Usage domain zeroize

You can clear (zeroize) the cryptographic keys held in an available usage domain when you remove a crypto using the Change LPAR Cryptographic Controls task. You can also zeroize the cryptographic keys of a usage domain at any time using the Cryptographic Configuration task.

Removing a crypto from a logical partition without zeroizing its keys can make those cryptographic keys available to another logical partition (LP) if the crypto and its usage domains are later reassigned to that partition. This can occur when:
  • Removing the crypto from the candidate list in the activation profile, then reassigning the crypto to another active partition.
  • Moving a crypto using the Change LPAR Cryptographic Controls task.
The Usage Domain Zeroize function in the Cryptographic Configuration task lets you clear the cryptographic keys whenever you choose, not only when the cryptographic settings are modified using the Change LPAR Cryptographic Controls task.

It is recommended, but not required, that the usage domain zeroize be performed with the crypto offline. When the usage domain zeroize is performed with the crypto offline, the zeroize of the selected usage domain index(es) is deferred until the selected crypto is configured online using the Configure On/Off task.

On the Cryptographic Configuration window, select the crypto and click Domain Management. The Usage Domain Zeroize window is displayed:

Figure 1. Usage domain zeroize window

On the Usage Domain Zeroize window, select the usage domain index(es) holding the cryptographic keys you want to zeroize, then click Zeroize. The zeroize of the selected usage domain index(es) is deferred until the selected cryptographic number is configured online (Configure On). When the selected cryptographic number is configured online, the selected usage domain indexes are cleared of cryptographic keys.