With release V5R4, IBM added significant and comprehensive support for cryptographic key management to the Cryptographic Services APIs. This support included the introduction of key stores and new key management facilities, as well as the integration of these valuable additions into the existing collection of cryptographic functions. Taken together, these offerings provide the foundation for a substantial improvement in the built-in cryptographic environment and security of i5/OS, and for a higher level of cohesion between the cryptographic APIs and the applications that take advantage of them.
As discussed earlier in this column, the new key store object offers a two-tier key store facility that allows you to store both key encryption keys and data encryption keys encrypted under the master key assigned to the key store in question. Under this scheme, the data keys stored in the key store are encrypted by the master key only.
Depending on the number of data encryption keys you have to manage and exchange, and on your preferences as far as key separation and storage are concerned, you might at some point need to store your data encryption keys encrypted under a key encryption key (KEK). Once your data encryption keys are encrypted under the KEK, you can store the data key in, for example, a data area, a user space, or a physical data file; the last of these is demonstrated in IBM’s cryptographic sample application presented in the Cryptographic Services APIs manual, in the section called “Scenario: Key Management and File Encryption Using the Cryptographic Services APIs” (link provided at the end of this article).
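To make the key hierarchy concrete, here is an added example (not IBM’s sample code and not the Qc3 APIs) that models the unwrap chain of the scheme just described in Go: the KEK record as held in the key store is opened with the master key, the data key stored outside the key store is opened with the KEK, and the data key opens the record itself. AES-GCM stands in for the key store’s own wrapping method, and the key and record names are constructed for the example.

```go
package main
import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// gcm: AES-GCM stand-in for the key store's wrapping (not the i5/OS Qc3 API).
func gcm(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err) // only a wrong AES key length can fail here
	}
	g, _ := cipher.NewGCM(block) // cannot fail for an AES block
	return g
}

// wrap encrypts pt under key, prefixing a fresh random nonce to the blob.
func wrap(key, pt []byte) []byte {
	g := gcm(key)
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		panic(err)
	}
	return g.Seal(nonce, nonce, pt, nil)
}

// unwrap reverses wrap; a wrong key or a tampered blob fails authentication.
func unwrap(key, blob []byte) ([]byte, error) {
	g := gcm(key)
	ns := g.NonceSize()
	if len(blob) < ns {
		return nil, errors.New("blob too short")
	}
	return g.Open(nil, blob[:ns], blob[ns:], nil)
}

// RecoverRecord walks the two-tier chain back: kekRecord is the KEK as held in the
// key store (under the master key only), wrappedDEK is the data key kept outside it.
func RecoverRecord(master, kekRecord, wrappedDEK, ct []byte) ([]byte, error) {
	kek, err := unwrap(master, kekRecord)
	if err != nil {
		return nil, err
	}
	dek, err := unwrap(kek, wrappedDEK)
	if err != nil {
		return nil, err
	}
	return unwrap(dek, ct)
}
```

Note that the master key is used exactly once, to open the KEK record; everything below it in the chain can live outside the key store without the master key ever leaving it.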