User tasks
This section describes the operational procedures a user can perform during normal ProtectToolkit-M operation.
Creating keysets
To create a new keyset, first ensure that there is enough keyset space available on the HSM. This can be confirmed by opening the ProtectToolkit-M Administration Utility.
If there is not enough space available, an administrator will have to allocate additional keyset space on the HSM. For details please refer to the previous chapter.
To create a keyset
- Launch the administration utility from the Start menu by selecting Start > Programs > SafeNet > ProtectToolkit M > gmadmin.
- Select the spare keyset space on which to create the keyset from the Active Adapters list.
- Open the Keyset menu and choose Create Keyset.
- The administration utility now prompts for the Keyset Name and the Keyset Password. Enter the required information into the fields provided and press OK to create the new keyset.
Note
The name of the keyset should match the user login name.
- The new keyset is displayed under the device.
Changing a keyset password
A keyset password may need to be changed periodically. A keyset password is changed by the keyset owner, using the ProtectToolkit-M keyset management utility.
To change the keyset password
- Launch the keyset management utility from the Start menu by selecting Start > Programs > SafeNet > ProtectToolkit M > gmksm.
- From the displayed list, select the desired keyset.
- Open the Keyset menu and choose Change Password.
- The user is prompted for the current and new keyset password. Enter the required information into the fields provided and press OK to change the password.
Note
Any existing keyset backups will no longer be useful following a keyset password change, because the backup key is generated from the password. New backups should be created after changing the password.
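The note above, illustrated with an added example that is not SafeNet code: a backup sealed under a key derived from the keyset password can no longer be opened once the password changes. The page does not document the product's derivation scheme, so PBKDF2, the iteration count, the HMAC-based cipher and all function names here are assumptions.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # assumed work factor, not a documented product value

def derive_backup_keys(password, salt):
    """Derive an encryption key and a MAC key from the keyset password."""
    okm = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS, dklen=64)
    return okm[:32], okm[32:]

def _keystream(enc_key, nonce, length):
    """HMAC-SHA256 in counter mode: a stdlib-only stand-in for a real cipher."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def backup_keyset(keyset_blob, password):
    """Encrypt-then-MAC the keyset under keys derived from the password."""
    salt, nonce = os.urandom(16), os.urandom(16)
    enc_key, mac_key = derive_backup_keys(password, salt)
    ct = bytes(a ^ b for a, b in zip(keyset_blob, _keystream(enc_key, nonce, len(keyset_blob))))
    tag = hmac.new(mac_key, salt + nonce + ct, hashlib.sha256).digest()
    return {"salt": salt, "nonce": nonce, "ct": ct, "tag": tag}

def restore_keyset(backup, password):
    """Re-derive the keys from the supplied password; reject on tag mismatch."""
    enc_key, mac_key = derive_backup_keys(password, backup["salt"])
    expected = hmac.new(mac_key, backup["salt"] + backup["nonce"] + backup["ct"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, backup["tag"]):
        raise ValueError("backup key mismatch: keyset password differs from backup time")
    ks = _keystream(enc_key, backup["nonce"], len(backup["ct"]))
    return bytes(a ^ b for a, b in zip(backup["ct"], ks))

def backup_usable(backup, current_password):
    """Post-change check: can this backup still be restored?"""
    try:
        restore_keyset(backup, current_password)
        return True
    except ValueError:
        return False

if __name__ == "__main__":
    blob = b"constructed keyset material"  # constructed sample, not real key data
    old = backup_keyset(blob, "old-password")
    print(backup_usable(old, "old-password"), backup_usable(old, "new-password"))
    print(backup_usable(backup_keyset(blob, "new-password"), "new-password"))
```

The same check applies operationally: after a password change, take a fresh backup and confirm it restores before retiring the old one.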
Adding a key container
Key containers are created within a user’s keyset, so that the keyset can hold key pairs. The keyset owner can add a key container using the ProtectToolkit-M keyset management utility.
To add a key container
- Launch the keyset management utility from the Start menu by selecting Start > Programs > SafeNet > ProtectToolkit M > gmksm.
- From the displayed list, select the desired keyset.
- Open the Keyset menu and choose Add Container.
- The user is prompted for the keyset password and key container name. Enter the required information into the fields provided and press OK to create the key container.
Removing a key container
Key containers which are no longer required or hold obsolete key pairs can be removed from a keyset.
Removing a key container is performed by the keyset owner, using the ProtectToolkit-M keyset management utility.
To remove a key container
- If it is not already open, launch the keyset management utility from the Start menu by selecting Start > Programs > SafeNet > ProtectToolkit M > gmksm.
- Select the keyset container which you wish to remove.
- Open the Keyset menu and choose Remove.
- The user is prompted for the keyset password and confirmation that the container removal is the required action. Press OK to remove the key container.
Generating a key pair
Key pairs are used by Crypto API to encrypt or sign data. There are two types of key pairs, and they must be created inside a key container. Please refer to Adding a key container.
The keyset owner can generate a key pair using the ProtectToolkit-M keyset management utility.
To generate a key pair
- Launch the keyset management utility from the Start menu by selecting Start > Programs > SafeNet > ProtectToolkit M > gmksm.
- Select the keyset container in which to generate a key pair.
- Open the Container menu and choose Generate Key Pair.
- The user is prompted to enter the keyset password. Correct password entry will display the generate key pair dialog.
- The generate key pair dialog will prompt for the key usage and key size.
- Choose Exchange or Sign depending on the required key pair usage.
- Select a Key Size from the drop-down list.
- Check the Exportable checkbox if you want to be able to back up this key pair.
- Press OK to generate the key pair.
Key usage
Key pairs generated using the keyset management utility have one of two usage attributes. These are:
- Exchange: This type of key pair is used to encrypt session keys for the user during normal ProtectToolkit-M operation.
- Sign: This type of key pair is used to create digital signatures for the user during normal ProtectToolkit-M operation.
Each user will generally require both types of keys within their particular keyset.
Key size
Key size is an important consideration when using encryption as a security measure. Key size is given as a bit length, that is, the number of binary digits in the key value. As a general guideline, longer keys provide more secure encryption. However, larger key sizes slow the encryption process because of the larger calculations involved.
Note
If the FIPS Mode security policy is enabled, the cryptographic operations of RSA, DSA, DH, and EC algorithms are restricted to key sizes within a specified range. For more information about the size limitations of keys that are created or imported in FIPS Mode, see FIPS Mode operational restrictions.
Deleting a key pair
The keyset owner can delete a key pair using the ProtectToolkit-M keyset management utility.
To delete a key pair
- Launch the keyset management utility from the Start menu by selecting Start > Programs > SafeNet > ProtectToolkit M > gmksm.
- Select the key pair you wish to delete.
- Open the KeyPair menu and choose Delete.
- The user is prompted to enter the keyset password. Correct password entry deletes the selected key pair.
Displaying key pair properties
Key pair properties can be displayed by any user of the ProtectToolkit-M keyset management utility.
To display the properties of a key pair
- Launch the keyset management utility from the Start menu by selecting Start > Programs > SafeNet > ProtectToolkit M > gmksm.
- Select the key pair whose properties you want to display.
- Open the KeyPair menu and choose Properties.
Information shown includes the following:
- Keyset: Displays the name of the keyset on which the selected key pair resides.
- Container: Displays the name of the key container in which the selected key pair resides.
- Usage: Shows the key usage attribute of the selected key pair. This value will either be “EXCHANGE” or “SIGN”.
- Size: Shows the key size for the selected key pair.
- Private Key Held: This indicates if the private key for the selected key pair is present as part of the key pair. Since it is possible to import a public key only, this value will either be “TRUE” or “FALSE”.
- Exportable: Indicates whether the selected key pair can be backed up.
Backing up and restoring keysets
Users are responsible for backing up their own keysets. The procedures involved in backing up and restoring key pairs or keysets are detailed in Administrative tasks.
Keyset backup or restore operations should not be attempted without thorough knowledge of the procedure and the possible consequences of incorrect actions. It is strongly advised that the device administrator is consulted prior to performing a keyset backup or restore operation.