Set Master Encryption Key (SETMSTKEY)

The SETMSTKEY command performs the following:

  • The CRVL001 validation list (*VLDL) object, which contains the encrypted MEKs, is backed up into a Save File object (sequentially named).
  • The *NEW version of the MEK is generated (using all the passphrase parts entered)
  • The *OLD version of the MEK is cleared
  • The *CURRENT version of the MEK is copied into the *OLD version of the MEK
  • The *NEW version of the MEK is copied into the *CURRENT version of the MEK

WARNING: The SETMSTKEY command will replace the *OLD version of the MEK with the *CURRENT version.  Before running this command, you should first use the TRNKEYSTR command to translate (re-encrypt) any DEKs in the Key Stores which are still encrypted with the *OLD version of the MEK.

See also Generating the MEK using the Loaded Passphrase Parts in Getting Started.

The following users can utilize the SETMSTKEY command:

  • QSECOFR user profile (unless excluded in the Key Officer settings)
  • A user profile with *SECADM authority (unless excluded in the Key Officer settings)
  • A Key Officer that has a *YES specified for the “Set and clear MEKs” authority setting

How to Get There

From the Master Encryption Key Menu, choose option 2, Set Master Encryption Key. Or, prompt (F4) the command CRYPTO/SETMSTKEY.

Options

MEK id number

Indicate the id number of the Master Encryption Key (MEK) to set. 

NOTE: After running SETMSTKEY… If existing DEKs in Key Stores are encrypted with the MEK, then you should execute the TRNKEYSTR command to translate (re-encrypt) the DEKs in the Key Stores.

 

Related Topics