> There is/was a way to set a CEX card to allow it to keep the MK loaded > while being transferred between machines.
Yes, but you also need a TKE to do this. You can "enable" or "disable" the crypto card. When the card is "disabled", you cannot perform any application-oriented crypto functions with it - for example, encrypting data, managing keys, etc. The only things you can do are the functions related to re-enabling the card, which is done via TKE. While the card is in "disabled" state, you can remove it from your machine and it will not lose any of the stored data such as the master keys - but you also cannot USE those master keys for anything until the card is re-enabled, and that is not possible except through TKE by two authorized administrators. Here is part of the description that is in the TKE user's manual: -------------------------- A crypto module is either enabled or disabled. When a crypto module is enabled, it is available for processing. You can change the status of the module by pressing the Enable Crypto Module / Disable Crypto Module push button. Enable Crypto Module is a dual-signature command and another authority may need to co-sign. Disable Crypto Module is a single signature command. Disabling a crypto module disables all the cryptographic functions for a single crypto module, a group of crypto modules, or a domain group. This disables the crypto module for the entire system, not just the LPAR that issued the disable. -------------------------- Todd Arnold ---------------------------------------------------------------------- For IBM-MAIN subscribe / signoff / archive access instructions, send email to [email protected] with the message: INFO IBM-MAIN
