Importing AES secure keys into the secure key repository

Use the zkey import command to import an existing secure key contained in a file into the secure key repository.

When importing a secure key into the key repository, you can associate additional information with the secure key by using the --description, --volumes, --apqns, or --sector-size options.

Example:

# zkey import seckey.bin --name imported_seckey
# zkey import seckey.bin --name imported_seckey \
--description "This is an imported secure key" \
--volumes /dev/mapper/disk1:enc-disk1 --volume-type LUKS2 \
--apqns 03.0039,04.0039
 

To import a secure LUKS2 volume key from a volume encrypted with that secure key, you need to first export the volume key into a binary file and then import it into the secure key repository and associate the volume with it.

Example:

# cryptsetup luksDump /dev/mapper/disk<n> --dump-master-key \
  --master-key-file seckey.bin

WARNING!
========
Header dump with volume key is sensitive information
which allows access to encrypted partition without passphrase.
This dump should be always stored encrypted on safe place.

Are you sure? (Type uppercase yes): YES
Enter passphrase for /dev/mapper/disk<n>: disk<n>pw

# zkey import seckey.bin --name imported_key_of_disk<n> \
--volumes /dev/mapper/disk<n>:enc-disk<n>
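
The export-then-import procedure above as one shell function. This is an added example, not part of the original documentation; `import_volume_key` and its argument names are hypothetical. It keeps the exported key file in a private temporary directory and removes it whether or not the import succeeds.

```shell
#!/bin/sh
# Added example (not from the original documentation).
# import_volume_key DEVICE DM_NAME KEY_NAME   <- hypothetical helper name
#   DEVICE    LUKS2 volume encrypted with the secure key
#   DM_NAME   device-mapper name to associate with the volume
#   KEY_NAME  name for the key in the secure key repository
import_volume_key() {
    dev=$1
    dmname=$2
    keyname=$3
    if [ -z "$dev" ] || [ -z "$dmname" ] || [ -z "$keyname" ]; then
        echo "usage: import_volume_key DEVICE DM_NAME KEY_NAME" >&2
        return 2
    fi

    # Private working directory, so the exported volume key is never
    # readable by other users while it sits on disk.
    workdir=$(umask 077; mktemp -d) || return 1
    keyfile=$workdir/seckey.bin   # does not exist yet; cryptsetup creates it
    rc=0

    # Step 1: export the volume key. cryptsetup asks for confirmation
    # and for the volume passphrase on the terminal.
    cryptsetup luksDump "$dev" --dump-master-key \
        --master-key-file "$keyfile" || rc=$?

    # Step 2: import the key and associate the volume with it.
    if [ "$rc" -eq 0 ]; then
        zkey import "$keyfile" --name "$keyname" \
            --volumes "$dev:$dmname" || rc=$?
    fi

    # Always remove the exported key file, including after a failed import.
    if [ -f "$keyfile" ]; then
        shred -f -u "$keyfile" 2>/dev/null || rm -f "$keyfile"
    fi
    rmdir "$workdir" 2>/dev/null || true
    return "$rc"
}

# Usage (run as root on the system that holds the volume):
#   import_volume_key /dev/mapper/disk1 enc-disk1 imported_key_of_disk1
```

The function returns the exit status of the first step that failed, so a caller can tell whether the key reached the repository.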
 
Notes:
  • The zkey import command can also import AES CIPHER keys and EP11 secure keys. When importing an AES CIPHER key, additional checks are performed on this key, such as a check of the history section of the secure key. If a potentially insecure setting is detected, you are prompted to confirm the import. Imported AES CIPHER keys are restricted from being exported in any way, regardless of the export settings of the imported keys. The only export that remains allowed is the export to CPACF protected keys, so that these keys can be used with the PAES cipher.
  • The zkey import command requires the CCA host library (libcsulcca.so) to be installed when secure keys of type CCA-AESCIPHER are imported. For the supported environments and downloads, see:
    http://www.ibm.com/security/cryptocards