Hi,
Most customers enter a Master Key by key parts, where: two or more non-zero key parts are used; knowledge of one key part is limited to a designated security officer and a backup in their organization; and no single person is primary or backup on knowledge of more than one key part. As I am sure you are aware, knowledge or control of all parts of the Master Key by one person has led to trouble in the industry; cases can be found readily by a Google search. With the above manual controls it is a simple matter to enter the same Master Key into multiple domains, with coordinated/secured access.
The Trusted Key Entry workstation (TKE) makes all of this much easier and adds a layer of security: smart cards can be used to store the key parts. Using a TKE also allows you to load the key parts using dual-control processes and commands signed by the security officer holding the key part. The TKE can also configure domain and HSM groups to simplify Master Key load further. A further function of the TKE is the migration wizard, which allows you to pull all configuration from one HSM or one domain of one HSM and apply it securely to another HSM, based again on the properties of dual control, so that no single participant in the migration has control of the Master Key and other configuration data while it is outside of the HSM.
Hope this helps and please come back with any further questions!
------------------------------
Richard Kisley
------------------------------
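The split-knowledge procedure described in the reply above, as an added example that is not part of the original thread and not IBM's code: key parts are combined by XOR, each part must be non-zero, the same parts entered into two domains produce the same master key, and no single officer may be primary or backup for more than one part. The verification pattern construction (truncated SHA-256 of a tagged key) is an assumption for illustration, not the HSM's actual MKVP algorithm, and `Domain`, `load_same_key` and `custodian_policy_ok` are hypothetical names.

```python
"""Split-knowledge master key entry modelled in Python.

Added example for this thread; it is not code from the original post or from
IBM. It models the manual procedure the reply describes: each key part is held
by one designated officer plus a backup, the HSM combines the non-zero parts by
XOR inside the device, and entering the same parts into two domains yields the
same master key. The verification pattern is a simplified SHA-256 construction
(an assumption here), not the HSM's actual MKVP algorithm.
"""
import hashlib
import secrets

KEY_LEN = 32  # 256-bit master key, e.g. an AES master key (assumption)


def generate_key_parts(n_parts: int, key_len: int = KEY_LEN) -> list:
    """Generate n_parts independent, uniformly random, non-zero key parts."""
    if n_parts < 2:
        raise ValueError("split knowledge needs at least two key parts")
    parts = []
    while len(parts) < n_parts:
        part = secrets.token_bytes(key_len)
        if any(part):  # an all-zero part contributes nothing; reject it
            parts.append(part)
    return parts


def combine_key_parts(parts) -> bytes:
    """XOR the parts together, as the HSM does when the final part is loaded."""
    parts = list(parts)
    if not parts:
        raise ValueError("no key parts")
    key = bytes(len(parts[0]))
    for part in parts:
        if len(part) != len(key):
            raise ValueError("key parts must have equal length")
        if not any(part):
            raise ValueError("zero key part rejected")
        key = bytes(a ^ b for a, b in zip(key, part))
    if not any(key):
        raise ValueError("combined master key is all zero")
    return key


def verification_pattern(master_key: bytes) -> str:
    """Public check value used to compare registers without revealing the key.
    Simplified construction (assumption): truncated SHA-256 of a tagged key."""
    return hashlib.sha256(b"MKVP" + master_key).hexdigest()[:16]


class Domain:
    """Minimal model of one HSM domain: a new-master-key register that is
    filled part by part, and a current master key register set from it."""

    def __init__(self, index: int):
        self.index = index
        self._pending_parts = []
        self.current_mk = None

    def load_part(self, part: bytes) -> None:
        self._pending_parts.append(part)

    def set_master_key(self) -> str:
        """Combine the pending parts; enforce at least two parts (dual control)."""
        if len(self._pending_parts) < 2:
            raise ValueError("master key must be entered as two or more parts")
        self.current_mk = combine_key_parts(self._pending_parts)
        self._pending_parts = []
        return verification_pattern(self.current_mk)


def load_same_key(parts, domain_indices) -> dict:
    """Enter the same key parts into several domains; return index -> pattern.
    Equal patterns confirm the domains now hold the same master key."""
    patterns = {}
    for idx in domain_indices:
        dom = Domain(idx)
        for part in parts:
            dom.load_part(part)
        patterns[idx] = dom.set_master_key()
    return patterns


def no_subset_reveals_key(parts) -> bool:
    """Any n-1 parts XOR to a value that differs from the full master key,
    so a single custodian (or all but one) learns nothing about it."""
    full = combine_key_parts(parts)
    for i in range(len(parts)):
        if combine_key_parts(parts[:i] + parts[i + 1:]) == full:
            return False
    return True


def custodian_policy_ok(assignments) -> bool:
    """assignments: {part_number: (primary, backup)}. Enforce the rule that
    no person is primary or backup for more than one key part."""
    seen = set()
    for primary, backup in assignments.values():
        if primary == backup or primary in seen or backup in seen:
            return False
        seen.update((primary, backup))
    return True
```

Run `load_same_key(generate_key_parts(3), [1, 2])` to see domain 1 and domain 2 report the same pattern; compare patterns, never raw key material, when confirming two domains hold the same Master Key.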
Original Message:
Sent: Tue November 17, 2020 05:47 AM
From: NORDINE MOSBAH
Subject: Master keys sharing
Dear ,
Basic but important question:
---------------------------------
Is it possible to share a generated/loaded Master Key of domain index(1) in another domain index(2)?
For example:
If we have Lpar1 in domain index(1) and Lpar2 in domain index(2), is it possible to generate Master key1 for Lpar1 in domain index(1) and insert this Master key1 for Lpar2 in domain index(2)?
And then, by extension, can we use the same Master key in different domains for different Lpars?
What are the eventual consequences of that (restrictions? cons? limits?)
Thanks in advance.
------------------------------
Nordine Mosbah
------------------------------