z/OS Cryptographic Services ICSF Administrator's Guide


Entering Keys

SA22-7521-17

This topic gives you an overview of key entry and the methods of key entry.

Master keys are used to protect sensitive cryptographic keys that are active on your system. The number and types of master keys you need to enter depend on your hardware configuration and application requirements.

  • A DES master key on the Cryptographic Coprocessor Feature protects DES keys, and PKA master keys protect DSS and RSA keys.
  • On the PCICC, PCIXCC, CEX2C, or CEX3C, the DES master key (DES-MK) protects DES keys and the RSA master key (RSA-MK) protects RSA keys.
  • The AES master key (AES-MK) protects AES keys on the CEX2C and CEX3C, and HMAC keys on the CEX3C.
  • The ECC master key (ECC-MK) protects ECC keys on the CEX3C.

The first time you start ICSF on your system, you may enter master keys and initialize the cryptographic key data set (CKDS) and PKA cryptographic key data set (PKDS). You can then generate and enter the keys you use to perform cryptographic functions. The master keys you enter protect sensitive keys stored in the CKDS and the PKDS.

If you have no coprocessor, you can initialize the CKDS for use with clear AES and DES data keys. This CKDS cannot be used on a system with cryptographic coprocessors.

Because master key protection is essential to the security of the other keys, ICSF stores the master keys within the secure hardware of the cryptographic feature. This nonvolatile key storage area is unaffected by system power outages, because it is protected by a battery power unit. The values of the master keys never appear in the clear outside the cryptographic feature.

Managing master keys involves these tasks:

  • Entering the master keys the first time you start ICSF
  • Reentering the master keys if they are cleared
  • Changing the DES or AES master key periodically
  • Changing the PKA master keys periodically





Copyright IBM Corporation 1990, 2014