Enabling and Using Session-Level Encryption
Enter the key-encrypting keys (KEKs) before performing any other operation. A KEK is shared between the LUs that are going to be involved in the session. KEKs reside in key storage (the .kek file) and are used to protect the data (session) keys when they are sent to the partner node or Logical Unit (LU).
The following commands are available to add or modify these keys:
- amdsec clear
  This command clears the AMDSEC key storage. All key-encrypting keys are discarded.
- amdsec pass <new passphrase>
  This command sets the AMDSEC passphrase. The key-encrypting keys are encrypted under this passphrase before they are written to the storage file. The default passphrase is amdsec security.
- amdsec addkey <label> <key value> <key form> <option>
  amdsec addkey adds a key-encrypting key to key storage.
  - <label> is the key label for this KEK (up to 5 key label tokens of 8 bytes each). See Naming Labels for KEKs for further details.
  - <key value> is the KEK value. It must be 16 bytes in hexadecimal (32 hex digits), optionally separated by the - (hyphen) character.
  - <key form> is the value importer or exporter.
  - <option> is the value translate. Specify this option to give the key the translate attribute. This parameter is optional; data key translate is required only when you are running APPN encryption.
  Example:
  amdsec addkey cm@lu@im.netid.cpnam1.netid.lunam2 8182-d4e7-836a-4d6f-8182-d4e7-830a-4d6f importer
  amdsec addkey cm@lu@ex.netid.cpnam2.netid.lunam1 8182-d4e7-836a-4d6f-8182-d4e7-830a-4d6f exporter
  When entering KEKs, it is often easier to put the commands in a batch (.bat) file and then run that file to enter your keys in key storage.
- amdsec repkey <label> <key value> <key form> <option>
  amdsec repkey replaces a key-encrypting key in key storage.
  - <label> is the key label for this KEK (up to 5 key label tokens of 8 bytes each). See Naming Labels for KEKs for further details.
  - <key value> is the KEK value. It must be 16 bytes in hexadecimal (32 hex digits), optionally separated by the - (hyphen) character.
  - <key form> is the value importer or exporter.
  - <option> is the value translate. Specify this option to give the key the translate attribute. This parameter is optional; data key translate is required only when you are running APPN encryption.
  Example:
  amdsec repkey cm@lu@im.netid.cpnam1.netid.lunam2 8182-d4e7-836a-4d6f-8182-d4e7-830a-4d6f importer
  amdsec repkey cm@lu@ex.netid.cpnam2.netid.lunam1 8182-d4e7-836a-4d6f-8182-d4e7-830a-4d6f exporter
- amdsec list
  amdsec list lists your KEK labels in key storage.
  Example:
  amdsec list
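As an added example (not part of this documentation or of the product's own tooling), the following Python helper checks the label and key-value constraints listed above before any command is entered, normalizes the hyphenated key value, and writes out the lines of a batch file containing the addkey (or repkey) commands followed by amdsec list. It assumes that label tokens are separated by dots, as in the examples above (the authoritative rules are in Naming Labels for KEKs), that the hyphenated grouping of four hex digits is only a display convention, and that the passphrase passed to amdsec pass has already been chosen to replace the default. The generate_kek function and the sample entries are constructed for this example.

```python
"""Prepare validated amdsec addkey/repkey command lines for a batch file.
Added example; not part of the product documentation or its tooling."""
import re
import secrets
from typing import Iterable, List, Optional

MAX_LABEL_TOKENS = 5    # up to 5 key label tokens ...
MAX_TOKEN_BYTES = 8     # ... of 8 bytes each
KEY_HEX_DIGITS = 32     # a 16-byte KEK is 32 hex digits
KEY_FORMS = ("importer", "exporter")


def validate_label(label: str) -> str:
    """Reject labels that exceed the documented token count or token size."""
    tokens = label.split(".")  # assumption: tokens are separated by '.'
    if not 1 <= len(tokens) <= MAX_LABEL_TOKENS:
        raise ValueError(f"label must have 1..{MAX_LABEL_TOKENS} tokens: {label!r}")
    for tok in tokens:
        if not tok or len(tok.encode("utf-8")) > MAX_TOKEN_BYTES:
            raise ValueError(f"label token must be 1..{MAX_TOKEN_BYTES} bytes: {tok!r}")
    return label


def normalize_key(key_value: str) -> str:
    """Strip the optional hyphens and require exactly 32 hex digits."""
    digits = key_value.replace("-", "")
    if not re.fullmatch(r"[0-9a-fA-F]{%d}" % KEY_HEX_DIGITS, digits):
        raise ValueError("key value must be 16 bytes in hexadecimal (32 hex digits)")
    return digits.lower()


def format_key(key_value: str) -> str:
    """Render the key as hyphen-separated groups of four hex digits, as in the examples."""
    digits = normalize_key(key_value)
    return "-".join(digits[i:i + 4] for i in range(0, len(digits), 4))


def generate_kek() -> str:
    """Produce a fresh random 16-byte KEK value (constructed helper; the page does
    not prescribe how key values are generated)."""
    return format_key(secrets.token_hex(16))


def build_command(verb: str, label: str, key_value: str, key_form: str,
                  translate: bool = False) -> str:
    """Assemble one 'amdsec addkey' or 'amdsec repkey' line after validating its arguments."""
    if verb not in ("addkey", "repkey"):
        raise ValueError(f"unsupported verb: {verb!r}")
    if key_form not in KEY_FORMS:
        raise ValueError(f"key form must be one of {KEY_FORMS}: {key_form!r}")
    parts = ["amdsec", verb, validate_label(label), format_key(key_value), key_form]
    if translate:  # only required when running APPN encryption
        parts.append("translate")
    return " ".join(parts)


def batch_lines(entries: Iterable[tuple], passphrase: Optional[str] = None,
                verb: str = "addkey") -> List[str]:
    """Return the batch file lines: optional 'amdsec pass', one command per KEK,
    then 'amdsec list' so the stored labels are shown when the file finishes."""
    lines: List[str] = []
    if passphrase is not None:
        lines.append(f"amdsec pass {passphrase}")
    for label, key_value, key_form, *rest in entries:
        translate = bool(rest and rest[0])
        lines.append(build_command(verb, label, key_value, key_form, translate))
    lines.append("amdsec list")
    return lines


if __name__ == "__main__":
    # Constructed sample: the two entries from the page's own addkey example.
    sample = [
        ("cm@lu@im.netid.cpnam1.netid.lunam2",
         "8182-d4e7-836a-4d6f-8182-d4e7-830a-4d6f", "importer"),
        ("cm@lu@ex.netid.cpnam2.netid.lunam1",
         "8182-d4e7-836a-4d6f-8182-d4e7-830a-4d6f", "exporter"),
    ]
    for line in batch_lines(sample):
        print(line)
```

Redirect the printed lines into a .bat file and run it in the command environment where amdsec is available; a malformed label or key value raises before anything is written, so key storage is never left with a partially entered set of KEKs.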