ICSF uses master keys to protect other keys. Keys are active on
a system only when they are encrypted under a master key variant,
so the master key protects all keys that are used on the system. A
key is in operational form when it has been encrypted under a master
key variant. A key must be in operational form
to be used with the cryptographic features.
The ICSF administrator initializes and changes master keys using
the ICSF panels or TKE workstation. Master keys always remain in a
secure area in the cryptographic hardware.
Master keys require cryptographic coprocessors.
PKCS #11 or CCA coprocessors must be installed for operations using
encrypted keys.
- DES Master Key
  The DES (DES-MK) master key is a 16-byte (128-bit) key that is
  used to protect symmetric DES/TDES keys used on all CCA coprocessors.
  The DES master key can be a 128-bit or 192-bit key on the
  zBC12, zEC12, and later systems with CEX3C or later coprocessors with
  the September 2012 or later licensed internal code.
- AES Master Key
  The AES (AES-MK) master key is a 32-byte (256-bit) key that is
  used to protect AES keys and HMAC keys on all CCA coprocessors. It is
  available on the z9 EC, z9 BC, and later servers
  with CEX2 or later coprocessors with the Nov. 2008 or later licensed
  internal code.
- RSA Master Key
  The RSA (RSA-MK) master key is a 24-byte (192-bit) key that is
  used to protect RSA private keys on all CCA coprocessors.
- ECC Master Key
  The ECC (ECC-MK) master key is a 32-byte (256-bit) key that is
  used to protect ECC keys and some RSA keys on CCA coprocessors. It is
  available on the z196, z114, and later systems
  with CEX3C or later coprocessors with the Sept. 2010 or later licensed
  internal code.
- PKCS #11 Master Key
  The PKCS #11 (P11-MK) master key is a 32-byte (256-bit) key that
  is used to protect secure PKCS #11 operational keys used on the Enterprise
  PKCS #11 coprocessor. It is available on the zEC12,
  zBC12, and later systems with CEX4P or later PKCS #11 coprocessors.
  For more information on PKCS #11 operational keys, see z/OS Cryptographic
  Services ICSF Writing PKCS #11 Applications.