Changing AES secure keys

Use the zkey change command to change the description, the associated volumes, the associated cryptographic coprocessors (APQNs), the sector size, and the volume type of a secure key contained in the secure key repository.

Specify the name of the key that is to be changed using the --name option. You cannot use wildcards.

You can set, replace, add, or remove volume and cryptographic coprocessor (APQN) associations. To set or replace an association, specify the association with the --volumes or the --apqns option. To add an association, specify the new association prefixed with a + sign with the --volumes or the --apqns option. To remove an association, specify the association to remove prefixed with a - sign with the --volumes or the --apqns option. You cannot mix + and - in one specification. A single command can either set, add, or remove associations.

Note: The secure key itself cannot be changed, only information about the secure key is changed. To rename a secure key, use the rename command. To re-encipher a secure key with a new CCA or EP11 master key, use the reencipher command.

Example:

# zkey change --name secure_xtskey1 --volumes +/dev/mapper/disk2:enc-disk2
# zkey change --name secure_xtskey1 --apqns -04.0039
# zkey change --name secure_xtskey1 --volume-type plain
# zkey change --name secure_xtskey1 --sector-size 4096

Note: Linux™ allows hot-plugging of cryptographic coprocessors (APQNs). You might need to update the APQN associations when an APQN has been added to or removed from the Linux instance.
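
The following pre-flight check for the set, add, and remove rules described above is an added example, not part of the original documentation or of the zkey tool. The function names are hypothetical, and the script assumes comma-separated entries with a single leading + or - for the whole list, and * and ? as the wildcard characters to refuse in key names. It prints the zkey command instead of running it.

```shell
# Added example: pre-flight check for the association argument of
# `zkey change --volumes` / `--apqns`. Helper names are hypothetical.

# Classify an association specification as set, add or remove.
# Assumption: entries are comma-separated and one leading + or - applies
# to the whole list, so a + or - at the start of a later entry is a mix.
assoc_mode() {
    spec=$1
    [ -n "$spec" ] || { echo "empty specification" >&2; return 1; }
    case $spec in
        +*) mode=add;    rest=${spec#+} ;;
        -*) mode=remove; rest=${spec#-} ;;
        *)  mode=set;    rest=$spec ;;
    esac
    [ -n "$rest" ] || { echo "no association after prefix" >&2; return 1; }
    case $rest in
        +*|-*|*,+*|*,-*)
            echo "mixed or repeated +/- in '$spec'" >&2; return 1 ;;
        *,|,*|*,,*)
            echo "empty entry in '$spec'" >&2; return 1 ;;
    esac
    echo "$mode"
}

# Key names must be literal: reject wildcard characters.
# Assumption: * and ? are the wildcard characters to refuse.
key_name_ok() {
    case $1 in
        ''|*[*?]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Print the zkey command that would be run, or fail without printing it.
plan_change() {
    name=$1 opt=$2 spec=$3
    key_name_ok "$name" || { echo "invalid key name" >&2; return 1; }
    case $opt in --volumes|--apqns) ;; *) echo "bad option" >&2; return 1 ;; esac
    mode=$(assoc_mode "$spec") || return 1
    echo "$mode: zkey change --name $name $opt $spec"
}

# Demo with the first command from the Example section.
plan_change secure_xtskey1 --volumes +/dev/mapper/disk2:enc-disk2
```

Reviewing the printed mode (set, add, or remove) before running the command helps avoid replacing all associations when the intent was to add or remove one.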