
Changing the AES Master Key in a Sysplex: Procedure and Auditing

Document Author: Philippe Richard1
Additional Author(s): Eysha Powers

Document ID:


Doc. Organization: IBM Systems

Document Revised:


Product(s) covered: DFSMS; S/390 Crypto Coprocessor; z Systems; z13; z14; z196; zEC12; zEnterprise 196; zEnterprise EC12; z/OS

Abstract: In this paper, we outline the steps necessary to change the AES master key. We describe the procedure we followed and some of the questions we asked ourselves during this process. We also describe some problems we encountered and how we solved them, and discuss the operational considerations for doing a master key change. In addition, we cover auditing and review the data and information you can collect for auditing purposes.
Master Keys are used to protect sensitive cryptographic keys that are active on your system.
Master Keys are stored in secure hardware in the cryptographic feature.
Master Keys are used only to encipher and decipher keys.
Master Keys should be changed periodically.
This document covers the following:
1. Enter the master key parts by using the ICSF Master Key Entry.
2. Initiate Coordinated CKDS Master Key Change.
3. Load the New Master Key Registers.
4. Reencipher the key data sets under the new master keys. This fills an empty VSAM data set with the reenciphered keys and makes the data set the new key data set. This new reenciphered key data set is a disk copy.
5. Change the new master keys and activate the reenciphered key data sets.
6. Verify the Master Keys are Active.
7. Auditing the master key change.

changing the AES master key.pdf


Hardware; Software; Solutions




IBM Security Solution


IBM System z Family




AES change master key ICSF CPACF crypto coprocessor CEX5S CEX6S dataset encryption pervasive
