Export Symmetric Key (EXPSYMKEY)

The EXPSYMKEY command allows authorized users to extract the value of a Symmetric Key (DEK) contained within a Key Store. This command is useful if the key value needs to be shared with another, non-IBM i computer system that needs to encrypt or decrypt data using the same key.

WARNING: If a key value can be exported (retrieved), then the key value could be used to decrypt data without using Powertech Encryption for IBM i’s APIs and security mechanisms.  This security risk can be eliminated by keeping the Key Policy parameter setting DEKRTVVAL(*NO).

It is recommended to specify a KEK (Key Encryption Key) to protect the exported Symmetric Key.

The Key Policy must allow key values to be retrieved with the parameter setting of DEKRTVVAL(*YES) or (*KEK).

The following users can use the EXPSYMKEY command:

  • QSECOFR user profile (unless excluded in the Key Officer settings)
  • A user profile with *SECADM authority (unless excluded in the Key Officer settings)
  • A Key Officer that has a *YES specified for the “Maintain DEKs” authority setting

How to Get There

From the Symmetric Encryption Key Menu, choose option 15.

Options

Key label (KEYLABEL)

Indicate the label of the Symmetric Key to export.

Key store name (KEYSTR)

Indicate the object name and library of the Key Store which contains the Symmetric Key.

The possible values are:

  • key-store-name: Enter the name of the Key Store.
  • *DEFAULT: Use the default Key Store name specified at the Key Policy level.

The possible library values are:

  • library-name: Enter the name of the library where the Key Store is located.
  • *LIBL: Locate the Key Store within the library list.

KEK key label (KKEYLABEL)

Indicate the label of the Key Encryption Key (KEK) to use to encrypt the Symmetric key that will be exported.

The possible values are:

  • key-label: Enter the key label that will be used.
  • *NONE: The key will not be encrypted before being exported.

KEK key store name (KKEYSTR)

Indicate the object name and library of the Key Store which contains the Key Encryption Key (KEK).

The possible values are:

  • kek-key-store-name: Enter the name of the Key Store.
  • *DEFAULT: Use the default Key Store name specified at the Key Policy level.

The possible library values are:

  • library-name: Enter the name of the library where the Key Store is located.

Key value format (KEYVALFMT)

Indicate whether the key should be exported in hexadecimal, base64 or character format. The key should normally be exported in hexadecimal or base64 format to ensure compatibility with other computer systems.

The possible values are:

  • *BASE64: The key value will be displayed in base64 format.
  • *CHAR: The key value will be displayed in character format.
    WARNING: The key value may contain special characters which are non-displayable. Therefore it is recommended to use this setting only if the key was manually entered in character format.
  • *HEX: The key value will be displayed in hexadecimal format.
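Added example (not part of the product's documentation or code): how a receiving, non-IBM i system can turn the text that EXPSYMKEY displays for each KEYVALFMT setting back into raw key bytes, rejecting the *CHAR case the warning above describes. Assumptions: the DEK is an AES key of 128, 192 or 256 bits, a *CHAR key is ASCII text, and any KEK wrapping (KKEYLABEL) has already been removed, since this page does not describe the wrapping format.

```python
import base64
import binascii

# Assumption: the DEK is an AES key, so only these byte lengths are accepted.
VALID_KEY_LENGTHS = {16, 24, 32}


def parse_exported_key(value: str, fmt: str) -> bytes:
    """Convert the text shown by EXPSYMKEY KEYVALFMT(fmt) into raw key bytes.

    fmt is "*HEX", "*BASE64" or "*CHAR". Raises ValueError when the text
    cannot be a valid DEK in that format.
    """
    fmt = fmt.upper()
    if fmt == "*HEX":
        try:
            key = binascii.unhexlify(value.strip())
        except binascii.Error as exc:
            raise ValueError(f"not valid hexadecimal: {exc}") from exc
    elif fmt == "*BASE64":
        try:
            key = base64.b64decode(value.strip(), validate=True)
        except binascii.Error as exc:
            raise ValueError(f"not valid base64: {exc}") from exc
    elif fmt == "*CHAR":
        # *CHAR is only safe for keys that were typed in as text: refuse any
        # value with non-displayable characters, which would not survive
        # copying between screens or systems intact.
        if not value.isprintable():
            raise ValueError("*CHAR value contains non-displayable characters")
        key = value.encode("ascii")  # assumption: key text is ASCII
    else:
        raise ValueError(f"unknown KEYVALFMT {fmt}")
    if len(key) not in VALID_KEY_LENGTHS:
        raise ValueError(f"decoded key is {len(key)} bytes, expected 16, 24 or 32")
    return key


def check_export(value: str, fmt: str) -> str:
    """Return a one-line verdict for an exported key value."""
    try:
        key = parse_exported_key(value, fmt)
    except ValueError as exc:
        return f"REJECT: {exc}"
    return f"OK: {len(key) * 8}-bit key"


if __name__ == "__main__":
    # Constructed sample exports, one per KEYVALFMT setting.
    print(check_export("00112233445566778899AABBCCDDEEFF", "*HEX"))   # OK: 128-bit key
    print(check_export("QUFB" * 10 + "QUE=", "*BASE64"))            # OK: 256-bit key
    print(check_export("My\x07Key", "*CHAR"))                        # REJECT: *CHAR ...
```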