View Only

Configuring the PowerVM Trusted System Key

By JOEL WOLFRATH posted Thu September 09, 2021 06:00 PM

Security Logo

The establishment of a PowerVM Trusted System Key assists with providing a total security solution for your Power enterprise.  For example, if you need to perform a Live Partition Mobility operation but there is a problem with the hardware TPM device, the Trusted System Key allows for secure transmission of the data between systems.  The following sections provide information on how to establish a Trusted System Key.

The PowerVM Trusted System Key is a 256 bit symmetric encryption key which can be configured from the Hardware Management Console (HMC) on power systems (starting in POWER7). The Power Hypervisor uses this key (and keys derived from this key) to perform various encryption operations on the system. The system key can exist in two states: 
  1. Uninitialized -- When a system is powered on for the first time, the system key is set to the uninitialized state and remains there until a user manually configures a key.
  2. Configured -- Once the system key is manually set from the HMC, it is moved to the "configured" state. The hypervisor is then allowed to perform additional operations with this key. In order to change the system key in the configured state, the current system key must be specified.
When the system key is in the configured state, the hypervisor will utilize it for the following operations:
  • Encrypted Live Partition Mobility (LPM) in the event of a TPM failure
  • Inactive LPM (and, if applicable, remote restart) for virtual TPM
  • Inactive LPM and Remote Restart for Platform Keystore
Note:  In order for the hypervisor to use the system key for migration the key must be set to the same value on the source and target systems.  To avoid having to change the system key in the future it is recommended to set the system key to the same value for all systems that could participate in migration.  If the system keys are required to match, PowerVM will verify this before allowing the migration to proceed.

Generating a System Key

The HMC command used to configure the system key takes a 32 byte binary file as input. There are a variety of methods which can be used to generate a random 32 byte binary file, e.g. by simply reading out these bytes from the /dev/random pseudorandom number generator on linux:
dd if=/dev/random of=SysKey.bin bs=1 count=32

Configuring the System Key

Once the key file has been copied to the management console
(e.g. using scp), the chtskey command can be used to configure the key or change it to a new value.
chtskey -m <machine name> -o change --newkey /tmp/SysKey.bin
If the system already has a key configured, you will be required to specify the current system key to perform this update.  If you have lost the current key you will need to reset the system key back to the uninitialized state.
chtskey -m <machine name> -o change --newkey /tmp/SysKey.bin --oldkey /tmp/OldKey.bin

Resetting the System Key back to the Uninitialized State

After the system key has been configured, it is possible to perform a reset operation to get back to the
uninitialized state. This involves a series of operations performed from the service processor. Please refer to this article for specific instructions on performing key clear requests.

Contacting the PowerVM Team

Have questions for the PowerVM team or want to learn more?  Follow our discussion group on LinkedIn IBM PowerVM or IBM Community Discussions