Provided by: opencryptoki_3.21.0+dfsg-0ubuntu1.1_amd64 bug

NAME

       pkcshsm_mk_change  - utility to manage and control the re-enciphering of secure keys for a
       concurrent HSM master key change for openCryptoki.

SYNOPSIS

       pkcshsm_mk_change command [OPTIONS]

       pkcshsm_mk_change --help|-h

DESCRIPTION

       Manages and controls the re-enciphering of secure keys for a  concurrent  HSM  master  key
       change  for  openCryptoki.  Secure  keys  are  encrypted by the HSM master key(s). The HSM
       master key(s) must be changed (rolled) from time to time, dependent on policies defined by
       the  HSM  security officer. Whenever a HSM master key is changed, all secure keys that are
       encrypted with that HSM master key must be re-enciphered with the new  to  be  set  master
       key.

       Changing  HSM  master keys needs to be coordinated between the HSM security officer and an
       openCryptoki administrator. The HSM security officer performs a master key change via  the
       TKE  (Trusted  Key  Entry),  while  the openCryptoki administrator performs administrative
       steps using the pkcshsm_mk_change tool to re-encipher all openCryptoki token  and  session
       key  objects, as well as currently active crypto operation states with the new master key.
       Applications using those keys can continue to run, the re-enciphering process takes  place
       transparently to them.

       A concurrent master key change works as follows:

         1. The  HSM  security  officer  loads  the  new  master  keys using the TKE into the NEW
            register of the set of APQNs logically belonging together.

         2. The HSM security officer notifies the openCryptoki administrator that new master keys
            have been loaded for all the APQNs.

         3. The  openCryptoki  administrator  uses the pkcshsm_mk_change to initiate a master key
            change for openCryptoki, specifying the set of APQNs (and master key types) that  are
            to  be changed. The pkcshsm_mk_change tool communicates with running applications and
            performs/controls re-encipherment of the key objects with the new master key.

         4. When the pkcshsm_mk_change tool has completed  its  re-encipherment  processing,  the
            openCryptoki  administrator  notifies  the  HSM security officer that openCryptoki is
            ready to set/activate the new master keys.

         5. The HSM security officer coordinates with other (non-openCryptoki)  applications  and
            once  all  users  of  the  APQNs are OK, he sets/activates the new master keys on the
            APQNs.

         6. The HSM security officer notifies the openCyptoki administrator when  for  all  APQNs
            the new master key have been set/activated.

         7. The openCryptoki administrator uses the pkcshsm_mk_change tool to finalize the master
            key change for openCryptoki. The tool  communicates  with  running  applications  and
            performs/controls  finalizing  the  re-encipherment  of  the key objects with the new
            master key.

         8. When the pkcshsm_mk_change tool has completed its finalizing processing,  the  master
            key change operation is complete.

       The  whole procedure can take an arbitrary amount of time. Especially the time between the
       moment when the new master key has been loaded on all APQNs, and the moment the new master
       keys  are  set/activated can even last several days, due to time required for coordination
       with other (non-openCryptoki) applications/users of the APQNs to prepare  for  the  master
       key change.

       The  time  to  perform  the  re-encipherment  and  finalization (steps 3 and 7) of all key
       objects as such depends on the amount of keys and openCryptoki  applications  using  them,
       but is usually relatively short, i.e. seconds up to a few minutes.

       The  system where openCryptoki runs may be restarted while a master key change is ongoing,
       provided that the  re-encipherment  and  finalization  steps  (steps  3  and  7)  are  not
       interrupted.

       An  ongoing  master key change operation can be canceled using the pkcshsm_mk_change tool,
       as long as for none of the APQNs the new master key has been set/activated, that is up  to
       step 5 from above.

COMMANDS

   Initiate a master key change for openCryptoki
       pkcshsm_mk_change  reencipher  [--apqns|-a APQNS] [--ep11-wkvp|-e WKVP] [--cca-sym-mkvp|-s
       MKVP]  [--cca-asym-mkvp|-S  MKVP]  [--cca-aes-mkvp|-A  MKVP]   [--cca-apka-mkvp|-p   MKVP]
       [--verbose|-v LEVEL]

       Use  the  reencipher  command  to initiate a master key change operation for the specified
       APQNs and master key types and re-encipher all  session  and  token  key  objects  of  the
       affected tokens. For each master key type that is changed, the verification pattern of the
       new, to be set master key must be specified.

       A CryptoExpress adapter in CCA coprocessor mode has 4 different master  keys:  SYM,  ASYM,
       AES, and APKA. The CCA token of openCryptoki only uses SYM, AES, and APKA. Each master key
       type can be change individually, or together with others. You  can  use  the  TKE  or  the
       panel.exe  tool  to  query  the  master  key  verification patterns: 'panel.exe --mk-query
       --mktype=<type> --mkregister=NEW'.  For master key types SYM and ASYM, use the hex  string
       under  [RND],  for types AES and APKA use the hex string under [VER]. For AES and APKA you
       can   also   find   the   master   key    verification    patterns    in    sysfs:    'cat
       /sys/bus/ap/devices/<card>.<domain>/mkvps'.

       A  CryptoExpress adapter in EP11 coprocessor mode has only one master key, called the EP11
       wrapping key (WK). You can use the TKE or the ep11info tool to query the current  wrapping
       key  verification  pattern (WKVP) of an EP11 APQN: 'ep11info -m <adapter> -d <domain> -D'.
       You can also find the wrapping key verification pattern for  EP11  APQNs  in  sysfs:  'cat
       /sys/bus/ap/devices/<card>.<domain>/mkvps'.

       the  pkcshsm_mk_change  reencipher command will query all available slots and determine if
       the token in the slot is affected by the master key change, based on the list of APQNs and
       master key types. For each affected slot, it prompts for the USER pin.

       On successful completion, the id of the master key change operation is displayed.  This id
       must later be specified when finalizing or canceling the operation using the  finalize  or
       cancel command.

   Finalize a master key change for openCryptoki
       pkcshsm_mk_change finalize [--id|-i OPERATION-ID] [--verbose|-v LEVEL]

       Use the finalize command to finalize a master key change operation when the new master key
       has been activated on the APQNs. The id of the master key  change  operation  to  finalize
       must be specified.

   Cancel a master key change for openCryptoki
       pkcshsm_mk_change cancel [--id|-i OPERATION-ID] [--verbose|-v LEVEL]

       Use  the  cancel  command to finalize a master key change operation.  The id of the master
       key change operation to cancel must be specified.  A master key change operation can  only
       be canceled as long as for none of the APQNs the new master key have been set/activated.

   List master key change operations
       pkcshsm_mk_change list [--id|-i OPERATION-ID] [--verbose|-v LEVEL]

       Use  the  list  command  to  list  currently  active  master  key change operations. If no
       operation ID  is  specified,  all  currently  active  master  key  change  operations  are
       displayed, otherwise only the specified one is displayed.

OPTIONS

       -a, --apqns APQNS
              Specifies  a  comma  separated list of APQNs for which a master key change is to be
              performed. Each APQN must be specified in the form  card.domain,  where  both  card
              and  domain  are  in  hex, as displayed by the lszcrypt command. Multiple APQNs are
              separated by a comma.  This options is only valid with the reencipher command.

       -e, --ep11-wkvp WKVP
              Specifies the EP11 wrapping key verification pattern (WKVP) of the new, to  be  set
              EP11  wrapping  key  as a 16 bytes hex string.  This options is only valid with the
              reencipher command.  You can use the TKE or the ep11info tool to query the  current
              wrapping key verification pattern (WKVP) of an EP11 APQN: 'ep11info -m <adapter> -d
              <domain> -D'.  You can also find the wrapping key  verification  pattern  for  EP11
              APQNs in sysfs: 'cat /sys/bus/ap/devices/<card>.<domain>/mkvps'.

       -s, --cca-sym-mkvp MKVP
              Specifies  the CCA master key verification pattern (MKVP) of the new, to be set CCA
              SYM master key as a 8 bytes hex string.   This  options  is  only  valid  with  the
              reencipher  command.  You can use the TKE or the panel.exe tool to query the master
              key verification patterns: 'panel.exe  --mk-query  --mktype=SYM  --mkregister=NEW'.
              Use the hex string under [RND].

       -S, --cca-asym-mkvp MKVP
              Specifies  the CCA master key verification pattern (MKVP) of the new, to be set CCA
              ASYM master key as a 8 bytes hex string.  This  options  is  only  valid  with  the
              reencipher  command.  You can use the TKE or the panel.exe tool to query the master
              key verification patterns: 'panel.exe --mk-query  --mktype=ASYM  --mkregister=NEW'.
              Use the hex string under [RND].

       -A, --cca-aes-mkvp MKVP
              Specifies  the CCA master key verification pattern (MKVP) of the new, to be set CCA
              AES master key as a 8 bytes hex string.   This  options  is  only  valid  with  the
              reencipher  command.  You can use the TKE or the panel.exe tool to query the master
              key verification patterns: 'panel.exe  --mk-query  --mktype=AES  --mkregister=NEW'.
              Use  the hex string under [VER].  You can also find the AES master key verification
              patterns in sysfs: 'cat /sys/bus/ap/devices/<card>.<domain>/mkvps'.

       -p, --cca-apka-mkvp MKVP
              Specifies the CCA master key verification pattern (MKVP) of the new, to be set  CCA
              APKA  master  key  as  a  8  bytes hex string.  This options is only valid with the
              reencipher command.  You can use the TKE or the panel.exe tool to query the  master
              key  verification  patterns: 'panel.exe --mk-query --mktype=APKA --mkregister=NEW'.
              Use the hex string under [VER].  You can also find the APKA master key verification
              patterns in sysfs: 'cat /sys/bus/ap/devices/<card>.<domain>/mkvps'.

       -i, --id OPERATION-ID
              Specifies  the  id  of the master key change operation for the finalize, cancel, or
              list command. On successful completion of the reencipher command,  the  id  of  the
              master key change operation is displayed.

       -v, --verbose LEVEL
              Specifies  the  verbose level (optional): none (default), error, warn, info, devel,
              or debug.

       -h, --help
              Displays help text and exits.

SEE ALSO

       opencryptoki(7)