Validating a secure key from the secure key repository
Using the zkey validate command, you can obtain validation information about a secure key stored in the secure key repository.
The zkey validate command checks whether the specified secure key is valid. It also displays further attributes of the secure key, such as the key size, the key type, whether the key can be used for the XTS cipher mode, the master key register (CURRENT or OLD) that holds the master key with which the secure key is enciphered, and that master key's verification pattern (MKVP). EP11 MKVPs are 16 bytes long; CCA MKVPs are 8 bytes long.
Example command with output for a valid secure key:
# zkey validate --name secure_xtskey1
Key                  : secure_xtskey1
--------------------------------------------------------------------------
Status               : Valid
Description          :
Secure key size      : 272 bytes
Clear key size       : 512 bits
XTS type key         : Yes
Key type             : CCA-AESCIPHER
Enciphered with      : CURRENT master key (MKVP: 26d69731a66f4255)
Volumes              : /dev/mapper/disk1:enc-disk1
APQNs                : 03.0039
                       04.0039
Key file name        : /etc/zkey/repository/secure_xtskey1.skey
Sector size          : (system default)
Volume type          : LUKS2
Verification pattern : 303344b12b8258840fa11852a4ecc6d5
                       84c7a867f893a5dcc0d499557c45bee6
KMS                  : (local)
KMS key label        : (local)
Dummy passphrase     : (none)
Created              : 2020-07-23 15:27:20
Changed              : (never)
Re-enciphered        : (never)
1 keys are valid, 0 keys are invalid, 0 warnings
The displayed verification pattern can be used to identify the effective key contained in this secure key. Any secure key with the same verification pattern contains the same effective key.
If the secure key is not valid because the master key with which it was wrapped is no longer available, the zkey utility shows output similar to that for a valid secure key, but with Status: Invalid, and some of the other properties are shown as (unknown).
During validation of a secure key, the zkey tool checks whether the master key is the same on all of the APQNs associated with that secure key. If no APQNs are associated with the secure key, all APQNs available on the system are checked instead.
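The following POSIX shell script is an added example and is not part of the zkey documentation or of the s390-tools project. It parses the output of zkey validate as documented above and classifies each key as OK (valid, enciphered with the CURRENT master key), REENCIPHER (valid but still enciphered with the OLD master key, so it will become invalid once that register is cleared), or INVALID. The sample output is constructed from the documented field layout rather than captured from a real system; the wording "OLD master key (MKVP: ...)" for the OLD register and the MKVP values for the second and third keys are assumptions, and the function only relies on the Key, Status, Enciphered with and Re-enciphered labels.

```shell
#!/bin/sh
# Added example, not zkey or s390-tools code. Reads `zkey validate` output on
# stdin and prints "<key name> <verdict>" per key, where the verdict is
# OK, REENCIPHER, INVALID or UNKNOWN.
classify_zkey_output() {
    awk '
        # Strip the "Label : " prefix and return the field value.
        function value(line) { sub(/^[^:]*: */, "", line); return line }

        /^Key +:/             { name   = value($0) }   # "Key type"/"Key file name" do not match
        /^Status +:/          { status = value($0) }
        /^Enciphered with +:/ { enc    = value($0) }   # "Re-enciphered" does not match
        /^Re-enciphered +:/   {                        # last field of each key record
            if (status != "Valid")      verdict = "INVALID"
            else if (enc ~ /^CURRENT /) verdict = "OK"
            else if (enc ~ /^OLD /)     verdict = "REENCIPHER"
            else                        verdict = "UNKNOWN"
            print name, verdict
            name = ""; status = ""; enc = ""
        }
    '
}

# Constructed sample output modelled on the documented format (not captured
# from a real system). The MKVP of secure_xtskey1 is the one shown in the
# documentation; the other MKVPs and the OLD-register wording are assumed.
SAMPLE_OUTPUT='Key                  : secure_xtskey1
--------------------------------------------------------------------------
Status               : Valid
Key type             : CCA-AESCIPHER
Enciphered with      : CURRENT master key (MKVP: 26d69731a66f4255)
Volumes              : /dev/mapper/disk1:enc-disk1
APQNs                : 03.0039
                       04.0039
Re-enciphered        : (never)

Key                  : secure_xtskey2
--------------------------------------------------------------------------
Status               : Valid
Key type             : CCA-AESCIPHER
Enciphered with      : OLD master key (MKVP: 0000000000000001)
Re-enciphered        : (never)

Key                  : secure_xtskey3
--------------------------------------------------------------------------
Status               : Invalid
Key type             : CCA-AESCIPHER
Enciphered with      : (unknown)
Re-enciphered        : (never)
2 keys are valid, 1 keys are invalid, 0 warnings'

# Count keys with a given verdict in classification output read from stdin.
count_verdict() {
    awk -v want="$1" '$2 == want { n++ } END { print n + 0 }'
}

# Stand-alone demonstration on the constructed sample.
printf '%s\n' "$SAMPLE_OUTPUT" | classify_zkey_output
```

On a real system the classification runs over the live repository with `zkey validate | classify_zkey_output`; keys reported as REENCIPHER are the ones to re-encipher before the OLD master key register is cleared, and INVALID keys can no longer be used to open their volumes.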
For more information, also refer to Generating AES secure keys and to the zkey man page.