This topic gives you an overview of key entry and the methods of
key entry.
Master keys are used to protect sensitive cryptographic keys that
are active on your system. The number and types of master keys you
need to enter depends on your hardware configuration and application
requirements:
- The DES master key (DES-MK) protects DES keys.
- The RSA master key (RSA-MK) protects RSA keys.
- The AES master key (AES-MK) protects AES keys and HMAC keys.
- The ECC master key (ECC-MK) protects ECC and RSA keys.
The first time you start ICSF on your system, you may enter master
keys and initialize the CKDS and PKDS. You can then generate and enter
the keys you use to perform cryptographic functions. The master keys
you enter protect sensitive keys stored in the CKDS and PKDS.
If you have no coprocessor, you can initialize the CKDS for use
with clear AES and DES data keys. This CKDS cannot be used on a system
with cryptographic coprocessors.
Because master key protection is essential to the security of the
other keys, ICSF stores the master keys within the secure hardware
of the cryptographic coprocessors. This nonvolatile key storage area
is unaffected by system power outages because it is protected by a
battery power unit. The values of the master keys never appear in
the clear outside the cryptographic coprocessors.
Managing master keys involves these tasks:
- Entering the master keys the first time you start ICSF.
- Reentering the master keys if they are cleared.
- Changing master keys periodically.