Note:
You can re-encipher a secure key that is currently enciphered under the master key in the CURRENT register of the CCA or EP11 coprocessor to the master key in the NEW register, as long as the new master key has not been activated (set). For this purpose, use option --to-new with the zkey utility.

You can also re-encipher a secure AES DATA or AES CIPHER key that is currently enciphered under the master key in the OLD register of the cryptographic adapter to the master key in the CURRENT register. For this purpose, use option --from-old with the zkey utility. This option is not available for EP11 AES keys, as cryptographic coprocessors in EP11 mode do not have an OLD register.

If both options --from-old and --to-new are specified, a secure key that is currently enciphered with the master key in the OLD register is re-enciphered with the master key in the NEW register.

Finally, you can use the auto-detection function of zkey. The utility detects whether the secure key is enciphered with a master key from the OLD or from the CURRENT register and re-enciphers the secure key with the appropriate new master key as described.
Re-enciphering a secure key contained in the secure key repository can be performed in-place or in staged mode. Staged mode means that the re-enciphered secure key is stored in a separate file in the secure key repository, so the current secure key is still valid at this point. Once the new CCA or EP11 master key has been set (made active), you need to rerun the reencipher command with option --complete to complete the staged re-enciphering. Re-enciphering from CURRENT to NEW is performed in staged mode by default. You can use option --staged to force a staged re-enciphering for the OLD to CURRENT case.
Examples:
zkey reencipher --apqns <apqn1,apqn2,...> --from-old --staged
zkey reencipher --apqns <apqn1,apqn2,...> --to-new --staged
zkey reencipher --apqns <apqn1,apqn2,...> --staged
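The following POSIX shell script is an added example (not part of the zkey documentation or the zkey project) that ties the option combinations and the staged workflow above into one rollover helper. It uses only the options described above (--apqns, --from-old, --to-new, --staged, --complete). The APQN value 03.0012 in the comments is a constructed sample, and the ZKEY variable is an assumption of this script so that the commands can be previewed with ZKEY=echo on a machine without a crypto adapter.

```shell
#!/bin/sh
# Added example: helper for a staged master-key rollover of a zkey secure key
# repository. Not part of zkey; it only assembles and runs zkey reencipher calls.
# ZKEY may be overridden (e.g. ZKEY=echo) to print the commands instead of
# running them. Sample APQN list used in comments: 03.0012,04.0012 (constructed).
ZKEY="${ZKEY:-zkey}"

# Print the zkey reencipher command line for one transition.
#   $1 transition: from-old | to-new | both | auto
#                  (auto lets zkey detect OLD vs CURRENT; both = OLD -> NEW)
#   $2 mode:       staged | default
#                  (default means no --staged: CURRENT -> NEW is staged anyway,
#                   OLD -> CURRENT runs in place)
#   $3 apqns:      comma-separated APQN list, e.g. 03.0012,04.0012
reencipher_cmd() {
    transition="$1"; mode="$2"; apqns="$3"
    cmd="$ZKEY reencipher --apqns $apqns"
    case "$transition" in
        from-old) cmd="$cmd --from-old" ;;
        to-new)   cmd="$cmd --to-new" ;;
        both)     cmd="$cmd --from-old --to-new" ;;
        auto)     ;;
        *) echo "unknown transition: $transition" >&2; return 1 ;;
    esac
    case "$mode" in
        staged)  cmd="$cmd --staged" ;;
        default) ;;
        *) echo "unknown mode: $mode" >&2; return 1 ;;
    esac
    printf '%s\n' "$cmd"
}

# Print the command that finishes a staged re-enciphering. Run it only after
# the NEW master key has been set (activated) on every listed APQN.
complete_cmd() {
    printf '%s\n' "$ZKEY reencipher --apqns $1 --complete"
}

# Step 1 of a CURRENT -> NEW rollover: re-encipher into a separate staged file
# while the current secure keys stay valid.
staged_rollover_prepare() {
    cmd="$(reencipher_cmd to-new staged "$1")" || return 1
    eval "$cmd" || return 1
    echo "Staged copies written. Set (activate) the NEW master key on $1," >&2
    echo "then run: staged_rollover_complete $1" >&2
}

# Step 2: promote the staged copies once the new master key is active.
staged_rollover_complete() {
    cmd="$(complete_cmd "$1")"
    eval "$cmd"
}
```

Usage: source the file and call `staged_rollover_prepare 03.0012,04.0012` before the NEW master key is activated, then `staged_rollover_complete 03.0012,04.0012` afterwards; prefixing either call with `ZKEY=echo` shows the exact zkey invocation without touching the repository.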