Load Master Encryption Key (LODMSTKEY)
The LODMSTKEY command allows authorized users to specify the passphrase parts for a *NEW version of the Master Encryption Key (MEK).
See Preparing a Master Encryption Key (MEK) by Loading the Passphrase Parts in Getting Started.
The following users can use this command:
- QSECOFR user profile (unless excluded in the Key Officer settings)
- A user profile with *SECADM authority (unless excluded in the Key Officer settings)
- A Key Officer who has *YES specified for the “Load MEK passphrase parts” authority setting
The default Key Policy requires that each part of the passphrase is entered by a unique user profile.
How to Get There
From the Master Encryption Key Menu, choose option 1, Load Master Encryption Key. Or, prompt (F4) the command CRYPTO/LODMSTKEY.
Options
MEK id number
The ID number of the *NEW Master Encryption Key (MEK) to load with a passphrase.
MEK passphrase part
The part of the passphrase entered.
Rules: The maximum number of parts (as defined in the Key Policy) cannot be exceeded for the MEK. The parts may be entered in any order; for instance, part 3 can be specified first, then part 1, then part 2.
Passphrase
The passphrase being used.
Rules: The passphrase is case-sensitive and cannot be the same as a passphrase already entered on another part of the *NEW MEK.
Replace existing part
Indicates whether the passphrase will replace an existing passphrase for the part specified. This is useful if the prior passphrase was entered incorrectly.
The passphrase parts used to load a MEK should be recorded in a safe place (not on the IBM i). A MEK will not be usable if it is copied or restored to another IBM i serial number. If you want to recreate the same MEK on another IBM i serial number (for example, in a disaster recovery situation), these same passphrase parts will have to be re-entered (loaded) in the same order.