Key Backup and Recovery

Automatic Key Backup (to disk)

Powertech Encryption for IBM i will automatically perform backups into Save Files before specific maintenance activities are performed within the product.  This will allow you to recover prior values in case of accidental changes.

Key Stores

Your organization’s Data Encryption Keys (DEKs) are contained within Key Stores.  The Key Stores are Validation List (*VLDL) objects.  The names (and library locations) of these *VLDL objects are the names that were specified on the CRTKEYSTR (Create Key Store) command, unless they were later moved or renamed.

Before a Key Store is translated to another MEK, an automatic backup of the Key Store’s *VLDL object is performed into a uniquely named Save File.  This Save File will have the name of BACKUPxxxx, where xxxx is a sequential number from 1 to 9999.  The Save File will be created in the same library as the *VLDL object.

Master Encryption Keys (MEKs)

The Master Encryption Keys (MEKs) are stored in a Validation List (*VLDL) object named CRVL001, which is stored in the CRYPTO library by default. 

Before a Master Encryption Key (MEK) is set (created), an automatic backup of the CRVL001 *VLDL object is performed into a uniquely named Save File.  This Save File will have the name of BACKUPxxxx, where xxxx is a sequential number from 1 to 9999.  The Save File will be created in the same library as the *VLDL object.

Removing BACKUP save files

The BACKUPxxxx save files should be removed periodically in order to minimize disk usage and to ensure that old keys and data do not remain on the system.  These BACKUPxxxx save files should only be removed after you are confident that your applications are working properly.
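As an added illustration (not part of the Powertech documentation or product), the following CL program restores a backed-up *VLDL object from one of the automatic BACKUPxxxx save files, and, as a separate action run only after applications are verified, deletes that save file.  The program name KEYRCV, the save file name BACKUP0001 and the default CRYPTO library are assumptions; adjust them for your system.

```cl
/* KEYRCV - added example, not part of the product.                    */
/* RESTORE: restore a Key Store or the CRVL001 MEK object from an      */
/*          automatic BACKUPxxxx save file in the same library.        */
/* CLEANUP: delete that save file once applications are confirmed OK.  */
/* Call examples (assumed names):                                      */
/*   CALL PGM(MYLIB/KEYRCV) PARM('RESTORE' 'CRVL001' 'BACKUP0001')     */
/*   CALL PGM(MYLIB/KEYRCV) PARM('CLEANUP' 'CRVL001' 'BACKUP0001')     */
PGM PARM(&ACTION &OBJ &SAVF)
  DCL VAR(&ACTION) TYPE(*CHAR) LEN(7)
  DCL VAR(&OBJ)    TYPE(*CHAR) LEN(10)
  DCL VAR(&SAVF)   TYPE(*CHAR) LEN(10)
  /* Library holding both the *VLDL and its BACKUPxxxx save file.      */
  /* CRYPTO is the product default; assumed here.                      */
  DCL VAR(&LIB)    TYPE(*CHAR) LEN(10) VALUE('CRYPTO')

  IF COND(&ACTION *EQ 'RESTORE') THEN(DO)
    /* Confirm the save file really holds the expected *VLDL before   */
    /* the live object is replaced.                                   */
    DSPSAVF FILE(&LIB/&SAVF)

    /* Restore over the current object.  ALWOBJDIF(*ALL) allows the   */
    /* restore when owner or creation date differ from the saved copy.*/
    /* Note: a Key Store backup taken before a translation to another */
    /* MEK holds keys protected by the previous MEK, so restore it    */
    /* together with the MEK state that was in effect at that time.   */
    RSTOBJ OBJ(&OBJ) SAVLIB(&LIB) DEV(*SAVF) OBJTYPE(*VLDL) +
           SAVF(&LIB/&SAVF) ALWOBJDIF(*ALL)
    MONMSG MSGID(CPF0000) EXEC(DO)
      SNDPGMMSG MSG('Restore failed; object and save file unchanged') +
                MSGTYPE(*ESCAPE)
    ENDDO
    SNDPGMMSG MSG('Restore complete; verify applications before CLEANUP')
  ENDDO

  IF COND(&ACTION *EQ 'CLEANUP') THEN(DO)
    /* Remove the save file so old key material does not linger.      */
    DLTF FILE(&LIB/&SAVF)
    MONMSG MSGID(CPF2105)   /* already gone: nothing to do           */
  ENDDO
ENDPGM
```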