Create Symmetric Key (CRTSYMKEY)

The CRTSYMKEY command allows authorized users to create a new Data Encryption Key (Symmetric Key) and place it into a Key Store.

  The following users can use the CRTSYMKEY command:

  • QSECOFR user profile (unless excluded in the Key Officer settings)
  • A user profile with *SECADM authority (unless excluded in the Key Officer settings)
  • A Key Officer that has a *YES specified for the “Maintain DEKs” authority setting

The user must have *CHANGE authority to the Validation List (*VLDL) object containing the Key Store, into which the Key will be created.


How to Get There

From the Symmetric Encryption Key Menu, choose option 11.

Options

Key label (KEYLABEL)

Indicate the unique name (label) of the Key, up to 30 characters.

Rules for label name:

  • The label cannot contain spaces or certain special characters.
  • The label can contain underscore characters.
  • The label is not case sensitive. It will be stored in upper case.

Key store name (KEYSTR)

Indicate the object name and library of the Key Store to save the Symmetric Key into.

key-store-name Enter the name of the Key Store.
*DEFAULT Use the default Key Store name specified at the Key Policy level. You must have *CHANGE authority to the Key Store *VLDL object.

The possible library values are:

library-name Enter the name of the library where the Key Store is located.

Encryption allowed with key (ENCRYPTALW)

Indicate whether the Key can be used for encryption purposes.

The possible values are:

*YES This key can be used to encrypt data.
*NO This key cannot be used to encrypt data.

Decryption allowed with key (DECRYPTALW)

Indicate whether the Key can be used for decryption purposes.

The possible values are:

*YES This key can be used to decrypt data.
*NO This key cannot be used to decrypt data.

Log encryption usage (LOGENCRYPT)

Indicate if the usage of the Key for encryption purposes will be logged into the audit journal file.

The possible values are:

*YES Usage of the key for encryption will be logged.
*NO Usage of the key for encryption will not be logged.
NOTE: Auditing will have an additional impact on application performance and will consume disk space.

Log decryption usage (LOGDECRYPT)

Indicate whether the usage of the Key for decryption purposes will be logged into the audit journal file.

The possible values are:

*YES Usage of the key for decryption will be logged.
*NO Usage of the key for decryption will not be logged.
NOTE: Auditing will have an additional impact on application performance and will consume disk space.

Key algorithm (ALGORITHM)

Indicate the encryption algorithm to use for creating the Symmetric Key.

The possible values are:

*AES256 Use Advanced Encryption Standard (AES) algorithm and a 256 bit key.
*AES192 Use Advanced Encryption Standard (AES) algorithm and a 192 bit key.
*AES128 Use Advanced Encryption Standard (AES) algorithm and a 128 bit key.
*TDES Use Triple Data Encryption Standard (TDES) algorithm.

Key generation option (GENOPT)

Indicate the option used to generate the Symmetric Key.

The possible values are:

*RANDOM The Key is randomly generated by Powertech Encryption. This is the preferred option.
*REMOTE The key value is stored in an External Key Manager.
*PASS The Key is generated from a user-entered passphrase, salt and iteration count using the PBKDF2 password-based key derivation function defined in RFC 2898.
*MANUAL The Key value is manually entered by the user.

Passphrase (PASSPHRASE)

The Passphrase to use for generating the Symmetric Key. Valid for GENOPT(*PASS). The passphrase can be between 1 and 256 characters in length.

Salt (SALT)

The salt value to use for generating the Symmetric Key. Valid for GENOPT(*PASS). The salt value can be between 1 and 32 characters in length.

Iteration count (ITER)

The iteration count to use for generating the Symmetric Key. Valid for GENOPT(*PASS). The iteration count is the number of times the key derivation function loops through the key creation process. The higher the iteration count, the more work an unauthorized party must do to recover the Symmetric Key by guessing the passphrase. The iteration count can be a number from 1 to 50000.

ASCII input format (ASCII)

Indicate the character set of the passphrase and salt. Valid for GENOPT(*PASS).

The possible values are:

*YES The passphrase and salt are interpreted using the ASCII character set.
*NO The passphrase and salt are interpreted using the EBCDIC character set.
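The GENOPT(*PASS) derivation described by the PASSPHRASE, SALT, ITER and ASCII parameters, as an added Python example that is not part of this documentation or of Powertech Encryption: it runs PBKDF2 (RFC 2898) over the passphrase and salt for the iteration count, sizes the key for the chosen ALGORITHM, enforces the parameter ranges given above, and shows that the ASCII setting changes the resulting key. The HMAC-SHA1 PRF, CCSID 37 as the EBCDIC code page and a 24-byte *TDES key are assumptions; the product's actual choices are not stated on this page.

```python
import hashlib

# Key length in bytes per ALGORITHM value. The AES sizes are given on the
# page; 24 bytes for *TDES (three DES keys) is an assumption.
KEY_BYTES = {"*AES256": 32, "*AES192": 24, "*AES128": 16, "*TDES": 24}

# Assumptions not stated on the page: the PBKDF2 PRF is HMAC-SHA1 (the
# RFC 2898 default) and EBCDIC input is CCSID 37 (Python codec "cp037").
PRF = "sha1"
EBCDIC_CODEC = "cp037"


def derive_dek(passphrase, salt, iterations, algorithm="*AES256", ascii_input=True):
    """Derive a Data Encryption Key as GENOPT(*PASS) describes: PBKDF2 over
    PASSPHRASE and SALT, looped ITER times, sized for ALGORITHM."""
    if not 1 <= len(passphrase) <= 256:
        raise ValueError("PASSPHRASE must be 1 to 256 characters")
    if not 1 <= len(salt) <= 32:
        raise ValueError("SALT must be 1 to 32 characters")
    if not 1 <= iterations <= 50000:
        raise ValueError("ITER must be 1 to 50000")
    if algorithm not in KEY_BYTES:
        raise ValueError("unknown ALGORITHM value %r" % algorithm)
    # ASCII(*YES) feeds the ASCII bytes of both strings to PBKDF2;
    # ASCII(*NO) feeds their EBCDIC bytes, which yields a different key.
    codec = "ascii" if ascii_input else EBCDIC_CODEC
    return hashlib.pbkdf2_hmac(PRF, passphrase.encode(codec),
                               salt.encode(codec), iterations,
                               KEY_BYTES[algorithm])


def encoding_mismatch_demo():
    """Identical parameters except the ASCII setting: the keys differ, so a
    key re-created with the wrong ASCII value will not decrypt existing data."""
    with_ascii = derive_dek("correct horse", "NaCl", 50000, ascii_input=True)
    with_ebcdic = derive_dek("correct horse", "NaCl", 50000, ascii_input=False)
    return with_ascii != with_ebcdic


if __name__ == "__main__":
    key = derive_dek("password", "salt", 50000, "*AES256")
    print("AES-256 DEK:", key.hex())
    print("ASCII and EBCDIC inputs give different keys:", encoding_mismatch_demo())
```
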
Character format used (KEYVALFMT)

Indicate the format of the symmetric key value to enter. Valid for GENOPT(*MANUAL).

The possible values are:

*HEX The key value will be entered in hexadecimal format.
*CHAR The key value will be entered in character format.
*BASE64 The key value will be entered in base64 format.

Key value (KEYVAL)

Indicate the actual value of the key for the AES algorithms. Valid for GENOPT(*MANUAL).

Key value (TDKEYVAL)

Indicate the actual value of the key for the TDES algorithm. Valid for GENOPT(*MANUAL).

KEK key label (KKEYLABEL)

Indicate the label of the Key Encryption Key (KEK) with which the Symmetric Key is encrypted. Valid for GENOPT(*MANUAL).

The possible values are:

key-label Enter the label of the KEK.
*NONE The Symmetric Key is not encrypted with a KEK.

KEK key store name (KKEYSTR)

Indicate the object name and library of the Key Store which contains the Key Encryption Key (KEK).

kek-key-store-name Enter the name of the Key Store.
*DEFAULT Use the default Key Store name specified at the Key Policy level.

The possible library values are:

library-name Enter the name of the library where the Key Store is located.

External key manager (EXTKEYMGR)

Valid for GENOPT(*REMOTE). Indicate the name of the External Key Manager that contains the remote key. The properties for the External Key Manager must be predefined using the WRKEKM command.

External key label (EXTKEYLBL)

Valid for GENOPT(*REMOTE). Indicate the label (or name) of the remote key in the External Key Manager. The key label is case sensitive.

External key store name (EXTKEYSTR)

Valid for GENOPT(*REMOTE). If the remote key is held by Powertech Encryption on the remote server, specify the name of the remote Key Store that contains the key.

ext-key-store-name Specify the name of the Key Store.
*DEFAULT Use the default Key Store name specified at the Key Policy level on the remote server.

The possible library values are:

library-name Specify the name of the library where the Key Store is located.

Create external key (CRTEXTKEY)

Indicate if you would like to create the key on the remote (external) key manager.

The possible values are:

*YES When creating a key type of *VORMETRIC, a random key is generated and inserted into the Vormetric Vault. When creating a key type of *KMIP, a key is generated on the external key manager. In either case, this key entry points to the actual key on the external (remote) key manager.

*NO The key will not be created on the remote key manager. A key with the External key label (EXTKEYLBL) should already exist on the remote key manager.