Master Encryption Key Menu

A Master Encryption Key (MEK) is an AES 256-bit symmetric key used to protect (encrypt) the Data Encryption Keys (DEKs) contained in a Key Store.  An organization can create up to 8 MEKs per environment on the IBM i.  For instance, one MEK could be created to encrypt the Order Entry DEKs contained in one Key Store, and a second MEK could be created to encrypt the Payroll DEKs contained in another Key Store.

A MEK is generated by Powertech Encryption for IBM i using passphrases entered by designated Key Officers.  Depending on the organization’s key policy, up to 8 different passphrases can be required (by different users) in order to generate a MEK.

The Master Encryption Keys (MEKs) are stored in a product-supplied validation list (*VLDL) object.  The MEKs are themselves encrypted with the Product Encryption Key (PEK).

Master Encryption Key (MEK) Versions

Each MEK can have up to three versions which are named *NEW, *CURRENT and *OLD:

*NEW Version

The *NEW version of a MEK is the version into which passphrases are being entered (loaded) by users with the LODMSTKEY (Load Master Key) command.  The *NEW version cannot be used to encrypt DEKs within Key Stores.  To convert the *NEW version into the *CURRENT version, an authorized Key Officer must set the Master Key using the CRYPTO/SETMSTKEY command.

*CURRENT Version

The *CURRENT version of a MEK is the active version, which can be associated with Key Stores.

*OLD Version

The *OLD version of a MEK is the prior *CURRENT version of the MEK.  The *OLD version cannot be associated with new Key Stores.  However, DEKs in existing Key Stores may still be encrypted under the *OLD version until they are translated to the *CURRENT version (using the TRNKEYSTR command).
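The following Python model is an added illustration of the *NEW / *CURRENT / *OLD lifecycle described above; it is not Powertech's code and does not use the product's algorithms.  It shows LODMSTKEY collecting passphrase parts from distinct officers until *NEW exists, SETMSTKEY promoting *NEW to *CURRENT and demoting the previous *CURRENT to *OLD, a Key Store wrapping DEKs only under *CURRENT, DEKs left under *OLD staying readable until TRNKEYSTR re-wraps them, and what happens when CLRMSTKEY *OLD is run before that translation.  The PBKDF2 derivation, the XOR-keystream stand-in for AES key wrapping, and every name and value (OFFICER1, ORDERS_DEK, the passphrases, the DEK bytes) are constructed assumptions for the demo.

```python
import hashlib
import hmac

# Constructed model of the MEK version lifecycle described on this page.
# derive_mek() and wrap() are dependency-free stand-ins (PBKDF2, XOR with an
# HMAC keystream), not the product's algorithms: the real MEK is AES-256.

LABELS = ("*NEW", "*CURRENT", "*OLD")

def derive_mek(parts):
    """Stand-in KDF (assumption): 256-bit key from the ordered passphrase parts."""
    return hashlib.pbkdf2_hmac("sha256", "\x00".join(parts).encode(), b"demo-salt", 50_000, dklen=32)

def wrap(key, data):
    """Stand-in for AES key wrap (not AES): XOR with an HMAC keystream, self-inverse."""
    stream = b"".join(hmac.new(key, bytes([i]), "sha256").digest() for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, stream))

class MasterKey:
    """One MEK; each version slot holds (generation, key) or None."""
    def __init__(self, parts_required):
        self.parts_required, self.generation = parts_required, 0
        self.pending = []                       # (officer, part) loaded so far
        self.slots = dict.fromkeys(LABELS)

    def lodmstkey(self, officer, part):
        """LODMSTKEY: one officer loads one part; *NEW exists once all parts are in."""
        if any(o == officer for o, _ in self.pending):
            raise PermissionError(f"{officer} already loaded a part")
        self.pending.append((officer, part))
        if len(self.pending) == self.parts_required:
            self.generation += 1
            self.slots["*NEW"] = (self.generation, derive_mek([p for _, p in self.pending]))
        return len(self.pending)

    def setmstkey(self):
        """SETMSTKEY: *NEW -> *CURRENT, previous *CURRENT -> *OLD (older *OLD is gone)."""
        if self.slots["*NEW"] is None:
            raise RuntimeError("*NEW is not fully loaded")
        self.slots["*OLD"], self.slots["*CURRENT"] = self.slots["*CURRENT"], self.slots["*NEW"]
        self.slots["*NEW"], self.pending = None, []

    def clrmstkey(self, label):
        """CLRMSTKEY: clear one version (and any parts loaded toward *NEW)."""
        self.slots[label] = None
        if label == "*NEW":
            self.pending = []

    def key_for(self, generation):
        for label in ("*CURRENT", "*OLD"):      # *NEW never protects DEKs
            slot = self.slots[label]
            if slot and slot[0] == generation:
                return slot[1]
        return None

class KeyStore:
    """Key store whose DEKs record the MEK generation they are wrapped under."""
    def __init__(self, mek):
        if mek.slots["*CURRENT"] is None:
            raise RuntimeError("a key store can only be associated with a *CURRENT MEK")
        self.mek, self.entries = mek, {}        # DEK label -> (generation, wrapped DEK)

    def add_dek(self, label, dek):
        gen, key = self.mek.slots["*CURRENT"]
        self.entries[label] = (gen, wrap(key, dek))

    def get_dek(self, label):
        gen, blob = self.entries[label]
        key = self.mek.key_for(gen)
        if key is None:
            raise RuntimeError(f"{label}: MEK generation {gen} has been cleared")
        return wrap(key, blob)                  # XOR stand-in: wrap == unwrap

    def is_readable(self, label):
        return self.mek.key_for(self.entries[label][0]) is not None

    def trnkeystr(self):
        """TRNKEYSTR: re-wrap DEKs still under *OLD to *CURRENT; returns how many."""
        cur_gen, cur_key = self.mek.slots["*CURRENT"]
        stale = [lbl for lbl, (gen, _) in self.entries.items() if gen != cur_gen]
        for lbl in stale:
            self.entries[lbl] = (cur_gen, wrap(cur_key, self.get_dek(lbl)))
        return len(stale)

def rotation_walkthrough(translate=True):
    """Constructed lifecycle; returns (readable after rotation, DEKs translated, readable after CLRMSTKEY *OLD)."""
    mek = MasterKey(parts_required=2)
    mek.lodmstkey("OFFICER1", "correct horse")
    mek.lodmstkey("OFFICER2", "battery staple")
    mek.setmstkey()                             # generation 1 becomes *CURRENT
    store, dek = KeyStore(mek), bytes(range(32))   # constructed 256-bit DEK
    store.add_dek("ORDERS_DEK", dek)
    mek.lodmstkey("OFFICER1", "new part one")
    mek.lodmstkey("OFFICER3", "new part two")
    mek.setmstkey()                             # generation 2 *CURRENT, 1 *OLD
    readable_after_rotate = store.get_dek("ORDERS_DEK") == dek
    moved = store.trnkeystr() if translate else 0
    mek.clrmstkey("*OLD")
    return readable_after_rotate, moved, store.is_readable("ORDERS_DEK")
```

Running rotation_walkthrough() gives (True, 1, True): the DEK stays readable under *OLD after the rotation, TRNKEYSTR moves it to *CURRENT, and clearing *OLD afterwards is harmless.  Running rotation_walkthrough(translate=False) gives (True, 0, False), which is the operational point of the *OLD version: clear it only after every Key Store that still depends on it has been translated.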

How to Get There

From the Main Menu, choose option 2, Master Key Menu.

Options

1. Load Master Encryption Key (LODMSTKEY)

Choose this option to open the Load Master Encryption Key (LODMSTKEY) panel, where authorized users can specify the passphrase parts for a *NEW version of the Master Encryption Key (MEK).

2. Set Master Encryption Key (SETMSTKEY)

Choose this option to open the Set Master Key (SETMSTKEY) panel, which allows authorized users to set the Master Encryption Key (MEK).

3. Display Master Key Attributes (DSPMSTKEY)

Choose this option to open the Display Master Key Attributes (DSPMSTKEY) panel, which allows authorized users to display attributes for a Master Encryption Key (MEK).

4. Clear Master Encryption Key (CLRMSTKEY)

Choose this option to open the Clear Master Encryption Key (CLRMSTKEY) panel, which allows authorized users to clear a version of the Master Encryption Key (MEK).