Key forms
A key that is protected under the master key is in operational form, which means ICSF can use it in cryptographic functions on the system.
When you store a key with a file or send it to another system, the key is enciphered under a transport key rather than the master key because, for security reasons, the key should no longer be active on the system. When ICSF enciphers a key under a transport key, the key is not in operational form and cannot be used to perform cryptographic functions.
When a key is enciphered under a transport key, the sending system considers the key in exportable form. The receiving system considers the key in importable form. When a key is reenciphered from under a transport key to under a system's master key, it is in operational form again.
- Operational key form is used at the local system. Many callable services can use an operational key form. The Key Token Build, Key Token Build2, Key Generate, Key Generate2, Key Import, Data Key Import, Clear Key Import, Multiple Clear Key Import, Secure Key Import, Secure Key Import2, Multiple Secure Key Import, Symmetric Key Import, Symmetric Key Import2, and TR-31 Import callable services can create an operational key form.
- Exportable key form is transported to another cryptographic system. It can only be passed to another system. The ICSF callable services cannot use it for cryptographic functions. The Key Generate, Key Generate2, Data Key Export, and Symmetric Key Export callable services produce the exportable key form.
- Importable key form can be transformed into operational form on the local system. Key Import, Data Key Import, and Symmetric Key Import2 callable services can use an importable key form. Only the Key Generate callable service can create an importable key form. The Secure Key Import, Multiple Secure Key Import, and Secure Key Import2 callable services can convert a clear key into an importable key form.
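The following added example models the transitions between the three key forms described above. It is not ICSF code and does not call any ICSF callable service: the System class, its methods, and the wrap/unwrap helpers are hypothetical, the wrap is a standard-library stand-in rather than the algorithm ICSF uses, and all key values are constructed 32-byte samples.

```python
import hashlib, hmac, os

# Stand-in key wrap built from the standard library (an assumption, not ICSF's
# algorithm): XOR with a SHA-256 pad, plus an HMAC tag so that unwrapping under
# the wrong key-encrypting key fails. Keys are fixed at 32 bytes.
def wrap(kek: bytes, key: bytes) -> bytes:
    nonce = os.urandom(16)
    pad = hashlib.sha256(b"enc" + kek + nonce).digest()
    body = bytes(a ^ b for a, b in zip(key, pad))
    return nonce + body + hmac.new(kek, nonce + body, hashlib.sha256).digest()

def unwrap(kek: bytes, blob: bytes) -> bytes:
    nonce, body, tag = blob[:16], blob[16:48], blob[48:]
    expected = hmac.new(kek, nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("key is not enciphered under this key-encrypting key")
    pad = hashlib.sha256(b"enc" + kek + nonce).digest()
    return bytes(a ^ b for a, b in zip(body, pad))

class System:
    # Hypothetical model of one system; its master key never leaves it.
    def __init__(self):
        self._master = os.urandom(32)
    def to_operational(self, clear_key: bytes) -> bytes:
        return wrap(self._master, clear_key)          # enciphered under master key
    def export_key(self, operational: bytes, transport_op: bytes) -> bytes:
        transport = unwrap(self._master, transport_op)
        return wrap(transport, unwrap(self._master, operational))  # exportable form
    def import_key(self, importable: bytes, transport_op: bytes) -> bytes:
        transport = unwrap(self._master, transport_op)
        return wrap(self._master, unwrap(transport, importable))   # operational again
    def mac(self, operational: bytes, data: bytes) -> bytes:
        # Stands in for any cryptographic function: it needs operational form.
        key = unwrap(self._master, operational)
        return hmac.new(key, data, hashlib.sha256).digest()

def demo():
    a, b = System(), System()
    shared = os.urandom(32)                   # constructed transport key value
    t_a, t_b = a.to_operational(shared), b.to_operational(shared)
    key_a = a.to_operational(os.urandom(32))  # operational on system A
    in_transit = a.export_key(key_a, t_a)     # exportable for A, importable for B
    try:
        b.mac(in_transit, b"msg"); usable_in_transit = True
    except ValueError:
        usable_in_transit = False
    key_b = b.import_key(in_transit, t_b)     # operational on system B
    same_key = a.mac(key_a, b"msg") == b.mac(key_b, b"msg")
    return usable_in_transit, same_key, key_a != key_b
```

demo() returns (False, True, True): the key under the transport key cannot be used for a cryptographic function, the same key value becomes usable on the receiving system after it is reenciphered, and the two operational forms differ because each is enciphered under a different master key.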
For more information about the key types, see either Functions of symmetric cryptographic keys or the z/OS Cryptographic Services ICSF Administrator's Guide. See Key forms and types used in the Key Generate callable service for more information about key form.