Creating Externally Stored Objects

The utilities typically located in either C:\Program Files\SafeNet\Protect Toolkit 5\Protect Toolkit C RT (for runtime installation) or C:\Program Files\SafeNet\Protect Toolkit 5\ProtectToolkit C SDK\bin\hsm (for SDK installation) can now be used to create externally stored keys. Slot 0 is used for externally stored keys. For example, the command ctkmu c -s0 -z1024 -nexternal1 -aX -trsa creates an RSA key pair in external storage.

To backup and restore keys by storing them externally

1. The simplest way to back up keys is to zip the secure external storage files and to export the object keys used in the ExtToken mechanism. Because the files are already encrypted, the zip archive itself does not need to be encrypted. These files are located in the folder indicated by the ET_PTKC_EXTTOKEN_PATH environment variable and have the extensions .ort and .ods.

2. To access the objects in the ExtToken mechanism, the Cryptoki Library (ID 1 or 4) must be used. When the utilities are used with the Cryptoki Library, the physical slots are made accessible and therefore the objects that underlie the ExtToken mechanism are accessible. To enable the utilities to use the Cryptoki Library, insert the path to the Cryptoki library into the Path environment variable so that this folder appears before any other folder containing a cryptoki.dll file. For Runtime operation, this is typically C:\Program Files\SafeNet\Protect Toolkit 5\Protect Toolkit C RT (if the previous configuration steps were followed). For SDK, this is typically C:\Program Files\SafeNet\Protect Toolkit 5\ProtectToolkit C SDK\bin\hsm.

3. At a command prompt, enter the command ctkmu l -s0. Three objects should be listed with the label ExtToken. The first object is a Data object containing information relating to the configuration of ExtToken. The other two are secret keys: one key is for private objects and the other key is for public objects.

4. Export the objects in slot 0 onto Multiple Custodian smart cards. The following example illustrates how to do this with two smart cards, where the smart card reader is located in slot 1.

ctkmu x -s0 -c1

5. When restoring keys, the Cryptoki Library (ID 1 or 4) must be used (see step 2). To restore keys after an HSM tamper, uncompress the secure external storage files into the folder indicated by the ET_PTKC_EXTTOKEN_PATH environment variable, then import the secret keys from the smart cards. The following example illustrates how to import the keys if they were exported in the manner described above.

ctkmu i -s0 -c1

6. To make use of the ExtToken Library, the system must be reconfigured to use the ExtToken Library for Application Development or for Runtime Operation.
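Steps 1 and 5 above cover the file half of the procedure: archive the .ort and .ods files from the ET_PTKC_EXTTOKEN_PATH folder, and later put them back before importing the slot 0 keys with ctkmu. The script below is an added example, not code from SafeNet ProtectToolkit or its documentation; it automates that file half and adds something the plain zip-and-unzip approach lacks, a SHA-256 manifest that is checked before any file is written back, so a missing or altered storage file is refused rather than handed to the ExtToken library. The manifest, the function names, and the sample file contents are this example's own constructions; the key export and import with ctkmu are assumed to be done separately as in steps 4 and 5.

```python
"""Back up and restore ProtectToolkit ExtToken external-storage files.

Added example, not part of SafeNet ProtectToolkit. Assumes the folder named by
ET_PTKC_EXTTOKEN_PATH holds the *.ort and *.ods files; the slot 0 secret keys
are exported with ctkmu separately. The SHA-256 manifest is this example's own
addition: the files are already encrypted under the HSM keys, but the manifest
lets a restore reject a missing or altered file before the library loads it.
"""
import hashlib
import json
import os
import tempfile
import zipfile
from pathlib import Path

EXT_STORAGE_SUFFIXES = (".ort", ".ods")
MANIFEST_NAME = "manifest.json"


def ext_storage_dir(env=None) -> Path:
    """Resolve the external-storage folder from ET_PTKC_EXTTOKEN_PATH."""
    env = os.environ if env is None else env
    if "ET_PTKC_EXTTOKEN_PATH" not in env:
        raise RuntimeError("ET_PTKC_EXTTOKEN_PATH is not set")
    return Path(env["ET_PTKC_EXTTOKEN_PATH"])


def backup_ext_storage(src_dir, zip_path) -> dict:
    """Store every .ort/.ods file plus a SHA-256 manifest; return the manifest."""
    src_dir = Path(src_dir)
    files = sorted(p for p in src_dir.iterdir()
                   if p.is_file() and p.suffix.lower() in EXT_STORAGE_SUFFIXES)
    if not files:
        raise RuntimeError(f"no .ort/.ods files found in {src_dir}")
    manifest = {p.name: hashlib.sha256(p.read_bytes()).hexdigest() for p in files}
    # ZIP_STORED: the contents are already encrypted, so compression gains nothing
    with zipfile.ZipFile(zip_path, "w", zipfile.ZIP_STORED) as zf:
        for p in files:
            zf.write(p, arcname=p.name)
        zf.writestr(MANIFEST_NAME, json.dumps(manifest, indent=2, sort_keys=True))
    return manifest


def restore_ext_storage(zip_path, dest_dir) -> list:
    """Write the manifest's files into dest_dir, verifying each hash first."""
    dest_dir = Path(dest_dir)
    dest_dir.mkdir(parents=True, exist_ok=True)
    restored = []
    with zipfile.ZipFile(zip_path) as zf:
        manifest = json.loads(zf.read(MANIFEST_NAME))
        for name, expected in manifest.items():
            # Only bare .ort/.ods file names are acceptable: no directories and
            # no traversal, so nothing can land outside the storage folder.
            if ("/" in name or "\\" in name or name != os.path.basename(name)
                    or not name.lower().endswith(EXT_STORAGE_SUFFIXES)):
                raise ValueError(f"unsafe entry name in manifest: {name!r}")
            try:
                data = zf.read(name)
            except KeyError:
                raise ValueError(f"{name} listed in manifest but missing") from None
            if hashlib.sha256(data).hexdigest() != expected:
                raise ValueError(f"hash mismatch for {name}: archive altered")
            (dest_dir / name).write_bytes(data)
            restored.append(name)
    return restored


def run_demo() -> dict:
    """Exercise backup, restore and tamper detection on constructed sample files."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        src, dest = tmp / "exttoken", tmp / "restored"
        src.mkdir()
        # Constructed stand-ins for the encrypted storage files (not real ciphertext)
        (src / "external1.ort").write_bytes(b"\x00\x11\x22" * 16)
        (src / "external1.ods").write_bytes(b"\x33\x44\x55" * 16)
        (src / "notes.txt").write_text("ignored: not an ExtToken file")
        good = tmp / "exttoken-backup.zip"
        manifest = backup_ext_storage(src, good)
        restored = restore_ext_storage(good, dest)
        # A tampered archive: the original manifest, but altered .ort contents.
        bad = tmp / "tampered.zip"
        with zipfile.ZipFile(bad, "w") as zf:
            zf.writestr("external1.ort", b"\xff" * 48)
            zf.writestr("external1.ods", (src / "external1.ods").read_bytes())
            zf.writestr(MANIFEST_NAME, json.dumps(manifest))
        try:
            restore_ext_storage(bad, tmp / "restored-bad")
            tamper_detected = False
        except ValueError:
            tamper_detected = True
        return {
            "backed_up": sorted(manifest),
            "restored": restored,
            "round_trip_ok": all((dest / n).read_bytes() == (src / n).read_bytes()
                                 for n in restored),
            "tamper_detected": tamper_detected,
        }


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

In use, call backup_ext_storage(ext_storage_dir(), "exttoken-backup.zip") before the smart-card export of step 4, and restore_ext_storage("exttoken-backup.zip", ext_storage_dir()) before the ctkmu i import of step 5. Keep the archive and its manifest with the same care as the custodian cards: the archive holds no plaintext keys, but without it the imported slot 0 keys have nothing to decrypt.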