In these situations, the Cryptographic Coprocessor Feature clears the master key registers so that the master key values are not disclosed.

• If the Cryptographic Coprocessor Feature detects tampering
• If you issue a command from the TKE workstation to zeroize a domain
• If you issue a command from the Support Element to zeroize all domains

In these situations, the PCI Cryptographic Coprocessor Feature (PCICC) clears the master key registers so that the master key values are not disclosed.

• If the PCI Cryptographic Coprocessor Feature detects tampering (the intrusion latch is tripped), ALL installation data is cleared: master keys, retained keys for all domains, as well as roles and profiles.
• If the PCI Cryptographic Coprocessor Feature detects tampering (the secure boundary of the card is compromised), it self-destructs and can no longer be used.
• If you issue a command from the TKE workstation to zeroize a domain

  This command zeroizes the master key data specific to the domain.

• If you issue a command from the Support Element panels to zeroize all domains.

  This command zeroizes ALL installation data: master keys, retained keys and access control roles and profiles.

Although the values of the master keys are cleared, the keys in the CKDS are still enciphered under the cleared DES master key. The RSA and DSS private keys are also each enciphered under one of the cleared PKA master keys. Therefore, to recover the keys in the CKDS, and the PKA private keys, you must reenter the same master keys and set the DES master key. For security reasons, you may then want to change all the master keys.

PR/SM Considerations: If you are running in PR/SM logical partition (LPAR) mode, there are several situations (listed previously) that can cause loss of master keys and other data. In these cases, you must first ensure that key entry is enabled for each LP on the Change LPAR Crypto page on the support element Hardware Master Console. You must then reenter the master keys in each LP. If you zeroize a domain using the TKE workstation, however, the master keys are cleared only in that domain. Master keys in other domains are not affected and do not need to be reentered. For more information about reentering master keys in LPAR mode, see Appendix D. PR/SM Considerations during Key Entry.