IBM Crypto Education Community

How do I ensure an easy hardware migration of my cryptographic master keys?

  

When migrating to new hardware, ICSF master key considerations must be taken into account to ensure a seamless transition from the source to the target cryptographic coprocessors. Before performing the hardware migration, it is very important to confirm that the master key parts (for DES, AES, RSA, and ECC) are known AND match the values that were used to initialize your active CKDS and PKDS. You may have generated your master keys using TKE (recommended due to superior security and overall key management features), master-key-part-load via ICSF panels, or PPINIT (the least secure method). Please refer to the three links below for additional information and instructions based upon your master key management method.

 

 

Finally, if you are using PPINIT for your master key management, please contact Didier Andre from the IBM Washington Systems Center at dandre@us.ibm.com for a consultation about enhancing your master key security.

Regards,
Laura Sperling (IBM z/OS ICSF Support), Dave Hilliard (IBM z/OS ICSF Support), Eysha Powers (Chief Architect, IBM Z Crypto Portfolio) and Didier Andre (IBM Z Washington Systems Center)