Working with Key Stores

You can use the following procedures to view and manage Key Stores:

To translate a Key Store

NOTE: Run TRNKEYSTR immediately after the SETMSTKEY command has been used to replace the *CURRENT version of a Master Encryption Key with the *NEW version. Translating the Key Store re-encrypts its entries under the Master Key version that is now *CURRENT; until that is done, the Key Store still depends on the previous version.
IMPORTANT: Before the Key Store is translated, the Validation List (*VLDL) object that contains the Key Store is backed up into a Save File object (sequentially named) within the Powertech Encryption for IBM i library.
  1. Prompt (F4) the CRYPTO/TRNKEYSTR command. The Translate Key Store (TRNKEYSTR) panel appears.
  2. Press F1 on any parameter for complete online help text.
  3. Press Enter after the parameter values are entered.
IMPORTANT: After running TRNKEYSTR, verify that the Key verification value (KEYVV) of the Key Store matches the KEYVV of the Master Key by viewing the two values with the DSPKEYSTR and DSPMSTKEY commands.

To display Key Store attributes

The DSPKEYSTR command allows authorized users to display the attributes of a Key Store. It is primarily useful for viewing the id number and version of the Master Encryption Key (MEK) with which the Key Store entries are encrypted.

Do the following steps to view a Key Store’s attributes:

  1. Prompt (F4) the CRYPTO/DSPKEYSTR command. The Display Key Store Attributes (DSPKEYSTR) panel appears.
  2. Enter the Key Store name to display, and then press Enter.
  3. The Key Store’s attributes will be displayed.
  4. Press F1 on any parameter for complete online help text.
NOTE: The Master Key's Key verification value (KEYVV) is stored with each Key Store created using that Master Key. When a Key Store is accessed by a user or application, Powertech Encryption for IBM i compares the KEYVV of the Key Store with the KEYVV of its corresponding Master Key. If the values match, the Master Key is determined to be valid for the Key Store; if they do not match, it is not.

To delete a Key Store

Since a Key Store is created as a validation list (*VLDL) object on the IBM i, you can delete a Key Store by using IBM’s DLTVLDL (Delete Validation List) command.

To delete the Key Store, the user must have authority to the DLTVLDL command and must have *OBJEXIST rights to the Validation List object.

WARNING: Do not delete a Key Store which may contain Data Encryption Keys (DEKs) that are needed to decrypt existing data.
WARNING: Back up the Key Store before deleting it. 

Do the following steps to delete a Key Store:

  1. Back up the Validation List (*VLDL) object to backup media or to a Save File object.
  2. Prompt (F4) the DLTVLDL command.
  3. Specify the Key Store name and library, and then press Enter.
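The delete procedure above as a CL program, added here as an example; it is not part of the product documentation or of the product's own code. It checks the *OBJEXIST authority that DLTVLDL requires, saves the validation list to a save file, and only then deletes it. The library, Key Store and save-file names are parameters, and the only commands used are IBM's CHKOBJ, CRTSAVF, SAVOBJ and DLTVLDL. The warning about Data Encryption Keys still applies: nothing in this program can tell whether encrypted data depends on the keys in the store, so that check remains a manual one.

```cl
/* Added example, not product code: back up a Key Store (*VLDL) to a    */
/* save file, then delete it with DLTVLDL.                              */
/* Parameters (all placeholders chosen for this example):               */
/*   &LIB    library containing the Key Store                           */
/*   &KEYSTR Key Store (validation list) name                           */
/*   &SAVF   save file to create in &LIB for the backup                 */
             PGM        PARM(&LIB &KEYSTR &SAVF)
             DCL        VAR(&LIB)    TYPE(*CHAR) LEN(10)
             DCL        VAR(&KEYSTR) TYPE(*CHAR) LEN(10)
             DCL        VAR(&SAVF)   TYPE(*CHAR) LEN(10)

             /* DLTVLDL needs *OBJEXIST to the validation list. Check  */
             /* it first so a partial run never leaves a backup that  */
             /* nobody asked for. CPF9800 monitors the whole CPF98xx  */
             /* range (object not found, library not found, not      */
             /* authorized).                                          */
             CHKOBJ     OBJ(&LIB/&KEYSTR) OBJTYPE(*VLDL) AUT(*OBJEXIST)
             MONMSG     MSGID(CPF9800) EXEC(DO)
                SNDPGMMSG  MSGID(CPF9898) MSGF(QCPFMSG) +
                           MSGDTA('Key Store not found or missing +
                                   *OBJEXIST authority; nothing deleted') +
                           MSGTYPE(*ESCAPE)
             ENDDO

             /* Create the save file. Failing if it already exists     */
             /* avoids silently overwriting an earlier backup.         */
             CRTSAVF    FILE(&LIB/&SAVF) +
                        TEXT('Backup of Key Store taken before DLTVLDL')
             MONMSG     MSGID(CPF0000) EXEC(DO)
                SNDPGMMSG  MSGID(CPF9898) MSGF(QCPFMSG) +
                           MSGDTA('Save file already exists or could not +
                                   be created; nothing deleted') +
                           MSGTYPE(*ESCAPE)
             ENDDO

             /* Save the validation list itself. The Key Store is     */
             /* deleted only if this save completes.                  */
             SAVOBJ     OBJ(&KEYSTR) LIB(&LIB) DEV(*SAVF) +
                        OBJTYPE(*VLDL) SAVF(&LIB/&SAVF)
             MONMSG     MSGID(CPF0000) EXEC(DO)
                SNDPGMMSG  MSGID(CPF9898) MSGF(QCPFMSG) +
                           MSGDTA('Backup of Key Store failed; nothing +
                                   deleted') +
                           MSGTYPE(*ESCAPE)
             ENDDO

             /* Backup verified to have completed; now delete.        */
             DLTVLDL    VLDL(&LIB/&KEYSTR)
             MONMSG     MSGID(CPF0000) EXEC(DO)
                SNDPGMMSG  MSGID(CPF9898) MSGF(QCPFMSG) +
                           MSGDTA('DLTVLDL failed; backup save file was +
                                   kept') +
                           MSGTYPE(*ESCAPE)
             ENDDO

             SNDPGMMSG  MSG('Key Store deleted; backup retained in +
                             save file') MSGTYPE(*COMP)
             ENDPGM
```

Compile it with CRTCLPGM (or CRTBNDCL) and call it as CALL PGM(MYLIB/DLTKEYSTR) PARM('MYLIB' 'MYKEYSTR' 'KEYSTRBKP'), substituting your own names. Keep the resulting save file on media you control: it holds the encrypted key material, and it is the only copy once DLTVLDL has run.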