Using public key cryptography to import symmetric keys
If you want to use a symmetric key to exchange encrypted data with a remote partner, you must share that key with the partner while keeping it hidden from any third party. The tpf_secure_key_import function lets you securely import a wrapped (encrypted) symmetric key from a remote key manager by using public key cryptography. The symmetric key is unwrapped with the private key of the public key pair whose name is specified as input on tpf_secure_key_import, and the unwrapped key is placed in the symmetric keystore.
Follow this procedure to use the tpf_secure_key_import function to import a symmetric key to your z/TPF system:
- Use the ZPUBK GENERATE command to create a public key pair.
- Send the public key of this key pair to the enterprise key manager by doing one of the following:
  - Use the ZPUBK REQCERT command to create a certificate on the z/TPF file system that contains the public key, and send the certificate to the enterprise key manager. The certificate must be signed by a certificate authority (CA) that is trusted by the enterprise key manager.
  - Use the ZPUBK EXTRACT command to extract the public key directly to the z/TPF file system, and send the public key file to the enterprise key manager.
- The enterprise key manager wraps (encrypts) the symmetric key by using the public key that you provided and a padding method that z/TPF supports.
- The enterprise key manager sends the wrapped symmetric key to the z/TPF system.
- A z/TPF application issues tpf_secure_key_import with the appropriate parameters to import the symmetric key into the symmetric keystore. After you activate the key with ZPUBK ACTIVATE, applications can use it to encrypt or decrypt data with the tpf_encrypt_data and tpf_decrypt_data functions.
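The exchange in the steps above, as an added example in Go that is not z/TPF code and does not show the real tpf_secure_key_import signature: the key manager wraps a symmetric key with the public key it received, and the importing side unwraps it with the private half of the named key pair and stores it. The keystore and key pair maps, the key names, and the choice of RSA-OAEP with SHA-256 as the padding method are assumptions made for the example.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Keystore stands in for the z/TPF symmetric keystore: key name -> raw key bytes.
type Keystore map[string][]byte

// keyManagerWrap is the enterprise key manager side of the exchange. It holds only
// the public key received from z/TPF and wraps the symmetric key with RSA-OAEP
// (SHA-256), a padding method assumed for this example.
func keyManagerWrap(pub *rsa.PublicKey, symKey []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, symKey, nil)
}

// secureKeyImport stands in for tpf_secure_key_import: the wrapped key is unwrapped
// with the private half of the key pair identified by pairName and stored in the
// keystore under keyName. The padding and hash must match the wrapping side, and
// only the holder of the private key can unwrap, so a wrong pair fails cleanly.
func secureKeyImport(ks Keystore, pairs map[string]*rsa.PrivateKey, pairName, keyName string, wrapped []byte) error {
	priv, ok := pairs[pairName]
	if !ok {
		return fmt.Errorf("key pair %q not found", pairName)
	}
	symKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, wrapped, nil)
	if err != nil {
		return fmt.Errorf("unwrap of %q with pair %q failed: %w", keyName, pairName, err)
	}
	if n := len(symKey); n != 16 && n != 24 && n != 32 {
		return fmt.Errorf("unwrapped key %q has invalid AES length %d", keyName, n)
	}
	ks[keyName] = symKey
	return nil
}

func main() {
	// Step 1 (ZPUBK GENERATE): the importing side creates the pair and keeps the private half.
	pair, _ := rsa.GenerateKey(rand.Reader, 2048)
	pairs := map[string]*rsa.PrivateKey{"TPFPAIR": pair}
	// Steps 2-4: only the public key travels to the key manager, which wraps a
	// symmetric key (constructed random sample) and returns the wrapped bytes.
	symKey := make([]byte, 32)
	rand.Read(symKey)
	wrapped, _ := keyManagerWrap(&pair.PublicKey, symKey)
	// Step 5: the application imports the wrapped key into the keystore.
	ks := Keystore{}
	err := secureKeyImport(ks, pairs, "TPFPAIR", "PARTNERKEY", wrapped)
	fmt.Println("import error:", err, "| key stored:", ks["PARTNERKEY"] != nil)
}
```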