You use data-encrypting keys to encrypt data. On a system, a data-encrypting key is often encrypted under the master key.

A data-encrypting key can encrypt data that is stored in a file outside the system. The data-encrypting key itself is encrypted under a transport key.

You may also need to protect data that you send from one system to another system. The data-encrypting key that protects this data must be sent with the data so that the receiving system can decrypt the data. In this case, the data-encrypting key is encrypted under a transport key.

Sometimes two systems that want to exchange data are not directly connected. There may be intermediate systems between the systems that the data must travel through, as in Figure 5.

Figure 5. Data Protected When Sent between Intermediate Systems

In this situation, when you pass enciphered data to a system, you do not send a data-encrypting key to decipher the data at the receiving system. Instead, the systems establish pairs of data-encrypting and data-translation keys that exist on the systems. These keys encipher and reencipher the data. The data ends up enciphered under a data-encrypting key that exists on the receiving system. Transport keys may be needed to establish the data-encrypting keys and the data-translation keys on the systems.

Both the sending and receiving systems give data-translation keys to the intermediate system. On the intermediate system, a data-translation key from the sending system matches a data-encrypting key on the sending system. In Figure 5, this key is called Key 1. Also on the intermediate system, a data-translation key from the receiving system matches the data-encrypting key on the receiving system. In Figure 5, this key is called Key 2. Note that Key 1 and Key 2 do not have the same clear key value.

The data-translation keys cannot decipher data. They are used in the ciphertext translate callable service, which reenciphers data from protection under one key to protection under another key.

On the sending system, the plaintext is enciphered under Key 1, so it is ciphertext. Then the ciphertext is sent to the intermediate system. At the intermediate system, the data is reenciphered from under Key 1 to under Key 2 without appearing as plaintext. When the receiving system receives the ciphertext, the system can decipher the ciphertext from under Key 2, so it is plaintext.

Data-translation keys are also used when there is more than one intermediate system between the sending system and receiving system. The sending system and the first intermediate system share a data-encrypting/data-translation key pair. Each pair of neighboring intermediate systems shares a data-translation key pair. The final intermediate system and the receiving system share a data-translation/data-encrypting key pair.