z/OS Cryptographic Services ICSF Administrator's Guide


Protection of Distributed Keys

SA22-7521-17

When you store a key with a file or send it to another system, you can protect the key in either of these ways:

  • DES keys enciphered under a DES transport key.
  • DES and AES keys enciphered under the receiver's RSA public key.

When ICSF enciphers a key under a DES transport key, the key is not in operational form and cannot be used to perform cryptographic functions. A key that you receive from another system arrives enciphered under a transport key. You can reencipher the key from under the transport key to under your master key and then use it on your system. While a key is enciphered under a transport key, the sending system considers it to be in exportable form, and the receiving system considers it to be in importable form. Once a key is reenciphered from under a transport key to under a system's master key, it is in operational form again.
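
The key-form lifecycle described above, modelled as an added Python sketch; it is not IBM or ICSF code and calls no ICSF service. The names System, KeyToken, export_key and import_key are hypothetical, the cipher is a labelled stand-in rather than DES, and the transport key is passed as raw bytes for brevity.

```python
import hashlib, hmac, os
from dataclasses import dataclass

def _wrap(kek: bytes, data: bytes) -> bytes:
    # Stand-in cipher (XOR with an HMAC-SHA256 keystream, self-inverse); not DES.
    stream = hmac.new(kek, b"wrap", hashlib.sha256).digest()
    return bytes(d ^ s for d, s in zip(data, stream))

@dataclass(frozen=True)
class KeyToken:
    form: str        # "operational" or "external" (exportable / importable)
    wrapped: bytes   # key value enciphered under a master or transport key

class System:  # hypothetical model of one system with its own master key
    def __init__(self):
        self._master = os.urandom(32)

    def generate(self) -> KeyToken:
        return KeyToken("operational", _wrap(self._master, os.urandom(16)))

    def export_key(self, token: KeyToken, transport: bytes) -> KeyToken:
        # Sender: reencipher from under the master key to under the transport key.
        if token.form != "operational":
            raise ValueError("key is not in operational form")
        return KeyToken("external", _wrap(transport, _wrap(self._master, token.wrapped)))

    def import_key(self, token: KeyToken, transport: bytes) -> KeyToken:
        # Receiver: reencipher from under the transport key to under its own master key.
        if token.form != "external":
            raise ValueError("expected a key enciphered under a transport key")
        return KeyToken("operational", _wrap(self._master, _wrap(transport, token.wrapped)))

    def mac(self, token: KeyToken, message: bytes) -> bytes:
        if token.form != "operational":  # cryptographic functions need operational keys
            raise ValueError("key is not in operational form")
        return hmac.new(_wrap(self._master, token.wrapped), message, hashlib.sha256).digest()

def demo() -> tuple:
    sender, receiver, transport = System(), System(), os.urandom(32)  # constructed keys
    op_sender = sender.generate()
    external = sender.export_key(op_sender, transport)   # exportable to the sender
    try:
        receiver.mac(external, b"msg")                   # still under the transport key
        usable = True
    except ValueError:
        usable = False
    op_receiver = receiver.import_key(external, transport)  # importable -> operational
    same_key = sender.mac(op_sender, b"msg") == receiver.mac(op_receiver, b"msg")
    return usable, same_key, op_sender.wrapped != op_receiver.wrapped
```

demo() reports that the key is unusable while under the transport key, that both systems end up with the same key value, and that each system holds it enciphered under a different master key.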

In an RSA public key cryptographic system, the sending system and receiving system do not need to share complementary importer and exporter key pairs to exchange data-encrypting keys. The sender uses the receiver's public key to encipher the data-encrypting key. The receiver uses his or her own private key to decipher the data-encrypting key. You can use RACF to control which applications can use specific keys and services. For more information, see Using RACF to Protect Keys and Services.





Copyright IBM Corporation 1990, 2014