Key Attribute Defaults
The following default attribute settings are applied to generated keys/keypairs, and to unwrapped private/secret keys, unless your application specifies different values.
Management Attributes
| Attribute | Default Value | |||
|---|---|---|---|---|
| Generated Public Keys | Generated Private Keys | Unwrapped Private/Secret Keys | Derived Secret Keys | |
| CKA_TOKEN | 0 (FALSE) | 0 (FALSE) | 0 (FALSE) | 0 (FALSE) |
| CKA_PRIVATE | 1 (TRUE) if Crypto Officer logged in 0 (FALSE) if Crypto Officer not logged in |
1 (TRUE) if Crypto Officer logged in 0 (FALSE) if Crypto Officer not logged in |
1 (TRUE) if Crypto Officer logged in 0 (FALSE) if Crypto Officer not logged in |
1 (TRUE) if Crypto Officer logged in 0 (FALSE) if Crypto Officer not logged in |
| CKA_SENSITIVE |
N/A |
1 (TRUE) | 1 (TRUE) | 0 (FALSE) |
| CKA_MODIFIABLE | 1 (TRUE) | 1 (TRUE) | 1 (TRUE) | 1 (TRUE) |
| CKA_EXTRACTABLE | N/A | 0 (FALSE) | 0 (FALSE) | 0 (FALSE) |
| CKA_ALWAYS_SENSITIVE | N/A | Always the same value as CKA_SENSITIVE | Always 0 (FALSE) | Inherited from base key(s) depending on CKA_SENSITIVE history* |
| CKA_NEVER_EXTRACTABLE | N/A | Always the opposite value of CKA_EXTRACTABLE | Always 0 (FALSE) | Inherited from base key(s) depending on CKA_EXTRACTABLE history** |
* CKA_ALWAYS_SENSITIVE=1 assures that the key and the key(s) from which it was derived have always been sensitive (CKA_SENSITIVE=1). If a newly-derived key has CKA_ALWAYS_SENSITIVE=0, it means the key(s) from which it derives has had CKA_SENSITIVE=0 at some point.
** CKA_NEVER_EXTRACTABLE=1 assures that the key and the key(s) from which it was derived have never been extractable (CKA_EXTRACTABLE has always been set to 0). If a newly-derived key has CKA_NEVER_EXTRACTABLE=0, it means the key(s) from which it derives has had CKA_EXTRACTABLE=1 at some point.
Key Usage Attributes
| Attribute | Default Value | |||
|---|---|---|---|---|
| Generated Public Keys | Generated Private Keys | Unwrapped Private/Secret Keys | Derived Secret Keys | |
| CKA_ENCRYPT | 0 (FALSE) | N/A | 0 (FALSE) | 0 (FALSE) |
| CKA_DECRYPT | N/A | 0 (FALSE) | 0 (FALSE) | 0 (FALSE) |
| CKA_WRAP | 0 (FALSE) | N/A | 0 (FALSE) | 0 (FALSE) |
| CKA_UNWRAP | N/A | 0 (FALSE) | 0 (FALSE) | 0 (FALSE) |
| CKA_SIGN | N/A | 0 (FALSE) | 0 (FALSE) | 0 (FALSE) |
| CKA_VERIFY | 0 (FALSE) | N/A | 0 (FALSE) | 0 (FALSE) |
| CKA_DERIVE | 0 (FALSE) | N/A | 0 (FALSE) | 0 (FALSE) |
Vendor-defined key attributes
| KEY ATTRIBUTE | DESCRIPTION |
|---|---|
| CKA_CCM_PRIVATE | Not used by the Luna HSM; it does not affect any of the HSM functionality. This is an old attribute that was used in the firmware 3.x HSMs, the Luna CA and Luna CA3 products. |
| CKA_OUID | This is a 12-byte unique identifier for the object, unique across all Luna HSMs. It can be used to identify the object across multiple HSM. |
| CKA_EKM_UID | This is not used by the Luna HSM, it does not affect any of the HSM functionality. It is intended to be used by our EKM Key Manager SHIM to store a KEY ID, so that the key manager can track keys efficiently. Customer applications should not use this (they should use the CKA_GENERIC_1/2/3 attributes defined below). |
| CKA_GENERIC_1/2/3 | These are not used by the Luna HSM, and do not affect any of the HSM functionality. They are variable length attributes that store an array of CK_BYTE and are provided for customer applications to make use of, to store whatever data they want. |
