Unless they own the DR machine... in which case it should become part of
the MK ceremony.

If you have 1 TKE and you own the DR machine, the TKE could manage the
remote site as well.  You would just have to set up the procedure to enroll
another TKE in the case of DR... and store a copy of the smart cards at the
2nd site.

The other way for MKs would be using tamper-evident envelopes,
dual-controlled / logged access to the 3 key parts and some security
measure guarding the keys.  You should need at least 3 people to make an MK
ceremony... in reality... it would probably be more.

Also, CLEARLY documented procedures that are easy to follow and have
sign-offs for each of the steps.  Security logging/alerts, review of
logging/alerts that is verifiable... escalation procedures for possible
breach, key change procedures... etc.

TKE should be set up in such a way as to prevent others from tampering...
dual locked cabinet?

Rob

Rob Schramm
Senior Systems Consultant
Imperium Group



On Thu, May 16, 2013 at 2:16 PM, Rob Schramm <[email protected]> wrote:

> Todd... ooops.  That's what I get for relying on memory!!
>
>
>
>
>
> Rob Schramm
> Senior Systems Consultant
> Imperium Group
>
>
>
> On Wed, May 15, 2013 at 8:08 AM, Todd Arnold <[email protected]> wrote:
>
>> > There is/was a way to set a CEX card to allow it to keep the MK loaded
>> > while being transferred between machines.
>>
>> Yes, but you also need a TKE to do this.  You can "enable" or "disable"
>> the crypto card.  When the card is "disabled", you cannot perform any
>> application-oriented crypto functions with it - for example, encrypting
>> data, managing keys, etc.  The only things you can do are the functions
>> related to re-enabling the card, which is done via TKE.  While the card is
>> in "disabled" state, you can remove it from your machine and it will not
>> lose any of the stored data such as the master keys - but you also cannot
>> USE those master keys for anything until the card is re-enabled, and that
>> is not possible except through TKE by two authorized administrators.
>>
>> Here is part of the description that is in the TKE user's manual:
>>
>> --------------------------
>> A crypto module is either enabled or disabled. When a crypto module is
>> enabled, it is available for processing. You can change the status of the
>> module by pressing the Enable Crypto Module / Disable Crypto Module push
>> button. Enable Crypto Module is a dual-signature command and another
>> authority may need to co-sign. Disable Crypto Module is a single signature
>> command.
>>
>> Disabling a crypto module disables all the cryptographic functions for a
>> single crypto module, a group of crypto modules, or a domain group. This
>> disables the crypto module for the entire system, not just the LPAR that
>> issued the disable.
>> --------------------------
>>
>> Todd Arnold
>>
>> ----------------------------------------------------------------------
>> For IBM-MAIN subscribe / signoff / archive access instructions,
>> send email to [email protected] with the message: INFO IBM-MAIN
>>
>
>
