HMC Manual Reference Pages - CHTSKEY (1)

NAME

chtskey - change trusted system key

CONTENTS

Synopsis
Description
Options
Examples
Environment
Bugs
Author
See Also

SYNOPSIS

chtskey -m managed-system -o {change | restore}
--newkey file [--oldkey file] [--force] [--help]

DESCRIPTION

chtskey changes the trusted system key for the managed-system. The trusted system key is used for virtual Trusted Platform Module (vTPM) data encryption.

If the trusted system key for a managed system is not set, the managed system automatically generates the default trusted system key when the first partition that uses vTPM is activated.

OPTIONS

-m The name of the managed system for which to set the trusted system key. The name may either be the user-defined name for the managed system, or be in the form tttt-mmm*sssssss, where tttt is the machine type, mmm is the model, and sssssss is the serial number of the managed system. The tttt-mmm*sssssss form must be used if there are multiple managed systems with the same user-defined name.
-o The operation to perform. Valid values are change to set the trusted system key and re-encrypt vTPM data, and restore to set the trusted system key without re-encrypting vTPM data.

The restore operation is only allowed when all of the partitions that are using vTPM are shut down.

Re-encryption of vTPM data may take a long time to complete.

--newkey The name of the binary file that contains the new key.

If the file is on removable media, the media must be present in the removable media device and the device must be mounted with the mount command before this command is issued. The lsmediadev command can be used to display all of the removable media devices on the HMC.

--oldkey The name of the binary file that contains the current key. This option is not required the first time a user sets the trusted system key for the managed-system. After the first time, this option is required.

If the file is on removable media, the media must be present in the removable media device and the device must be mounted with the mount command before this command is issued. The lsmediadev command can be used to display all of the removable media devices on the HMC.

--force Specify this option to force the trusted system key to be changed when vTPM data is still being re-encrypted due to a previous trusted system key change operation. vTPM data loss may occur.
--help Display the help text for this command and exit.

EXAMPLES

Set the trusted system key for the first time. The key file exists in the user’s home directory on the HMC:

chtskey -m sys1 -o change --newkey keyfile

Set the trusted system key after it has been set at least once. The key files are on a USB flash memory device which is connected to the HMC:

lsmediadev (to obtain mount points)

mount /media/sdb1

chtskey -m 8233-E8B*1000ABC -o change --newkey /media/sdb1/newkeyfile --oldkey /media/sdb1/oldkeyfile

ENVIRONMENT

None

BUGS

None

AUTHOR

IBM Austin

SEE ALSO

lstskey


Linux CHTSKEY (1) October 2011