Actually... There is a method. But it would be a bit silly... And might fail for logistic reasons.
There is/was a way to set a CEX card to allow it to keep the MK loaded while being transferred between machines. I just remember reading about it... Not all the details about how long the card could be removed before re-installing it.

You can always do it the old-fashioned way. And have the MK parts stored at the DR site and do an MK ceremony there.... not nearly as slick as having a TKE. Of course if you have a TKE at the primary site and store the MK on smart cards .. you'll have to be a bit more creative. But all the methods I can think of leave you in a somewhat less secure state... Possibly manageable... But it would depend on the laws/regulation that you are under.

Rob Schramm

On May 14, 2013 1:11 PM, "Frank Swarbrick" <[email protected]> wrote:
> Thank you (and Radoslaw) for your answers.
>
> >________________________________
> > From: Todd Arnold <[email protected]>
> >To: [email protected]
> >Sent: Tuesday, May 14, 2013 7:35 AM
> >Subject: Re: ICSF master keys at DR site
> >
> >Without a TKE, I don't think there is any other method.
> >
> >If you do have a TKE, there is a very nice and very secure method of completely cloning everything from one crypto card to another one. This was added a couple of releases ago. Here is the beginning of the description from the current TKE user's guide (which I just retrieved from Resource Link):
> >
> >-------------------------------
> >Configuration migration
> >
> >The TKE workstation provides tools to securely capture host crypto module configuration data to a file, and then reapply this data to another host crypto module or crypto module group. The data that can be securely captured includes roles, authorities, domain control settings, and master keys. These tools simplify the task of installing new or replacement host crypto modules, and can be used for backup and disaster recovery as well.
> >
> >Two tools are provided: one that migrates only public configuration data (roles, authorities, domain control settings) and one that migrates all configuration data, including secret data, such as master key values. The protocol for migrating secret data is more complex than the protocol for migrating only public data, and requires the participation of several smart card holders.
> >-------------------------------
> >
> >Todd Arnold
> >
> >----------------------------------------------------------------------
> >For IBM-MAIN subscribe / signoff / archive access instructions,
> >send email to [email protected] with the message: INFO IBM-MAIN
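The "old-fashioned way" Rob describes, keeping MK parts at the DR site and running a key ceremony there, rests on split knowledge: each custodian holds one part, the parts are XORed together inside the ceremony, and a check value recorded at the primary site lets the custodians confirm the assembled key before activating it. The following is an added example (not code from the thread, from ICSF, or from TKE) that models that flow in Python. The check value is a truncated SHA-256 chosen for illustration; it is an assumption, not ICSF's master-key verification pattern algorithm, and the 32-byte key length and three-custodian layout are constructed for the demo.

```python
"""Split-knowledge master-key parts, as used in a manual key ceremony.

Added example, not code from the IBM-MAIN thread or from ICSF/TKE.
Each custodian holds one part; all parts XORed together give the key.
The check value (truncated SHA-256) is an assumption for illustration,
not ICSF's master-key verification pattern.
"""
import hashlib
import secrets

KEY_LEN = 32  # bytes; a 256-bit key length, chosen for the example


def split_key(key: bytes, n_parts: int) -> list[bytes]:
    """Split `key` into n_parts random shares whose XOR equals `key`.

    Any n_parts-1 shares are uniformly random and reveal nothing about key;
    every part is needed to rebuild it (n-of-n split knowledge).
    """
    if n_parts < 2:
        raise ValueError("need at least two custodians")
    parts = [secrets.token_bytes(len(key)) for _ in range(n_parts - 1)]
    last = key
    for p in parts:
        last = bytes(a ^ b for a, b in zip(last, p))
    parts.append(last)
    return parts


def combine_parts(parts: list[bytes]) -> bytes:
    """XOR all parts together; order of entry does not matter."""
    if not parts:
        raise ValueError("no parts supplied")
    key = bytes(len(parts[0]))
    for p in parts:
        if len(p) != len(key):
            raise ValueError("key parts differ in length")
        key = bytes(a ^ b for a, b in zip(key, p))
    return key


def check_value(key: bytes) -> str:
    """Short value recorded at the primary site and compared at DR.
    Constructed for this example (truncated SHA-256), not ICSF's MKVP."""
    return hashlib.sha256(b"mk-check:" + key).hexdigest()[:16]


def part_check_value(part: bytes) -> str:
    """Per-part check value so each custodian can verify their own envelope/card."""
    return hashlib.sha256(b"part-check:" + part).hexdigest()[:16]


def ceremony(parts: list[bytes], expected_key_check: str) -> bytes:
    """Assemble the key at the DR site and verify it against the recorded check.
    Returns the key on success; raises if any part is wrong or stale."""
    key = combine_parts(parts)
    if not secrets.compare_digest(check_value(key), expected_key_check):
        raise ValueError("master key check value mismatch; do not activate")
    return key


def demo() -> bool:
    """Walk through a three-custodian ceremony with constructed data."""
    master_key = bytes(range(KEY_LEN))          # constructed key for the demo
    parts = split_key(master_key, 3)            # one part per custodian
    recorded = check_value(master_key)          # written down at primary site

    rebuilt = ceremony(parts, recorded)         # honest DR ceremony
    assert rebuilt == master_key

    # A single corrupted part (one bit flipped) must be caught before activation
    bad = parts[:2] + [bytes(b ^ 0x01 for b in parts[2])]
    try:
        ceremony(bad, recorded)
        return False
    except ValueError:
        pass

    # No single custodian's part equals the key
    return all(p != master_key for p in parts)


if __name__ == "__main__":
    print("ceremony demo ok:", demo())
```

The per-part check values are what you would store alongside each custodian's part so a damaged or swapped envelope is found before the ceremony rather than after the key is combined; the whole-key check is the last gate before the assembled value is activated.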
