Loading and setting auxiliary storage pool master key

You can set the auxiliary storage pool (ASP) master key as you would any other master key, by first loading key parts and then setting the ASP master key. The ASP master key is used for protecting data in the independent auxiliary storage pool (known as an independent disk pool in the graphical interface).

When you set up an encrypted independent auxiliary storage pool (IASP), the system generates a data key that encrypts data written to that IASP and decrypts data read from that IASP. The IASP data key is kept with the IASP and is protected with the ASP master key.

Important: To encrypt an independent disk pool from the disk management folder of the graphical interface, the system must be at V6R1 or later and must have the Encrypted ASP Enablement feature of IBM i installed. This feature can be ordered separately for a fee.

To set the ASP master key, you must first load master key parts and then set the ASP master key. You can load as many master key parts as you want for the ASP master key. By setting the save/restore master key, the new ASP master key version moves to the current ASP master key version.

To load the ASP master key from the IBM Navigator for i interface, follow these steps:

  1. Select Security from your IBM Navigator for i window.
  2. Select Cryptographic Services Key Management.
  3. Select Manage Master Keys.
  4. Select the ASP master key.
  5. Select Load Part from the Select Actions menu.
  6. Use the Load Part dialog to specify the passphrase.

To set the ASP master key, select the ASP master key and then from the Select Actions menu, select Set.

You can also use the Set Master Key (SETMSTKEY) CL command to set the ASP master key that has parts already added.

Or, if you prefer to write your own application to set the ASP master key, you can do so by using the Set Master Key (QC3SETMK; Qc3SetMasterKey) API.