Enabling Private Key Clear Export
In order to support the key archival process, it must be possible for the host machine to obtain the value of the private key in the clear.
Due to the inherent security risks, the Allow Clear Export of Private Keys flag controls whether this value can be obtained. This is a “secure configuration item”.
A secure configuration item is one which is open for reading, but requires authentication for writing. Such configuration items are stored on the HSM and protected by the password of the device administrator.
If Allow Clear Export of Private Keys flag is set to True
, then it is possible to obtain the value of a private key in the clear using the Microsoft Crypto API (MSCAPI) (causing the key archival process to succeed).
If Allow Clear Export of Private Keys is set to False
, then any requests to obtain the value of a private key in the clear are denied (causing the key archival process to fail).
The value of the Allow Clear Export of Private Keys flag can be changed using the SafeNet ProtectToolkit-M Administration Utility.
To set or clear the Allow Clear Export of Private Keys flag:
1.Launch the administration utility from the Start menu by selecting Start > Programs > SafeNet > ProtectToolkit M > gmadmin.
2.Select the desired HSM from the Active Adapters list.
3.Open the Adapter menu and choose Set Secure Configuration. The Set Secure Configuration dialog box displays.
4.Set or clear the Allow Clear Export of Private Keys flag as required, then click OK to action the change.