Key-encrypting keys
Key-encrypting keys protect a key that is sent to another system, received from another system, or stored with data in a file. A variation of transport keys is also used to rewrap a key from one key-encrypting key to another key-encrypting key.
Key-encrypting keys are always generated in pairs. Both keys have
the same clear key value, but have a different encrypted key value
due to the control vector or the associated data.
- Exporter key-encrypting key
  An exporter key-encrypting key protects keys that are sent from your system to another system. The exporter key at the originator has the same clear value as the importer key at the receiver. An exporter key is paired with an importer key-encrypting key.

  DES OKEYXLAT keys must be used when rewrapping a key under a transport key. The AES EXPORTER must have the TRANSLAT key usage enabled when rewrapping a key.
- Importer key-encrypting key
  An importer key-encrypting key protects keys that are sent from another system to your system. It also protects keys that you store externally in a file that you can import to your system later. The importer key at the receiver has the same clear value as the exporter key at the originator. An importer key is paired with an exporter key-encrypting key.

  DES IKEYXLAT keys must be used when rewrapping a key under a transport key. The AES IMPORTER must have the TRANSLAT key usage enabled when rewrapping a key.
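
A simplified model of the pairing described above, added here as an illustration; it is not taken from the product and is not the coprocessor's wrapping algorithm. One clear key-encrypting key value is wrapped twice under a single local wrapping key, with the key type (standing in for the control vector or associated data) mixed into the wrapping. The HMAC-SHA-256/SHAKE-256 construction, the function names, and all key values are assumptions.

```python
import hashlib
import hmac


def _variant(wrapping_key: bytes, binding: bytes) -> bytes:
    # Usage-specific variant of the wrapping key; `binding` stands in for
    # the control vector (DES) or the token's associated data (AES).
    return hmac.new(wrapping_key, b"variant|" + binding, hashlib.sha256).digest()


def _xor_stream(variant: bytes, siv: bytes, data: bytes) -> bytes:
    stream = hashlib.shake_256(variant + siv).digest(len(data))
    return bytes(a ^ b for a, b in zip(data, stream))


def wrap(wrapping_key: bytes, binding: bytes, clear_key: bytes) -> bytes:
    # Deterministic, authenticated wrap (synthetic-IV style, illustrative only).
    v = _variant(wrapping_key, binding)
    siv = hmac.new(v, b"siv|" + clear_key, hashlib.sha256).digest()[:16]
    return siv + _xor_stream(v, siv, clear_key)


def unwrap(wrapping_key: bytes, binding: bytes, token: bytes) -> bytes:
    v = _variant(wrapping_key, binding)
    siv, body = token[:16], token[16:]
    clear_key = _xor_stream(v, siv, body)
    expect = hmac.new(v, b"siv|" + clear_key, hashlib.sha256).digest()[:16]
    if not hmac.compare_digest(siv, expect):
        raise ValueError("token is not bound to this key usage")
    return clear_key


def demo() -> dict:
    wrapping_key = bytes(range(32))  # constructed local wrapping key
    clear_kek = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed
    exporter = wrap(wrapping_key, b"EXPORTER", clear_kek)
    importer = wrap(wrapping_key, b"IMPORTER", clear_kek)
    try:
        # Presenting the exporter token where an importer is expected.
        unwrap(wrapping_key, b"IMPORTER", exporter)
        cross_use_rejected = False
    except ValueError:
        cross_use_rejected = True
    return {
        "tokens_differ": exporter != importer,
        "same_clear_value": unwrap(wrapping_key, b"EXPORTER", exporter)
        == unwrap(wrapping_key, b"IMPORTER", importer) == clear_kek,
        "cross_use_rejected": cross_use_rejected,
    }
```

The two tokens carry the same clear value but differ in encrypted form, and a token wrapped for one usage fails verification when presented as the other.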

DES keys: key-encrypting key class | Callable services |
---|---|
EXPORTER | Control Vector Translate, Data Key Export, ECC Diffie-Hellman, Key Export, Key Generate, Key Test2, Key Test Extended, Key Translate, Key Translate2, PKA Key Generate, PKA Key Translate, Prohibit Export Extended, Remote Key Export, Secure Messaging for Keys, Symmetric Key Generate, TR-31 Export, TR-31 Import, Unique Key Derive |
IMPORTER | Control Vector Translate, Data Key Import, ECC Diffie-Hellman, Key Generate, Key Import, Key Test2, Key Test Extended, Key Translate, Key Translate2, Multiple Secure Key Import, PKA Key Generate, PKA Key Import, PKA Key Translate, Prohibit Export Extended, Remote Key Export, Restrict Key Attribute, Secure Key Import, Secure Messaging for Keys, Symmetric Key Generate, TR-31 Export, TR-31 Import |
IMP-PKA | PKA Key Import, Remote Key Export, Trusted Block Create |
IKEYXLAT, OKEYXLAT | Control Vector Translate, Key Translate, Key Translate2, TR-31 Export, TR-31 Import |

AES keys: key-encrypting key class | Callable services |
---|---|
EXPORTER | ECC Diffie-Hellman, Key Generate2, Key Test2, Key Translate2, PKA Key Generate, PKA Key Translate, Symmetric Key Export |
IMPORTER | ECC Diffie-Hellman, Key Generate2, Key Test2, Key Translate2, PKA Key Generate, PKA Key Import, PKA Key Translate, Restrict Key Attribute, Secure Key Import2, Symmetric Key Import2 |

Availability notes: AES key-encrypting
class keys require z114, z196, or later systems with a CEX3C or later
coprocessor with the September 2011 or later licensed internal code.