Replacing a cryptographic coprocessor

You might want to replace a cryptographic coprocessor that is in use for volume encryption for one of these reasons: you want to upgrade to a new model, you want to switch from a CCA coprocessor to an EP11 coprocessor, or you need to replace the old coprocessor because of a defect. The described scenarios include the case where you want to continue to use the old master key on the new coprocessor, as well as the cases where you want to use a different master key, with or without the clear key being available.

Replacing a CCA coprocessor with an EP11 coprocessor is equivalent to changing an encrypted volume from being encrypted with a CCA secure key (AES CIPHER or CCA-AESDATA) to being encrypted with an EP11 AES secure key (EP11-AES). Therefore, the required steps are similar to those for Replacing with a different master key, with the appropriate differences.

One scenario is not described here explicitly: you first set the new master key on both the old and the new cryptographic coprocessor, then re-encipher the volume using the old coprocessor with the new master key, and then replace the old cryptographic coprocessor with the new one. This scenario is very similar to the use cases described in Changing master keys and re-enciphering secure keys.