Generating the master key

Use the keygen program to generate master keys.

To generate the master key, run the following command from the console:

keygen master <masterkeypath> <tripletkeypath> <master_key_id>
  • masterkeypath is the location on your portable memory device where you want to store the master key.
  • tripletkeypath is the location on your portable memory device where you want to store the triplet keys. The triplet keys are later physically distributed to the IBM® Safer Payments instances.
  • master_key_id is the numeric ID for the newly generated master key. Every master key that is used by your IBM Safer Payments installation must have its own unique ID.

The key generator guides you through the process of generating a master key. You need two master key holders for this process, and the masterkeypath and tripletkeypath subdirectories must already exist.

The master key is stored as masterkeypath/master_key_private_<master_key_id>.iris and is created together with tripletkeypath/revoked_keys.iris.

The file revoked_keys.iris is used during the operation of IBM Safer Payments to store a no-fly list of keys that IBM Safer Payments must never use. So that the authenticity of the revoked_keys.iris file can be verified, it must be generated together with the initial master key.
Note: The file revoked_keys.iris is distributed with the initial key distribution to the IBM Safer Payments instances. The file master_key_private_<master_key_id>.iris must never be distributed to IBM Safer Payments instances, or anywhere outside the portable memory device location. Never replace an existing revoked_keys.iris file in the key folder of your configuration. If you change to a usage key from another master key by using the user interface, revoked_keys.iris is re-encrypted as well.
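The following POSIX shell wrapper is an added example, not part of IBM Safer Payments or its keygen tool. It checks the preconditions stated above (both subdirectories exist, the ID is numeric and not already used, and an existing revoked_keys.iris is not overwritten) before invoking the documented command; a keygen binary on PATH and the DRY_RUN variable are assumptions of this example.

```shell
#!/bin/sh
# Pre-flight checks for "keygen master" (added example, not IBM's tooling).
# Assumes the keygen binary is on PATH; set DRY_RUN=1 to run only the checks.

# check_keygen_args <masterkeypath> <tripletkeypath> <master_key_id>
# Returns 0 when the documented preconditions hold, 1 otherwise.
check_keygen_args() {
    masterkeypath=$1
    tripletkeypath=$2
    master_key_id=$3

    # Both subdirectories on the portable memory device must already exist.
    [ -d "$masterkeypath" ] || { echo "missing directory: $masterkeypath" >&2; return 1; }
    [ -d "$tripletkeypath" ] || { echo "missing directory: $tripletkeypath" >&2; return 1; }

    # The master key ID must be numeric.
    case $master_key_id in
        ''|*[!0-9]*) echo "master_key_id must be numeric" >&2; return 1 ;;
    esac

    # Every master key needs a unique ID: never overwrite an existing key file.
    if [ -e "$masterkeypath/master_key_private_$master_key_id.iris" ]; then
        echo "master key ID $master_key_id is already in use" >&2; return 1
    fi

    # revoked_keys.iris is created with the initial master key and must not be
    # replaced; this example conservatively refuses if one is already present.
    if [ -e "$tripletkeypath/revoked_keys.iris" ]; then
        echo "refusing to overwrite existing revoked_keys.iris" >&2; return 1
    fi
    return 0
}

# run_keygen_master wraps the checks around the documented command.
run_keygen_master() {
    check_keygen_args "$1" "$2" "$3" || return 1
    [ "${DRY_RUN:-0}" = 1 ] && return 0
    keygen master "$1" "$2" "$3"
}
```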

After the two master key holders have activated the master key that you generated, you can generate any number of usage keys.

You can now proceed directly to Generating usage key triplets, or shut down the PC and store the portable memory device in a safe place until you need to generate usage keys.