Example of ML-KEM Creation, Backup and Restore

This example is meant to be illustrative of basic functions you might need when using ML-KEM on the Luna HSM as part of your use case. For the specifics of parameters, flags, inputs, outputs, etc., see the ML-KEM Programming Guide.

Prerequisites:

- a Luna HSM or HSMs with firmware version 7.9.0 or newer

- the client is UC 10.9.0 or newer

- two V1 partitions have been created, whether on the same HSM or two separate HSMs.

- policy 43 - Allow non-FIPS algorithms is set to 1

Summary

For this example,

- ML-KEM keys are created in the first partition, and encapsulation/decapsulation operations are run to demonstrate the initial success,

- then the keys are backed up to a Luna B700 backup HSM,

- the ML-KEM keys are restored to the second partition, and

- the encap/decap operations are repeated to verify that what worked on the first partition also works on the second partition after the keys go through a backup-restore cycle.

 

1. To get started, launch CKDemo and open a session.

For this example, we show the full CKDemo menu once, for orientation, and thereafter, we show just the specific commands for brevity.

ckdemo (64-bit) v10.9.0-65. Copyright (c) 2025 Thales Group. All rights reserved.

ckdemo is the property of Thales Group and is provided to our customers for
diagnostic and development purposes only.  It is not intended for use in
production installations.  Any re-distribution of this program in whole or
in part is a violation of the license agreement.

Modified on Jun 11 2025 at 13:22:01

Starting CHRYSTOKI DEMO - SIMULATION LAB

Status: Doing great, no errors (CKR_OK)
TOKEN:
    ( 1) Open Session  ( 2) Close Session  ( 3) Login
    ( 4) Logout        ( 5) Change PIN     ( 6) Init Token
    ( 7) Init Pin      ( 8) Mechanism List ( 9) Mechanism Info
    (10) Get Info      (11) Slot Info      (12) Token Info
    (13) Session Info  (14) Get Slot List  (15) Wait for Slot Event
    (16) Token Status  (17) SessionCancel  (18) Factory Reset
    (19) CloneMofN     (33) Token Insert   (34) Token Delete
    (36) Show Roles    (37) Show Role Configuration Policies
    (38) Show Role State   (39) Get OUID   (140) Get Handle
    (58) HSM Zeroize       (59) Token Zeroize
    (160) Show License List   (161) QueryLicense   (162) HSM Stats
    (163) LogoutOther
OBJECT MANAGEMENT:
    (20) Create object (21) Copy object    (22) Destroy object
    (23) Object size   (24) Get attribute  (25) Set attribute
                       (26) Find object    (27) Display Object
    (30) Modify Usage Count         (31) Destroy Multiple Objects
    (32) Extract Public Key         (35) Import Public Key
SECURITY:
    (40) Encrypt file  (41) Decrypt file   (42) Sign
    (43) Verify        (44) Hash file      (45) Simple Generate Key
    (46) Digest Key
HIGH AVAILABILITY RECOVERY :
    (49) HA Current Status       (50) HA Recovery Init       (51) HA Recovery Login
    (52) HA Group Status
POLICY:
   (53) Show Partition Policies     (54) Set Partition Policies
   (55) Show HSM Policies (56) Set HSM Policies (57) Set Destructive HSM Policies
KEY:
    (60)  Wrap key      (61) Unwrap key     (62) Generate random number
    (63)  Derive Key    (64) PBE Key Gen    (65) Create known keys
    (66)  Seed RNG      (67) EC User Defined Curves
    (68)  SM2 User Defined Curves
    (69)  Translate key
    (150) Encapsulate key
    (151) Decapsulate key
CA:
    (70) Set Domain    (71) Clone Key      (72) Set MofN
    (73) Generate MofN (74) Activate MofN  (75) Generate Token Keys
                                           (77) Sign Token Cert
    (78) Generate CertCo Cert              (79) Modify MofN
    (85) Put HSM Data/Parameter
    (86) Dup. MofN Keys                    (87) Deactivate MofN
    (88) Get Token Certificates            (89) Get HSM Data/Parameter
    (112) Set Legacy Cloning Domain
OTHERS:
    (90) Self Test
    (92) Get App ID
    (93) Utilization Metrics
    (94) Open Access    (95) Close Access
    (97) Set App ID     (98) Options
OFFBOARD KEY STORAGE:
   (101) Extract Masked Object            (102) Insert Masked Object
   (103) Multisign With Value             (104) Clone Object
   (105) SIMExtract                       (106) SIMInsert
   (107) SimMultiSign                     (108) SMKRollover
   (109) CPv4 MigrateKeys
   (118) Extract Object                   (119) Insert Object
CLUSTER EXECUTION:
   (111) Get Cluster State
   (113) Lock Clustered Slot              (114) Unlock Clustered Slot
PED INFO:
   (120) Set Ped Info   (121) Get Ped Info (122) Init RPV
   (123) Delete RPV
AUDIT/LOG:
   (130) Get Config     (131) Set Config   (132) Verify logs
   (133) Get Time       (134) Set Time     (135) Import Secret
   (136) Export Secret  (137) Init Audit   (138) Get Status
   (139) Log External
SRK:
   (200) SRK Get State  (201) SRK Restore  (202) SRK Resplit
   (203) SRK Zeroize    (204) SRK Enable/Disable
Per Key Authorization:
    (210) Authorize Key              (211) Set Authorization Data
    (212) Reset Authorization Data   (213) Assign Key
    (214) Increment Failed Auth Count
Cloning API:
    (215) CloneAsSourceInit          (216) CloneAsTargetInit
    (217) CloneAsSource              (218) CloneAsTarget
    (219) CPv4 MigrateKeys           (220) CPv4 Negotiate Session
    (221) CPv4 Close Session
IS6 Migration:
    (300) Set IS6 Domain             (301) Insert IS6 Group Part
    (302) Insert IS6 Member Part     (303) Insert IS6 Key
KeyRing Configurations:
    (310) Setup KeyRing              (311) Add Key to KeyRing

(TITLE) menu titles, (99 or FULL) Full Help, (NONE) No help, (0 or EXIT) Quit


Status: Doing great, no errors (CKR_OK)
Enter your choice :

1

Slots available:
slot#3 - User Token Slot
slot#4 - User Token Slot
slot#204 - Admin Token Slot

Select a slot:
3       <--- This is opening a session in the slot you choose

Status: Doing great, no errors (CKR_OK)

2. Log in to the source slot.

(TITLE) menu titles, (99 or FULL) Full Help, (NONE) No help, (0 or EXIT) Quit

Status: Doing great, no errors (CKR_OK)

Enter your choice :

3       <--- This is logging into the slot with the newly opened session

***********

Status: Doing great, no errors (CKR_OK)

3. Generate an ML-KEM key of size 512.

(TITLE) menu titles, (99 or FULL) Full Help, (NONE) No help, (0 or EXIT) Quit

Status: Doing great, no errors (CKR_OK)

Enter your choice :

45               <--- This is starting the key-generation dialog

Select type of key to generate
[ 1] DES [ 2] DES2 [ 3] DES3 [ 5] CAST3
[ 6] Generic [ 7] RSA [ 8] DSA [ 9] DH [10] CAST5
[11] RC2 [12] RC4 [13] RC5 [14] SSL3 [15] ECDSA
[16] AES [17] SEED [18] KCDSA-1024 [19] KCDSA-2048
[20] DSA Domain Param [21] KCDSA Domain Param
[22] RSA X9.31 [23] DH X9.42 [24] ARIA
[25] DH PKCS Domain Param [26] RSA 186-3 Aux Primes
[27] RSA 186-3 Primes [28] DH X9.42 Domain Param
[29] ECDSA with Extra Bits [30] EC Edwards 25519
[31] EC Montgomery 25519
[32] EC Edwards 448
[33] EC Montgomery 448
[40] SM4 [41] SM2
[42] HSS [43] ML-KEM [44] ML-DSA
> 43            <--- You have chosen key-type ML-KEM to generate

Enter ML-KEM key set size:
[1] ML_KEM_512
[2] ML_KEM_768
[3] ML_KEM_1024

Selection :

1       <--- You have set the ML-KEM key size to 512 - the next several choices are usual key attributes

Enter Is Token Attribute [0-1]:

1

Enter Is Sensitive Attribute [0-1]:

1

Enter Is Private Attribute [0-1]:

1

Enter Is Modifiable Attribute [0-1]:

1

Enter Extractable Attribute [0-1]:

1

Enter Encrypt/Decrypt Attribute [0-1]:

1

Enter Sign/Verify Attribute [0-1]:

1

Enter Wrap/Unwrap Attribute [0-1]:

1

Enter Derive Attribute [0-1]:

1

Enter EncapsulateKey/DecapsulateKey Attribute [0-1]:
1                        <--- This setting is important to the current example.
Generated ML-KEM Public Key: 42 (0x0000002a)
Generated ML-KEM Private Key: 39 (0x00000027)

Status: Doing great, no errors (CKR_OK)

While making this example, we also created ML-KEM 768 and 1024 keys, to have some objects for backing up and restoring, so steps 3 and 4 were repeated.

4. Give the new key a label for later reference.

(TITLE) menu titles, (99 or FULL) Full Help, (NONE) No help, (0 or EXIT) Quit

Status: Doing great, no errors (CKR_OK)

25

Which object do you want to modify (0 to list available objects) : 42

Edit template for set attribute operation.

(1) Add Attribute (2) Remove Attribute (0) Accept Template :

1

0 - CKA_CLASS                         1 - CKA_TOKEN
2 - CKA_PRIVATE                       3 - CKA_LABEL
4 - CKA_APPLICATION                   5 - CKA_VALUE
6 - CKA_UNKNOWN                       7 - CKA_CERTIFICATE_TYPE
8 - CKA_ISSUER                        9 - CKA_SERIAL_NUMBER
10 - CKA_KEY_TYPE                    11 - CKA_SUBJECT
12 - CKA_ID                          13 - CKA_SENSITIVE
14 - CKA_ENCRYPT                     15 - CKA_DECRYPT
16 - CKA_WRAP                        17 - CKA_UNWRAP
18 - CKA_SIGN                        19 - CKA_SIGN_RECOVER
20 - CKA_VERIFY                      21 - CKA_VERIFY_RECOVER
22 - CKA_DERIVE                      23 - CKA_START_DATE
24 - CKA_END_DATE                    25 - CKA_MODULUS
26 - CKA_MODULUS_BITS                27 - CKA_PUBLIC_EXPONENT
28 - CKA_PRIVATE_EXPONENT            29 - CKA_PRIME_1
30 - CKA_PRIME_2                     31 - CKA_EXPONENT_1
32 - CKA_EXPONENT_2                  33 - CKA_COEFFICIENT
34 - CKA_PRIME                       35 - CKA_SUBPRIME
36 - CKA_BASE                        37 - CKA_VALUE_BITS
38 - CKA_VALUE_LEN                   39 - CKA_LOCAL
40 - CKA_MODIFIABLE                  41 - CKA_ECDSA_PARAMS
42 - CKA_EC_POINT                    43 - CKA_EXTRACTABLE
44 - CKA_ALWAYS_SENSITIVE            45 - CKA_NEVER_EXTRACTABLE
46 - CKA_CCM_PRIVATE                 47 - CKA_FINGERPRINT_SHA1
48 - CKA_OUID                        49 - CKA_X9_31_GENERATED
50 - CKA_PRIME_BITS                  51 - CKA_SUBPRIME_BITS
52 - CKA_USAGE_COUNT                 53 - CKA_USAGE_LIMIT
54 - CKA_EKM_UID                     55 - CKA_GENERIC_1
56 - CKA_GENERIC_2                   57 - CKA_GENERIC_3
58 - CKA_FINGERPRINT_SHA256          59 - CKA_WARNING_THRESHOLD
60 - CKA_HW_FEATURE_TYPE             61 - CKA_CHECK_VALUE
62 - CKA_BIP32_CHAIN_CODE 
63 - CKA_BIP32_VERSION_BYTES
64 - CKA_BIP32_CHILD_INDEX           65 - CKA_BIP32_CHILD_DEPTH
66 - CKA_BIP32_ID                    67 - CKA_BIP32_FINGERPRINT
68 - CKA_BIP32_PARENT_FINGERPRINT    69 - CKA_BYTES_REMAINING
70 - CKA_AUTH_DATA                   71 - CKA_ASSIGNED
72 - CKA_KEY_STATUS                  73 - CKA_FAILED_KEY_AUTH_COUNT
74 - CKA_KEYRING                     75 - CKA_KEYRING_OUID
76 - CKA_ENCAPSULATE                 77 - CKA_DECAPSULATE
78 - CKA_PARAMETER_SET               79 - CKA_PUBLIC_KEY
80 - CKA_PUBLIC_KEY_INFO             81 - CKA_SEED

Select which one: 3
Enter string value: ML-KEM-512 Public Key  <-- Label the public key for easy finding

CKA_LABEL=ML-KEM-512 Public Key

(1) Add Attribute (2) Remove Attribute (0) Accept Template :0

Status: Doing great, no errors (CKR_OK)

Perform similar actions for the Private Key.

(TITLE) menu titles, (99 or FULL) Full Help, (NONE) No help, (0 or EXIT) Quit

Status: Doing great, no errors (CKR_OK)
Enter your choice : 25    <--- Now for the recently generated Private Key

Which object do you want to modify (0 to list available objects) : 39

Edit template for set attribute operation.

(1) Add Attribute (2) Remove Attribute (0) Accept Template :

1

0 - CKA_CLASS                    1 - CKA_TOKEN
2 - CKA_PRIVATE                  3 - CKA_LABEL
4 - CKA_APPLICATION              5 - CKA_VALUE
6 - CKA_UNKNOWN                  7 - CKA_CERTIFICATE_TYPE
:
:
:
78 - CKA_PARAMETER_SET          79 - CKA_PUBLIC_KEY
80 - CKA_PUBLIC_KEY_INFO        81 - CKA_SEED

Select which one: 3
Enter string value: ML-KEM-512 Private Key

CKA_LABEL=ML-KEM-512 Private Key

(1) Add Attribute (2) Remove Attribute (0) Accept Template :

0

Status: Doing great, no errors (CKR_OK)

[OPTIONAL] View the properties of the key.

(TITLE) menu titles, (99 or FULL) Full Help, (NONE) No help, (0 or EXIT) Quit

Status: Doing great, no errors (CKR_OK)
Enter your choice : 27

Enter handle of object to display (0 to list available objects) : 39
Object handle=39
CKA_CLASS=00000003 (3)
CKA_TOKEN=01
CKA_PRIVATE=01
CKA_LABEL=ML-KEM-512 Private Key
CKA_KEY_TYPE=00000049 (73)
CKA_SUBJECT=
CKA_ID=
CKA_SENSITIVE=01
CKA_DECRYPT=01
CKA_UNWRAP=01
CKA_SIGN=01
CKA_SIGN_RECOVER=00
CKA_DERIVE=01
CKA_START_DATE=
CKA_END_DATE=
CKA_LOCAL=01
CKA_MODIFIABLE=01
CKA_EXTRACTABLE=01
CKA_ALWAYS_SENSITIVE=01
CKA_NEVER_EXTRACTABLE=00
CKA_FINGERPRINT_SHA1=44d2b4803940bdefddcb5992297d61bca41e8934
CKA_OUID=b90000002b00000f436d0f00
CKA_EKM_UID=
CKA_GENERIC_1=
CKA_GENERIC_2=
CKA_GENERIC_3=
CKA_FINGERPRINT_SHA256=f555c53b301d150a471e0c36eeb8eb511c3e30421b6ccedc0c6ec3474d226ef9
CKA_ASSIGNED=00
CKA_KEY_STATUS=
Flags: 0x01
CK_KEY_STATUS_F_AUTH_DATA_SET(0x1)
Failed Key Authorization Limit: 3
CKA_FAILED_KEY_AUTH_COUNT=00000000 (0)
CKA_KEYRING=00
CKA_KEYRING_OUID=
CKA_UNWRAP_TEMPLATE=
CKA_PUBLIC_KEY=8123572b5c51eac15d086724e582a6e9e4... clipped for length ...3173a24967a3eea8bbc454694defccd93f62a543fd0545aa62a3a
CKA_DECAPSULATE=01
CKA_PARAMETER_SET=00000001 (1)
CKA_PUBLIC_KEY_INFO=30820336300b06096086480165030... clipped for length ...bac3be03b843173a24967a3eea8bbc454694defccd93f62a543fd0545aa62a

Status: Doing great, no errors (CKR_OK)

We could create and label additional keys, as desired.

Back up the created keys

These are the slots being used - source, destination, and Backup HSM respectively. For this part of the example, we are using lunacm.

Slots available to the Client...

Available HSMs:

Slot Id -> 3
Label -> MyPar
Serial Number -> 2353942977384
Model -> Luna K7
Firmware Version -> 7.9.0
Bootloader Version -> 1.1.5
Configuration -> Luna User Partition With SO (PW) Key Export With Cloning Mode
Slot Description -> User Token Slot
FM HW Status -> FM Ready

Slot Id -> 4
Label -> Par2
Serial Number -> 2353942977385
Model -> Luna K7
Firmware Version -> 7.9.0
Bootloader Version -> 1.1.5
Configuration -> Luna User Partition With SO (PW) Key Export With Cloning Mode
Slot Description -> User Token Slot
FM HW Status -> FM Ready


Slot Id -> 204
Label -> B700
Serial Number -> 123321
Model -> Luna G7
Firmware Version -> 7.7.3
Bootloader Version -> 1.6.0
Configuration -> Luna HSM Admin Partition (PW) Backup Mode
Slot Description -> Admin Token Slot
HSM Status -> L3 Device, OK
HSM Certificates -> *** Test Certs ***


Current Slot Id: 3

1. Log in to the source slot (partition) if not already logged in.

lunacm:>role login -n co -p co-password

Command Result : No Error

2. Back up from the current slot (partition) to the Backup HSM.

lunacm:>partition archive backup -slot 204 -par mlkem -password co-password -sopassword so-password -domain domain -f

You are backing up an SKS partition.

Logging in as the SO on slot 204.

Creating partition mlkem on slot 204.

Verifying that all objects can be backed up...

6 objects found; attempting to back up 6 objects

The SMKs were backed up to partition mlkem successfully.

Backing up SKS Blobs...

Object 107 has been backed up to partition mlkem (new handle 112).
Object 65 has been backed up to partition mlkem (new handle 119).
Object 44 has been backed up to partition mlkem (new handle 123).
Object 38 has been backed up to partition mlkem (new handle 128).
Object 39 has been backed up to partition mlkem (new handle 211).
Object 42 has been backed up to partition mlkem (new handle 215).

Resizing partition mlkem on slot 204 to minimum necessary space.

Backup Successfully Completed.

6 objects have been backed up to partition mlkem
on slot 204.

Command Result : No Error

3. Select the target slot (partition) to which you will restore.

lunacm:>slot set slot 4

Current Slot Id: 4 (Luna User Slot 7.9.0 (PW) Key Export With Cloning Mode)

Command Result : No Error

4. Log in to the destination slot.

lunacm:>role login -n co -p co-password

Command Result : No Error

5. Restore from the backup HSM to the destination slot (partition).

lunacm:>par archive restore -slot 204 -par mlkem -password co-password

You are restoring an SKS partition.

Logging in to partition mlkem on slot 204 as the user.

Verifying that all objects can be restored...

6 objects found; attempting to restore 6 objects

Restoring the SKS partition

The SMKs were restored from partition mlkem successfully.

Restoring SKS Blobs...

Object 69 has been restored from partition mlkem (handle 215).
Object 112 has been restored from partition mlkem (handle 211).
Object 76 has been restored from partition mlkem (handle 128).
Object 75 has been restored from partition mlkem (handle 123).
Object 117 has been restored from partition mlkem (handle 119).
Object 123 has been restored from partition mlkem (handle 112).

Restore Successfully Completed.

6 objects have been restored from partition mlkem on slot 204.

Command Result : No Error

lunacm:>exit
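
Object handles change at each hop (source partition, backup partition, target partition), so it is easy to pick the wrong object in the verification steps. The following added example, which is not part of the original page or of any Thales tooling, parses the lunacm backup and restore messages and the CKDemo object listings copied from this page's transcripts, chains each source handle to its target handle, and checks that both ends carry the same label; the function names are hypothetical.

```python
import re

# lunacm messages copied from the backup and restore transcripts on this page.
BACKUP_LOG = """\
Object 107 has been backed up to partition mlkem (new handle 112).
Object 65 has been backed up to partition mlkem (new handle 119).
Object 44 has been backed up to partition mlkem (new handle 123).
Object 38 has been backed up to partition mlkem (new handle 128).
Object 39 has been backed up to partition mlkem (new handle 211).
Object 42 has been backed up to partition mlkem (new handle 215).
"""
RESTORE_LOG = """\
Object 69 has been restored from partition mlkem (handle 215).
Object 112 has been restored from partition mlkem (handle 211).
Object 76 has been restored from partition mlkem (handle 128).
Object 75 has been restored from partition mlkem (handle 123).
Object 117 has been restored from partition mlkem (handle 119).
Object 123 has been restored from partition mlkem (handle 112).
"""
# CKDemo object listings from this page (slot 3 = source, slot 4 = target).
SOURCE_LIST = """\
handle 107 (0x0000006b) – label: ML-KEM-1024 Private Key
handle 65 (0x00000041) – label: ML-KEM-1024 Public Key
handle 44 (0x0000002c) – label: ML-KEM-768 Private Key
handle 38 (0x00000026) – label: ML-KEM-768 Public Key
handle 39 (0x00000027) – label: ML-KEM-512 Private Key
handle 42 (0x0000002a) – label: ML-KEM-512 Public Key
"""
TARGET_LIST = """\
handle 123 (0x0000007b) – label: ML-KEM-1024 Private Key
handle 117 (0x00000075) – label: ML-KEM-1024 Public Key
handle 75 (0x0000004b) – label: ML-KEM-768 Private Key
handle 76 (0x0000004c) – label: ML-KEM-768 Public Key
handle 112 (0x00000070) – label: ML-KEM-512 Private Key
handle 69 (0x00000045) – label: ML-KEM-512 Public Key
"""

BACKED_UP = re.compile(r"Object (\d+) has been backed up to partition \S+ \(new handle (\d+)\)")
RESTORED = re.compile(r"Object (\d+) has been restored from partition \S+ \(handle (\d+)\)")
LISTING = re.compile(r"handle (\d+) \(0x[0-9a-fA-F]+\) \S+ label: (.+)")


def parse_labels(listing):
    """Map handle -> label from a CKDemo object listing."""
    return {int(h): label.strip() for h, label in LISTING.findall(listing)}


def map_handles(backup_log, restore_log):
    """Chain source handle -> backup handle -> target handle."""
    src_to_bak = {int(s): int(b) for s, b in BACKED_UP.findall(backup_log)}
    bak_to_tgt = {int(b): int(t) for t, b in RESTORED.findall(restore_log)}
    missing = sorted(set(src_to_bak.values()) - set(bak_to_tgt))
    if missing:
        raise ValueError(f"backup handles never restored: {missing}")
    return {src: bak_to_tgt[bak] for src, bak in src_to_bak.items()}


def check_round_trip(backup_log, restore_log, source_list, target_list):
    """Return (source, target, label) rows; raise if a label is missing or differs."""
    src_labels, tgt_labels = parse_labels(source_list), parse_labels(target_list)
    rows = []
    for src, tgt in sorted(map_handles(backup_log, restore_log).items()):
        a, b = src_labels.get(src), tgt_labels.get(tgt)
        if a is None or a != b:
            raise ValueError(f"handle {src} ({a!r}) != handle {tgt} ({b!r})")
        rows.append((src, tgt, a))
    return rows


if __name__ == "__main__":
    for src, tgt, label in check_round_trip(BACKUP_LOG, RESTORE_LOG, SOURCE_LIST, TARGET_LIST):
        print(f"source {src:>3} -> target {tgt:>3}  {label}")
```

Matching labels confirm that the object bookkeeping survived the round trip; they do not compare key material, which is what the encapsulate/decapsulate steps exercise.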

Verify

Having restored the keys (above), we can verify that the keys on the source partition and the keys restored onto the target partition are the same.
Go back to lunacm for this portion. The sequence is:

- Encapsulate with one of the original ML-KEM public keys, and

- decapsulate with the restored private key, then

- run encapsulation again with the restored public key, and

- decapsulate with the original private key.

First, encapsulate with one of the original ML-KEM public keys.

1. Open a session on the source slot.

Starting CHRYSTOKI DEMO - SIMULATION LAB

Status: Doing great, no errors (CKR_OK)

(TITLE) menu titles, (99 or FULL) Full Help, (NONE) No help, (0 or EXIT) Quit

Status: Doing great, no errors (CKR_OK)
Enter your choice : 1

Slots available:
slot#3 - User Token Slot
slot#4 - User Token Slot
slot#204 - Admin Token Slot

Select a slot: 3

Status: Doing great, no errors (CKR_OK)

2. Log in as Crypto Officer.

(TITLE) menu titles, (99 or FULL) Full Help, (NONE) No help, (0 or EXIT) Quit

Status: Doing great, no errors (CKR_OK)
Enter your choice : 3 <---  Log in as Crypto Officer
Partition SO [0]
Crypto Officer [1]
Crypto User [2]
Limited Crypto Officer [3]: 1
Enter PIN : ***********

Status: Doing great, no errors (CKR_OK)

3. Open a session on the target slot.

(TITLE) menu titles, (99 or FULL) Full Help, (NONE) No help, (0 or EXIT) Quit

Status: Doing great, no errors (CKR_OK)
Enter your choice : 1 

Slots available:
slot#3 - User Token Slot
slot#4 - User Token Slot
slot#204 - Admin Token Slot
Select a slot (last selected slot = 3): 4

Status: Doing great, no errors (CKR_OK)

4. Log in to the target slot as Crypto Officer.

(TITLE) menu titles, (99 or FULL) Full Help, (NONE) No help, (0 or EXIT) Quit

Status: Doing great, no errors (CKR_OK)
Enter your choice : 3     <---  Log in as Crypto Officer

Sessions available:
session#1 - slot 3
session#2 - slot 4
Select a session: 2
Partition SO [0]
Crypto Officer [1]
Crypto User [2]
Limited Crypto Officer [3]: 1
Enter PIN : ***********

Status: Doing great, no errors (CKR_OK)

5. Encapsulate an AES key on the source partition (the first session opened).

(TITLE) menu titles, (99 or FULL) Full Help, (NONE) No help, (0 or EXIT) Quit

Status: Doing great, no errors (CKR_OK)
Enter your choice : 150    <---  Encapsulate a key 

Sessions available:
session#1 - slot 3
session#2 - slot 4
Select a session: 1
Type of symmetric key to be encapsulated:
[1] AES [2] GENERIC Secret
> 1

Enter handle of the public ML-KEM encapsulate key (0 to list available objects) : 0

handle 107 (0x0000006b) – label: ML-KEM-1024 Private Key
handle 65 (0x00000041) – label: ML-KEM-1024 Public Key
handle 44 (0x0000002c) – label: ML-KEM-768 Private Key
handle 38 (0x00000026) – label: ML-KEM-768 Public Key
handle 39 (0x00000027) – label: ML-KEM-512 Private Key
handle 42 (0x0000002a) – label: ML-KEM-512 Public Key

Number of objects found = 6

Enter handle of the public ML-KEM encapsulate key (0 to list available objects) : 65

Enter the length in bytes of AES key being encapsulated [1] 16 [2] 24 [3] 32: 3

ML-KEM Secret Key Attributes:

Enter Is Token Attribute [0-1]: 1

Enter Is Sensitive Attribute [0-1]: 1

Enter Is Private Attribute [0-1]: 1

Enter Is Modifiable Attribute [0-1]: 1

Enter Encrypt/Decrypt Attribute [0-1]: 1

Enter Sign/Verify Attribute [0-1]: 1

Enter Wrap/Unwrap Attribute [0-1]: 1

Enter Derive Attribute [0-1]: 1

Enter Extractable Attribute [0-1]: 1

New key handle is 115 (0x00000073)
CipherText written to file (ciphertext.key)

Status: Doing great, no errors (CKR_OK)

6. Decapsulate on the target partition.

(TITLE) menu titles, (99 or FULL) Full Help, (NONE) No help, (0 or EXIT) Quit

Status: Doing great, no errors (CKR_OK)
Enter your choice : 151

Sessions available:
session#1 - slot 3
session#2 - slot 4
Select a session: 2
Type of symmetric key to be decapsulated:
[1] AES [2] GENERIC Secret
> 1

Enter handle of the private ML-KEM decapsulate key (0 to list available objects) : 0

handle 123 (0x0000007b) – label: ML-KEM-1024 Private Key
handle 117 (0x00000075) – label: ML-KEM-1024 Public Key
handle 75 (0x0000004b) – label: ML-KEM-768 Private Key
handle 76 (0x0000004c) – label: ML-KEM-768 Public Key
handle 112 (0x00000070) – label: ML-KEM-512 Private Key
handle 69 (0x00000045) – label: ML-KEM-512 Public Key

Number of objects found = 6

Enter handle of the private ML-KEM decapsulate key (0 to list available objects) : 123

Enter the length in bytes of AES key being decapsulated [1] 16 [2] 24 [3] 32: 3

Enter filename with the cipher text (ciphertext.key?):

ML-KEM Secret Key Attributes:

Enter Is Token Attribute [0-1]: 1

Enter Is Sensitive Attribute [0-1]: 1

Enter Is Private Attribute [0-1]: 1

Enter Is Modifiable Attribute [0-1]: 1

Enter Encrypt/Decrypt Attribute [0-1]: 1

Enter Sign/Verify Attribute [0-1]: 1

Enter Wrap/Unwrap Attribute [0-1]: 1

Enter Derive Attribute [0-1]: 1

Enter Extractable Attribute [0-1]: 1

New key handle is 128 (0x00000080)
Status: Doing great, no errors (CKR_OK)

7. Encapsulate on the target partition.

(TITLE) menu titles, (99 or FULL) Full Help, (NONE) No help, (0 or EXIT) Quit

Enter your choice : 150

Sessions available:
session#1 - slot 3
session#2 - slot 4
Select a session: 2
Type of symmetric key to be encapsulated:
[1] AES [2] GENERIC Secret
> 1

Enter handle of the public ML-KEM encapsulate key (0 to list available objects) : 0

handle 128 (0x00000080) – label: Decapsulation Recovered AES Key
handle 123 (0x0000007b) – label: ML-KEM-1024 Private Key
handle 117 (0x00000075) – label: ML-KEM-1024 Public Key
handle 75 (0x0000004b) – label: ML-KEM-768 Private Key
handle 76 (0x0000004c) – label: ML-KEM-768 Public Key
handle 112 (0x00000070) – label: ML-KEM-512 Private Key
handle 69 (0x00000045) – label: ML-KEM-512 Public Key

Number of objects found = 7

Enter handle of the public ML-KEM encapsulate key (0 to list available objects) : 117

Enter the length in bytes of AES key being encapsulated [1] 16 [2] 24 [3] 32: 3

ML-KEM Secret Key Attributes:

Enter Is Token Attribute [0-1]: 1

Enter Is Sensitive Attribute [0-1]: 1

Enter Is Private Attribute [0-1]: 1

Enter Is Modifiable Attribute [0-1]: 1

Enter Encrypt/Decrypt Attribute [0-1]: 1

Enter Sign/Verify Attribute [0-1]: 1

Enter Wrap/Unwrap Attribute [0-1]: 1

Enter Derive Attribute [0-1]: 1

Enter Extractable Attribute [0-1]: 1

New key handle is 129 (0x00000081)
CipherText written to file (ciphertext.key)

Status: Doing great, no errors (CKR_OK)

8. Now, go back and decapsulate on the source partition.

(TITLE) menu titles, (99 or FULL) Full Help, (NONE) No help, (0 or EXIT) Quit

Status: Doing great, no errors (CKR_OK)
Enter your choice : 151

Sessions available:
session#1 - slot 3
session#2 - slot 4
Select a session: 1
Type of symmetric key to be decapsulated:
[1] AES [2] GENERIC Secret
> 1

Enter handle of the private ML-KEM decapsulate key (0 to list available objects) : 0

handle 115 (0x00000073) – label: Encapsulation Generated AES Key
handle 107 (0x0000006b) – label: ML-KEM-1024 Private Key
handle 65 (0x00000041) – label: ML-KEM-1024 Public Key
handle 44 (0x0000002c) – label: ML-KEM-768 Private Key
handle 38 (0x00000026) – label: ML-KEM-768 Public Key
handle 39 (0x00000027) – label: ML-KEM-512 Private Key
handle 42 (0x0000002a) – label: ML-KEM-512 Public Key

Number of objects found = 7

Enter handle of the private ML-KEM decapsulate key (0 to list available objects) : 107

Enter the length in bytes of AES key being decapsulated [1] 16 [2] 24 [3] 32: 3

Enter filename with the cipher text (ciphertext.key?):

ML-KEM Secret Key Attributes:

Enter Is Token Attribute [0-1]: 1

Enter Is Sensitive Attribute [0-1]: 1

Enter Is Private Attribute [0-1]: 1

Enter Is Modifiable Attribute [0-1]: 1

Enter Encrypt/Decrypt Attribute [0-1]: 1

Enter Sign/Verify Attribute [0-1]: 1

Enter Wrap/Unwrap Attribute [0-1]: 1

Enter Derive Attribute [0-1]: 1

Enter Extractable Attribute [0-1]: 1

New key handle is 135 (0x00000087)
Status: Doing great, no errors (CKR_OK)

(TITLE) menu titles, (99 or FULL) Full Help, (NONE) No help, (0 or EXIT) Quit

Status: Doing great, no errors (CKR_OK)
Enter your choice :

The above demonstrates that both the original (source) keys, which were backed up to the Backup HSM, and the restored keys (restored from the Backup HSM onto the target partition) can successfully encapsulate and decapsulate the material.