z/OS DFSMS Software Support for IBM System Storage TS1140, TS1130, and TS1120 Tape Drives (3592)


Key store for TS1120

SC23-6854-00

A key store is where the keys that encrypt and decrypt the data key are securely kept, so that they are available when data needs to be encrypted or decrypted. The Encryption Key Manager (EKM) uses Java APIs to retrieve and store the key information, and it allows the use of hardware-based or software-based key stores that are JCE compliant.

In this first release of the Encryption Key Manager, these key stores are supported under z/OS: JCEKS, JCERACFKS, JCE4758KS (JCECCAKS), and JCE4758RACFKS (JCECCARACFKS). The first two key stores are software based and the last two are hardware based. The hardware-based key stores under z/OS are tied to the existing z/OS Integrated Cryptographic Service Facility (ICSF).

In addition to the key stores above, these key stores are also available if the key store resides outside of z/OS (in the distributed environment): JCEKS, IBMi5OSkeystore, and PKCS11IMPLKS. The first two key stores are software based and the last one is hardware based.

When multiple key stores are available on the system, you can configure which key store to use. The key store can also take advantage of hardware for protecting keys, so that the keys are always protected under the hardware master key and the key values never appear in the clear in system memory. Access to the key store is controlled by z/OS access controls.
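The following added example (not IBM or EKM code) uses the standard Java KeyStore and JCE APIs to show the role a software key store of type JCEKS plays: it holds a key-encrypting key that wraps and unwraps a data key. It assumes a symmetric AES key and the AESWrap algorithm for brevity; the class name, alias, and password are constructed sample values, and the key store is kept in memory rather than in a file.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.security.Key;
import java.security.KeyStore;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;

public class KeyStoreWrapDemo {
    public static void main(String[] args) throws Exception {
        char[] storePass = "constructed-demo-password".toCharArray(); // constructed sample value
        String alias = "demo-kek";                                     // hypothetical alias

        KeyGenerator gen = KeyGenerator.getInstance("AES");
        gen.init(256);
        SecretKey kek = gen.generateKey();     // key-encrypting key, lives in the key store
        SecretKey dataKey = gen.generateKey(); // data key that would encrypt the data itself

        // Create an empty JCEKS key store and add the key-encrypting key under the alias.
        KeyStore ks = KeyStore.getInstance("JCEKS");
        ks.load(null, storePass);
        ks.setEntry(alias, new KeyStore.SecretKeyEntry(kek),
                    new KeyStore.PasswordProtection(storePass));

        // Serialize and reload, as a key manager would when it opens an existing key store.
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        ks.store(out, storePass);
        KeyStore reloaded = KeyStore.getInstance("JCEKS");
        reloaded.load(new ByteArrayInputStream(out.toByteArray()), storePass);

        Key storedKek = reloaded.getKey(alias, storePass);
        if (storedKek == null) {
            throw new IllegalStateException("alias not found: " + alias);
        }

        // Wrap the data key under the stored key; only the wrapped form leaves the process.
        Cipher wrap = Cipher.getInstance("AESWrap");
        wrap.init(Cipher.WRAP_MODE, storedKek);
        byte[] wrapped = wrap.wrap(dataKey);

        // Unwrap with the same stored key and confirm the data key is recovered intact.
        Cipher unwrap = Cipher.getInstance("AESWrap");
        unwrap.init(Cipher.UNWRAP_MODE, storedKek);
        Key recovered = unwrap.unwrap(wrapped, "AES", Cipher.SECRET_KEY);

        System.out.println("wrapped data key length: " + wrapped.length);
        System.out.println("round trip ok: "
                + Arrays.equals(recovered.getEncoded(), dataKey.getEncoded()));
    }
}
```

With a software key store such as this one, the key-encrypting key is present in process memory while in use; the hardware-based key stores described above avoid that by keeping key values under the hardware master key.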





Copyright IBM Corporation 1990, 2014