencipher securekey.bin --from-old [--output securekey2.bin]
zkey reencipher securekey.bin --to-new [--output securekey2.bin]
zkey reencipher securekey.bin [--output securekey2.bin]