> IMHO protected key *does require* CryptoExpress option, not for data
> processing, but for key storing.
You are right. The keys are stored in a form that is protected by the Crypto Express card. Crypto Express unwraps the key and passes it directly to CPACF. Thus, Crypto Express is needed in order to use the Protected Key CPACF features.

Once CPACF receives the key from the Crypto Express, it re-wraps the key using a key encrypting key (KEK) that it generates. That key is not permanent - it goes away if the system is restarted, etc. Thus, keys wrapped under the CPACF KEK are not suitable for long-term storage, such as storage in CKDS.

At a very high level, it works something like this:

1. Key read from CKDS
2. Key sent to Crypto Express
3. Crypto Express unwraps the key and sends the cleartext key directly to CPACF
4. CPACF rewraps the key with the volatile KEK it generated when it started up
5. CPACF returns the rewrapped key to the application program
6. Application program uses that rewrapped key in protected mode requests to CPACF
   .....
7. When system is powered off, restarted, etc., the CPACF KEK is lost and it generates a new one
8. Repeat from step 1

Todd Arnold

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [email protected] with the message: INFO IBM-MAIN
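A toy model of the eight-step flow described above, added here as an example; it is not code from the post or from ICSF/CCA. The wrapping primitive is a constructed HMAC-based stand-in for the real Crypto Express and CPACF wrapping, and the class and method names are assumptions; the point it demonstrates is that a CPACF-wrapped (protected) key stops working after the KEK is regenerated, while the CKDS secure key can be re-converted.

```python
import hashlib, hmac, os, secrets

def _wrap(kek, key, label):
    # Toy authenticated wrap (stand-in for the real CCA/CPACF wrapping).
    nonce = os.urandom(16)
    stream = hashlib.sha256(kek + label + nonce).digest()
    ct = bytes(a ^ b for a, b in zip(key, stream))
    return nonce + ct + hmac.new(kek, label + nonce + ct, hashlib.sha256).digest()

def _unwrap(kek, blob, label):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(kek, label + nonce + ct, hashlib.sha256).digest()):
        raise ValueError("token was not wrapped under this KEK")
    stream = hashlib.sha256(kek + label + nonce).digest()
    return bytes(a ^ b for a, b in zip(ct, stream))

class CryptoExpress:
    # HSM holding a persistent master key; CKDS secure keys are wrapped under it.
    def __init__(self):
        self._master = secrets.token_bytes(32)
    def secure_key(self, clear):
        return _wrap(self._master, clear, b"CKDS")
    def to_protected(self, secure, cpacf):
        # Steps 2-4: unwrap under the master key, pass the clear key to CPACF,
        # which re-wraps it under its own volatile KEK.
        return cpacf.wrap_protected(_unwrap(self._master, secure, b"CKDS"))

class CPACF:
    # On-chip accelerator; its KEK lives only until the next IPL.
    def __init__(self):
        self.restart()
    def restart(self):
        self._kek = secrets.token_bytes(32)  # step 7: every old protected key is now dead
    def wrap_protected(self, clear):
        return _wrap(self._kek, clear, b"PROT")
    def encrypt(self, protected, data):
        # Step 6: the clear key is recovered only inside CPACF, per operation.
        return _wrap(_unwrap(self._kek, protected, b"PROT"), data, b"DATA")

def lifecycle():
    # Exercise steps 1-8 on a constructed key and report which operations succeed.
    hsm, cpacf = CryptoExpress(), CPACF()
    ckds_entry = hsm.secure_key(secrets.token_bytes(16))  # step 1: long-term form
    protected = hsm.to_protected(ckds_entry, cpacf)       # steps 2-5
    before_ipl = len(cpacf.encrypt(protected, b"payroll")) > 0
    cpacf.restart()                                       # step 7
    try:
        cpacf.encrypt(protected, b"payroll")
        stale_rejected = False
    except ValueError:
        stale_rejected = True
    fresh = hsm.to_protected(ckds_entry, cpacf)           # step 8: re-derive from CKDS
    return {"before_ipl": before_ipl, "stale_rejected": stale_rejected,
            "after_rederive": len(cpacf.encrypt(fresh, b"payroll")) > 0}
```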
