"MK Ceremony".  I like that.  :-)
Definitely what we'll have to do, as I'm pretty sure we're not going to remove 
one of our cryptocards and transport it to DR just for this.  Interesting idea, 
though!  Is there a way to copy the master keys from one co-processor to 
another?

>________________________________
> From: Rob Schramm <[email protected]>
>To: [email protected] 
>Sent: Tuesday, May 14, 2013 11:00 PM
>Subject: Re: ICSF master keys at DR site
> 
>
>Actually... There is a method.  But it would be a bit silly... And might
>fail for logistic reasons.
>
>There is/was a way to set a CEX card to allow it to keep the MK loaded
>while being transferred between machines.  I just remember reading about
>it... Not all the details about how long the card could be removed before
>re-installing it.
>
>You can always do it the old-fashioned way, and have the MK parts stored at
>the DR site and do a MK ceremony there.... not nearly as slick as having a
>TKE.
>
>Of course if you have a TKE at the primary site and store the MK on smart
>cards .. you'll have to be a bit more creative.  But all the methods I can
>think of leave you in a somewhat less secure state... Possibly manageable...
>But it would depend on the laws/regulations that you are under.
>
>Rob Schramm
>On May 14, 2013 1:11 PM, "Frank Swarbrick" <[email protected]>
>wrote:
>
>> Thank you (and Radoslaw) for your answers.
>>
>> >________________________________
>> > From: Todd Arnold <[email protected]>
>> >To: [email protected]
>> >Sent: Tuesday, May 14, 2013 7:35 AM
>> >Subject: Re: ICSF master keys at DR site
>> >
>> >
>> >Without a TKE, I don't think there is any other method.
>> >
>> >If you do have a TKE, there is a very nice and very secure method of
>> completely cloning everything from one crypto card to another one.  This
>> was added a couple of releases ago.  Here is the beginning of the
>> description from the current TKE user's guide (which I just retrieved from
>> Resource Link):
>> >
>> >-------------------------------
>> >Configuration migration
>> >
>> >The TKE workstation provides tools to securely capture host crypto module
>> >configuration data to a file, and then reapply this data to another host crypto
>> >module or crypto module group. The data that can be securely captured includes
>> >roles, authorities, domain control settings, and master keys. These tools simplify
>> >the task of installing new or replacement host crypto modules, and can be used for
>> >backup and disaster recovery as well.
>> >
>> >Two tools are provided: one that migrates only public configuration data (roles,
>> >authorities, domain control settings) and one that migrates all configuration data,
>> >including secret data, such as master key values. The protocol for migrating secret
>> >data is more complex than the protocol for migrating only public data, and
>> >requires the participation of several smart card holders.
>> >-------------------------------
>> >
>> >Todd Arnold
>> >
>> >----------------------------------------------------------------------
>> >For IBM-MAIN subscribe / signoff / archive access instructions,
>> >send email to [email protected] with the message: INFO IBM-MAIN