To passphrase or not to passphrase? That one’s easy … don’t passphrase! It’s a great way to get your master keys loaded and your cryptographic infrastructure operational, but it's not such a secure way to run your business.
Typically, once your crypto environment is established and you’re running production work, you will change your master keys periodically, as specified in your local security policy. That process will be handled by a key management team or simply within the security group. The initial loading of the master keys might be handled by the systems programmers or the key management team.
First, some background. Historically, your System z secure key crypto hardware required that you load a master key before you could use that hardware. Secure key hardware provides tamper-resistant technology to protect your keys. If an attacker tries to attach a probe to the card to watch the electrons moving around and capture the contents, the card will detect that as an attack and wipe out the data and key material in the card before they can be compromised.
However, you sometimes need keys to leave that secure boundary. The most obvious example would be to store keys in a repository so you could decrypt a message at some point in the future. The secure key hardware relies on a master key to encrypt an operational key before it leaves the secure, tamper-resistant boundary of the card. (You can also use a key-encrypting key when it leaves the security of the card, especially if you’re sharing that key material with another party or system.)
Methods for Loading Master Keys
IBM provides three ways to load master keys into the secure hardware on your z/OS System:
• Passphrase Initialization (PPINT)
• Integrated Cryptographic Service Facility (ICSF) panels
• Trusted Key Entry (TKE) Workstation.
Note: With Linux and the CCA Library for S390 Linux, IBM doesn’t provide a passphrase option; only the TKE Workstation and a panel type interface (panel.exe) similar to the ICSF panels on z/OS.
PPINIT provides a quick, easy way to get your crypto environment initialized and operational. The problem is that it isn’t the most secure method for establishing those master keys.
The TKE Workstation provides the most secure means for loading master keys. You can create multiple key parts on a secure key device inside this standalone workstation, then push those keys to the crypto cards on your host using a secure, encrypted connection. The downside of the TKE Workstation is that it’s another system you must manage (defining users, assigning their roles and granting their authorities), but it provides the most security for your key material.
The ICSF panels provide the means for implementing dual-key ownership of the master key and you can access the crypto hardware to load those key parts using ISPF panels in a Time Sharing Option (TSO) session. You should use a secure TN3270 emulator or other technique to encrypt the session; otherwise, the key material will travel across the network in the clear. Those key parts will at least briefly exist in memory in your TSO address space.