On 6 Aug 2019 07:59:59 -0700, in bit.listserv.ibm-main
(Message-ID:<lnxp265mb1484a20a9858d5a5271421bec7...@lnxp265mb1484.gbrp265.prod.outlook.com>)
[email protected] (Lennie Dymoke-Bradshaw) wrote:
Access to the ICSF CKDS would not be enough, as the keys
held there are encrypted (wrapped) using the master key.
The master key is held in the Crypto Express domain
corresponding to the LPAR in question. There is no
interface to extract the master key from the Crypto
Express device. The Crypto Express device is a FIPS 140-2
level 4 device so it will resist all sorts of attempts to
get at the master keys. It will destroy those keys before
you can get them out.

Are you suggesting that if the Crypto Express device goes
belly-up, that all encrypted data is forevermore
unavailable? How does one decrypt during disaster testing
or a real disaster?