DISKKEY

The DISKKEY command allows you to create keys for use in encrypting disk volumes, list those keys, back up and restore those keys, and to mark keys that should no longer be used.

Encryption keys are stored in the IOPs and must be backed up before being used in the ENCRYPT command or in the KEY option of the RC command.

An encryption key consists of the following parts:

  • A text name, consisting of the text specified in DISKKEY CREATE with the date and time of creation appended. For example, if the specified text was "JoeData", the key name would be of the form JoeData_2013_05_21_153743.

  • A binary value used as the key when encrypting and decrypting data. This value is generated inside an IOP by a random number generator designed specifically for producing cryptographic keys. It is stored in an obscured form on the IOPs and never leaves the IOPs except inside an encrypted package.

  • Attributes, such as an indication that the user wishes to no longer use the key.

Syntax

Explanation

DISKKEY CREATE <key name>

Creates a key for use in encrypting disk volumes.

The specified <key name> can contain only alphanumeric, hyphen, and underscore characters. The key creation date and time are appended in the format _yyyy_mm_dd_hhmmss.

Key names are case insensitive for matching purposes. For display, the case of <key name> as entered is preserved if <key name> is quoted and converted to uppercase if it is not quoted.

After a new key is created, it is in the "new" state. In this state, it cannot be used as the KEY option in an ENCRYPT command or RC command. It is marked usable after it is successfully backed up through one of the following actions:

  • A successful DISKKEY BACKUP CD command. Note that keys are not marked usable until the CD burn has completed successfully and the CD has been verified by reading back the data.

  • A successful DISKKEY BACKUP FILE command followed by a successful DISKKEY RESTORE FILE command of the same file.

    Note: It is the responsibility of the user to ensure that the file is successfully backed up to a reliable external location between these steps.

DISKKEY SHOW

Lists all disk encryption keys.

DISKKEY SHOW <key name>

Lists all disk encryption keys that start with the specified name. The specified name can be a partial key name; all keys that start with the specified character sequence are listed.

DISKKEY BACKUP CD <unit number> <phrase>

Data sufficient to restore the current set of disk encryption keys is packaged, encrypted, and written as a byte stream file to blank media on the specified CD drive. The CD is in ISO 9660 format.

The variable <phrase> is a quoted string and is case sensitive.

  • If <phrase> is supplied, it is hashed to generate the key used to encrypt the package. The <phrase> must be remembered and used in any subsequent RESTORE.

  • If <phrase> is not supplied, a key known to the IOP is used to encrypt the package. No <phrase> is used in any subsequent RESTORE.

DISKKEY BACKUP FILE <file title> <phrase>

Data sufficient to restore the current set of disk encryption keys is packaged, encrypted, and written to a byte stream file with the specified title.

The variable <phrase> functions as for BACKUP CD.

Note: It is the responsibility of the user to back up the resulting byte stream file.

LOADER only supports RESTORE from CD. To execute LOADER RESTORE from a byte stream file, burn the byte stream file to an ISO 9660 CD. The file must be in the root directory and must be named DISKKEYS.

DISKKEY RESTORE CD <unit number> <phrase>

Restores disk encryption keys from a CD backup. Keys from the backup are merged with any existing keys.

DISKKEY RESTORE FILE <file title> <phrase>

Restores disk encryption keys from a stream file backup. Keys from the backup are merged with any existing keys.

DISKKEY MARK <key name> DEPRECATED

Marks the specified disk encryption key as deprecated. Deprecated keys cannot be used in the ENCRYPT command or in the KEY option of the RC command. Disk volumes that use deprecated keys remain fully functional.

This might be useful while certain keys are in the process of being phased out of use.

Note: This command fails if the key is in the "new" state.

DISKKEY MARK <key name> EXPIRED

Marks the specified disk encryption key as expired. Expired keys cannot be used in the ENCRYPT command or in the KEY option of the RC command. When a disk volume that uses an expired key comes online, the MCP issues a warning, but the disk volume is fully functional. This might be useful after certain keys have been phased out of use.

Note that keys are never deleted from the key store. If a key is thought to be no longer in use and a disk volume is found that still uses it, the disk volume is usable.

Note: This command fails if the key is in the "new" state.

DISKKEY MARK <key name> USABLE

Use this to undo a previous DISKKEY MARK DEPRECATED or DISKKEY MARK EXPIRED command.

Note: This command fails if the key is in the "new" state.
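The rules above (the key-name format and case handling, prefix matching in SHOW, the "new" state that blocks ENCRYPT and RC until a backup has been verified, the merge on RESTORE, and the MARK transitions) can be exercised with the following simulation. It is an added example, not Unisys MCP or IOP code: the package layout, the PBKDF2 step that turns <phrase> into a package key, the in-memory "CD drive", the HMAC-based keystream and the resolution of a name without its timestamp suffix (as in Example 4 below) to a unique prefix are all assumptions made for illustration, and the fixed clock reproduces the time used in Example 1.

```python
"""DISKKEY lifecycle simulation (added example, not Unisys MCP/IOP code).

Name rules, timestamp suffix, case handling, SHOW prefix matching, the states
and the "usable only after a verified backup" rule follow the page; the package
format, PBKDF2 phrase-to-key step, in-memory CD drive and prefix resolution of
names given to MARK are assumptions made so the rules can be exercised."""
import hashlib
import hmac
import json
import re
import secrets
from datetime import datetime

NAME_RE = re.compile(r"^[A-Za-z0-9_-]+$")   # characters allowed in <key name>


def fixed_clock():   # the creation time used in the page's Example 1
    return datetime(2013, 5, 21, 15, 37, 43)


class DiskKeyError(Exception):
    pass


def _crypt(key, data):
    """XOR data with an HMAC-SHA256 counter-mode keystream (assumed construction)."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, i.to_bytes(8, "big"), "sha256").digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


class DiskKeyStore:
    def __init__(self, clock=datetime.now):
        self.keys = {}                           # uppercased full name -> record
        self.iop_key = secrets.token_bytes(32)   # assumed: known only to this IOP
        self.cd_drives = {}                      # unit number -> burned bytes
        self.clock = clock

    def _find(self, name):   # exact match, else a unique prefix (Example 4: MARK JOEDATA)
        want = name.upper()
        hits = [k for k in self.keys if k == want] or [k for k in self.keys if k.startswith(want)]
        if len(hits) != 1:
            raise DiskKeyError(f"{name} matches {len(hits)} keys")
        return self.keys[hits[0]]

    # DISKKEY CREATE <key name>
    def create(self, text, quoted=False):
        if not NAME_RE.match(text):
            raise DiskKeyError("only alphanumerics, '-' and '_' are allowed")
        display = text if quoted else text.upper()        # unquoted names are uppercased
        full = display + self.clock().strftime("_%Y_%m_%d_%H%M%S")
        self.keys[full.upper()] = {"name": full, "state": "new",
                                   "value": secrets.token_hex(32)}   # IOP key generator stand-in
        return full

    # DISKKEY SHOW [<key name>]: case-insensitive prefix match
    def show(self, prefix=""):
        return sorted(r["name"] for k, r in self.keys.items() if k.startswith(prefix.upper()))

    # The gate that ENCRYPT ... KEY and RC ... KEY apply
    def usable_for_encrypt(self, name):
        return self._find(name)["state"] == "usable"

    # DISKKEY BACKUP FILE / CD
    def _package_key(self, phrase):
        if phrase is None:                                # no phrase: IOP-known key
            return self.iop_key
        return hashlib.pbkdf2_hmac("sha256", phrase.encode(), b"DISKKEY", 100_000)

    def backup_file(self, phrase=None):
        key = self._package_key(phrase)
        ct = _crypt(key, json.dumps(list(self.keys.values())).encode())
        return ct + hmac.new(key, ct, "sha256").digest()   # encrypt-then-MAC

    def backup_cd(self, unit, phrase=None):
        pkg = self.backup_file(phrase)
        self.cd_drives[unit] = pkg                        # burn ...
        if self.cd_drives.get(unit) != pkg:               # ... read back and verify
            raise DiskKeyError("CD verification failed")
        for rec in self.keys.values():                    # only now: new -> usable
            if rec["state"] == "new":
                rec["state"] = "usable"

    # DISKKEY RESTORE FILE / CD: merge; a local "new" key found in the package becomes usable
    def restore_file(self, pkg, phrase=None):
        key = self._package_key(phrase)
        ct, tag = pkg[:-32], pkg[-32:]
        if not hmac.compare_digest(hmac.new(key, ct, "sha256").digest(), tag):
            raise DiskKeyError("package unreadable: wrong phrase or corrupt")
        for rec in json.loads(_crypt(key, ct)):
            local = self.keys.setdefault(rec["name"].upper(), rec)
            if local["state"] == "new" and local["value"] == rec["value"]:
                local["state"] = "usable"

    # DISKKEY MARK <key name> DEPRECATED | EXPIRED | USABLE; fails while "new"
    def mark(self, name, state):
        rec = self._find(name)
        if rec["state"] == "new":
            raise DiskKeyError("key is still new: back it up first")
        if state not in ("deprecated", "expired", "usable"):
            raise DiskKeyError("unknown mark")
        rec["state"] = state
```

The point worth noticing is the order of operations in backup_cd and restore_file: a key is promoted from "new" only after the package has been written and read back (CD) or after the very package that was written has been decrypted again (FILE followed by RESTORE FILE of the same file). A BACKUP FILE on its own leaves the key unusable, and a RESTORE with the wrong phrase fails the package check rather than silently merging garbage.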

Examples

Example 1

If entered at 43 seconds after 3:37 PM on May 21, 2013, the following DISKKEY command would create a disk encryption key named JoeData_2013_05_21_153743.

DISKKEY CREATE "JoeData"

Example 2

The following DISKKEY command lists all disk encryption keys starting with JOE (regardless of case). If example 1 has already been executed, the key named JoeData_2013_05_21_153743 would be included.

DISKKEY SHOW JOE

Example 3

The following DISKKEY command backs up all current disk encryption keys to a blank CD mounted on CD 100. The phrase WATERFALL_1739 must be remembered and supplied to the RESTORE command if the backup is ever needed.

DISKKEY BACKUP CD 100 WATERFALL_1739

Example 4

If examples 1 and 3 have already been executed, the following DISKKEY command will mark the disk encryption key named JoeData_2013_05_21_153743 as expired.

DISKKEY MARK JOEDATA EXPIRED