Abstract: In this paper, we outline the steps necessary to change the AES master key. We will describe the procedure we followed and some of the questions we asked ourselves during this process. We will also describe some problems we encountered and how we solved them, and finally discuss the operational considerations for doing a master key change. In addition, we will cover auditing and review the data and information you can collect for auditing purposes.
Master Keys are used to protect sensitive cryptographic keys that are active on your system.
Master Keys are stored in secure hardware in the cryptographic feature.
Master Keys are used only to encipher and decipher keys.
Master Keys should be changed periodically.
This document covers the following:
1. Enter the master key parts by using the ICSF Master Key Entry panels.
2. Initiate a coordinated CKDS master key change.
3. Load the new master key registers.
4. Reencipher the key data sets under the new master keys. This fills an empty VSAM data set with the reenciphered keys and makes that data set the new key data set. This new reenciphered key data set is a disk copy.
5. Change to the new master keys and activate the reenciphered key data sets.
6. Verify that the master keys are active.
7. Audit the master key change.