Export Symmetric Key (EXPSYMKEY)

The EXPSYMKEY command allows authorized users to extract the value of a Symmetric Key (DEK) contained within a Key Store. This command is useful when the key value must be shared with another computer system (one that is not an IBM i) that needs to encrypt or decrypt data using the same key.

WARNING: If a key value can be exported (retrieved), then the key value could be used to decrypt data without going through Powertech Encryption for IBM i's APIs and security mechanisms. This security risk can be eliminated by keeping the Key Policy parameter setting DEKRTVVAL(*NO).

It is recommended to specify a KEK (Key Encryption Key) to protect the exported Symmetric Key.

The Key Policy must allow key values to be retrieved, with the parameter setting DEKRTVVAL(*YES) or DEKRTVVAL(*KEK).

The following users can utilize the EXPSYMKEY command:

  • QSECOFR user profile (unless excluded in the Key Officer settings)
  • A user profile with *SECADM authority (unless excluded in the Key Officer settings)
  • A Key Officer that has a *YES specified for the “Maintain DEKs” authority setting

How to Get There

From the Symmetric Encryption Key Menu, choose option 15.

Options

Key label (KEYLABEL)

Indicate the label of the Symmetric Key to export.

Key store name (KEYSTR)

Indicate the object name and library of the Key Store which contains the Symmetric Key.

key-store-name
Enter the name of the Key Store.
*DEFAULT
Use the default Key Store name specified at the Key Policy level.

The possible library values are:

library-name
Enter the name of the library where the Key Store is located.
*LIBL
Locate the Key Store within the library list.

KEK key label (KKEYLABEL)

Indicate the label of the Key Encryption Key (KEK) to use to encrypt the Symmetric Key that will be exported.

The possible values are:

key-label
Enter the key label that will be used.
*NONE
The key will not be encrypted before being exported.

KEK key store name (KKEYSTR)

Indicate the object name and library of the Key Store which contains the Key Encryption Key (KEK).

kek-key-store-name
Enter the name of the Key Store.
*DEFAULT
Use the default Key Store name specified at the Key Policy level.

The possible library values are:

library-name
Enter the name of the library where the Key Store is located.

Key value format (KEYVALFMT)

Indicate whether the key should be exported in hexadecimal, base64 or character format.

The key should normally be exported in hexadecimal or base64 format to ensure compatibility with other computer systems.

The possible values are:

*BASE64
The key value will be displayed in base64 format.
*CHAR
The key value will be displayed in character format.
WARNING: The key value may contain special characters which are non-displayable. Therefore it is recommended to use this setting only if the key was manually entered in character format.
*HEX
The key value will be displayed in hexadecimal format.
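A system receiving the exported value must turn the text in the Key value field back into raw key bytes. The following Python, added here as an illustration and not part of Powertech Encryption for IBM i, decodes the value for each KEYVALFMT setting (undoing the line wrap visible on the sample screen below) and checks whether a given key could be shown completely in *CHAR format. It assumes the DEK is an AES key (16, 24 or 32 bytes) and that *CHAR output is EBCDIC CCSID 37; neither is stated on this page.

```python
import base64
import binascii

# Constructed from the 'Key value' field on the sample screen: the 5250 display
# wraps the 64 hex digits onto two lines, which the decoder has to undo.
SAMPLE_HEX_SCREEN = "C2D6C240D3E4C5C2C2C540C1E340D3C9D5D6D4C1\n40E2D6C6E3E6C1D9C5404040"

# Assumption: the DEK is an AES key, so only these byte lengths are acceptable.
VALID_KEY_LENGTHS = (16, 24, 32)

# Assumption: *CHAR output is EBCDIC in the job's CCSID; CCSID 37 (cp037) is used here.
EBCDIC_CODEPAGE = "cp037"


def decode_exported_key(value: str, fmt: str) -> bytes:
    """Turn the text of the 'Key value' field into raw key bytes for the given KEYVALFMT."""
    if fmt == "*HEX":
        # Remove the screen's line wrap and trailing blanks, then decode.
        try:
            key = binascii.unhexlify("".join(value.split()))
        except binascii.Error as exc:
            raise ValueError(f"not valid hexadecimal: {exc}") from exc
    elif fmt == "*BASE64":
        try:
            key = base64.b64decode("".join(value.split()), validate=True)
        except binascii.Error as exc:
            raise ValueError(f"not valid base64: {exc}") from exc
    elif fmt == "*CHAR":
        # Whitespace is NOT stripped here: a blank (0x40) can be a key byte, and
        # trailing blanks are indistinguishable from screen padding, which is why
        # *CHAR is only safe for keys that were typed in as text.
        try:
            key = value.encode(EBCDIC_CODEPAGE)
        except UnicodeEncodeError as exc:
            raise ValueError(f"character not representable in EBCDIC: {exc}") from exc
    else:
        raise ValueError(f"unknown KEYVALFMT {fmt!r}")
    if len(key) not in VALID_KEY_LENGTHS:
        raise ValueError(f"decoded key is {len(key)} bytes; expected one of {VALID_KEY_LENGTHS}")
    return key


def char_format_is_lossless(key: bytes) -> bool:
    """True only if every key byte is a displayable EBCDIC character, so *CHAR
    would show the whole key instead of silently hiding bytes that cannot print."""
    text = key.decode(EBCDIC_CODEPAGE)
    return text.isprintable() and text.encode(EBCDIC_CODEPAGE) == key
```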

Export Symmetric Key (EXPSYMKEY)

Type choices, press Enter.

Key label  . . . . . . . . . . .   SSNKEY
Key store name . . . . . . . . .   PAYROLLDEK    Name, *DEFAULT
  Library  . . . . . . . . . . .   KEYSTRLIB     Name, *LIBL
KEK key label  . . . . . . . . .   *NONE
KEK key store name . . . . . . .   *DEFAULT      Name, *DEFAULT
  Library  . . . . . . . . . . .   _____________ Name, *LIBL
Key value format . . . . . . . .   *HEX          *BASE64, *CHAR, *HEX
Key value  . . . . . . . . . . .   C2D6C240D3E4C5C2C2C540C1E340D3C9D5D6D4C1
                                   40E2D6C6E3E6C1D9C5404040

Screen Example: EXPSYMKEY Command with Sample Values


Related Topics