At $previousjob we had copies of the ICSF Master Encryption Keys stored in 
secure locations. During disaster recovery testing authorized people would 
re-enter those keys into the crypto-express hardware on that processor. One 
time we also lost a crypto-express card on our production machine. The working 
card handled all of our encryption/decryption processing and when the failed 
card was replaced, we had to enter the ICSF master keys into it before it was 
able to be used.

Mark Jacobs

GPG Public Key - 
https://api.protonmail.ch/pks/lookup?op=get&[email protected]

‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
On Wednesday, August 7, 2019 2:55 AM, Arthur <[email protected]> wrote:

> On 6 Aug 2019 07:59:59 -0700, in bit.listserv.ibm-main
> (Message-ID:lnxp265mb1484a20a9858d5a5271421bec7...@lnxp265mb1484.gbrp265.prod.outlook.com)
> [email protected] (Lennie Dymoke-Bradshaw) wrote:
>
> > Access to the ICSF CKDS would not be enough, as the keys
> > held there are encrypted (wrapped) using the master key.
> > The master key is held in the Crypto Express domain
> > corresponding to the LPAR in question. There is no
> > interface to extract the master key from the Crypto
> > Express device. The Crypto Express device is a FIPS 140-2
> > level 4 device so it will resist all sorts of attempts to
> > get at the master keys. It will destroy those keys before
> > you can get them out.
>
> Are you suggesting that if the Crypto Express device goes
> belly-up, that all encrypted data is forevermore
> unavailable? How does one decrypt during disaster testing
> or a real disaster?

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [email protected] with the message: INFO IBM-MAIN

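The following is an added illustration of the point Lennie and Mark make above; it is not code from the thread and not ICSF's or IBM's implementation. It models a CKDS that holds only wrapped keys, a Crypto Express domain whose master key has no read-out interface, and the recovery path Mark describes: when the card is lost, the stored master-key parts are re-entered into the replacement card and the existing CKDS becomes usable again. Assumptions are labelled in the code: the master key is taken to be the XOR of separately held key parts (ICSF-style key part entry), the key check value is a hash-based stand-in for ICSF's verification pattern, and the wrap itself is an HMAC-SHA256 keystream plus tag standing in for the AES/DES key wrapping that the real card performs internally.

```python
import hashlib
import hmac
import secrets

KEY_LEN = 32  # toy master-key and data-key length in bytes


def combine_key_parts(parts):
    """Master key = XOR of all key parts (assumed ICSF-style key part entry).
    Each custodian knows one part; nobody holds the whole key."""
    mk = bytes(KEY_LEN)
    for part in parts:
        if len(part) != KEY_LEN:
            raise ValueError("key part has wrong length")
        mk = bytes(a ^ b for a, b in zip(mk, part))
    return mk


def key_check_value(mk):
    """Short value custodians compare to confirm the same master key was
    entered, without revealing it (hash-based stand-in, not ICSF's pattern)."""
    return hashlib.sha256(b"toy-kcv|" + mk).hexdigest()[:16]


def _keystream(mk, nonce, length):
    """Toy keystream from the master key; the real card uses AES/DES wrapping."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(mk, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def wrap_key(mk, label, key_material):
    """Build a CKDS-style record: operational key encrypted under the master
    key, with an integrity tag bound to the key label."""
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(key_material, _keystream(mk, nonce, len(key_material))))
    tag = hmac.new(mk, b"tag|" + label.encode() + nonce + ct, hashlib.sha256).digest()
    return {"label": label, "nonce": nonce, "ct": ct, "tag": tag}


def unwrap_key(mk, record):
    """Recover the operational key; fail closed on a wrong master key."""
    msg = b"tag|" + record["label"].encode() + record["nonce"] + record["ct"]
    if not hmac.compare_digest(hmac.new(mk, msg, hashlib.sha256).digest(), record["tag"]):
        raise ValueError("wrong master key or corrupted CKDS record")
    ks = _keystream(mk, record["nonce"], len(record["ct"]))
    return bytes(a ^ b for a, b in zip(record["ct"], ks))


class CryptoExpressDomain:
    """Toy Crypto Express domain: the master key lives only in card memory
    and can be loaded or destroyed, never read out."""

    def __init__(self):
        self._mk = None

    def load_master_key(self, parts):
        self._mk = combine_key_parts(parts)
        return key_check_value(self._mk)

    def fail(self):
        """Card failure or tamper response: the master key is gone."""
        self._mk = None

    def _require_mk(self):
        if self._mk is None:
            raise RuntimeError("no master key loaded in this domain")
        return self._mk

    def wrap(self, label, key_material):
        return wrap_key(self._require_mk(), label, key_material)

    def unwrap(self, record):
        return unwrap_key(self._require_mk(), record)


def disaster_recovery_scenario():
    """Walk through the thread's scenario and report each step's outcome."""
    parts = [secrets.token_bytes(KEY_LEN) for _ in range(3)]  # constructed: three custodians' parts
    data_key = secrets.token_bytes(KEY_LEN)                    # constructed operational key

    prod_card = CryptoExpressDomain()
    kcv_original = prod_card.load_master_key(parts)
    ckds = {"DATA.KEY.001": prod_card.wrap("DATA.KEY.001", data_key)}
    results = {"kcv_original": kcv_original}

    # 1. The CKDS never holds the clear key, only the wrapped form.
    results["clear_key_in_ckds"] = data_key in ckds["DATA.KEY.001"].values()

    # 2. A copy of the CKDS without the master key cannot be unwrapped.
    try:
        unwrap_key(secrets.token_bytes(KEY_LEN), ckds["DATA.KEY.001"])
        results["unwrap_without_mk"] = "succeeded"
    except ValueError:
        results["unwrap_without_mk"] = "rejected"

    # 3. The card fails: its master key is gone, so the CKDS is unusable.
    prod_card.fail()
    try:
        prod_card.unwrap(ckds["DATA.KEY.001"])
        results["unwrap_after_failure"] = "succeeded"
    except RuntimeError:
        results["unwrap_after_failure"] = "no master key"

    # 4. Replacement card: re-enter the stored parts, confirm the KCV, then
    #    the unchanged CKDS yields the original key again.
    new_card = CryptoExpressDomain()
    results["kcv_matches"] = new_card.load_master_key(parts) == kcv_original
    results["data_key_recovered"] = new_card.unwrap(ckds["DATA.KEY.001"]) == data_key

    # 5. A mistyped part is caught by the KCV before any production use.
    bad_parts = parts[:2] + [secrets.token_bytes(KEY_LEN)]
    results["bad_entry_detected"] = CryptoExpressDomain().load_master_key(bad_parts) != kcv_original
    return results


if __name__ == "__main__":
    for step, outcome in disaster_recovery_scenario().items():
        print(f"{step}: {outcome}")
```

Running the block prints one line per step. The design point worth noticing is step 5: the key check value is compared before the CKDS is touched, so a custodian's typo surfaces as a mismatch rather than as a stream of decryption failures later, which is the same reason verification patterns are checked during real master key entry.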