HSM PSE integration

Export and import Private Keys

To export a SAS-generated key (on Slot 0 of one HSM device) to another server (with SAS PCE installed on another machine), follow these steps:

  1. Export Private Key (from one HSM device)

  2. Import Private Key (to another HSM device)

  3. Verify Private Key Operations Success

For migration of keys from a PSEv2 to a PSEv3 device, follow this link: https://www.thalesdocs.com/gphsm/ptk/protectserver3/docs/ps_ptk_docs/migration/migrating_keys/index.html

Export Private Keys

  1. Navigate to the following path:

    C:\Program Files\SafeNet\Protect Toolkit 5\Protect Toolkit C SDK\bin

  2. To launch the KMU tool, double-click the KMU HSM.bat batch file.

    Key Management Utility Window

  3. Log in to KMU using User PIN credentials (for Slot 0) to verify that a key was generated by the SAS solution.

    KMU Login

  4. Log in to KMU (for Slot 0) using Security Officer credentials.

  5. Navigate to Options > Create > Generate Key Components.

    Selecting Generate Key Components Option

  6. The Create Key Components popup window is displayed. Edit the following attributes, and click OK:

    1. Mechanism: Select Triple DES from the dropdown list.

    2. Check Export and Import checkboxes.

    3. Clear Private checkbox.

      Create Key Components popup window

  7. The Number of Components window is displayed. The Number of components to create field is populated with 2 by default. Click OK, and click OK again.

    Number of Components popup window

  8. Copy the hexadecimal component and KCV to a text file (for example, info.txt).

  9. Repeat steps 6 and 7, as above, for the second component.

    KMU window

  10. A key is generated, and is now visible.

  11. Log in to KMU using User PIN credentials (for Slot 0). The SAS generated key and the wrapper key are available.

    KMU window

  12. Right-click the SAS generated key and select Export.

  13. The Export Key(s) window is displayed. Select the wrapper key (generated, as above, in step 10) from the Wrapping Key dropdown field and provide a path for the file to export, and click OK.

    Export Key(s) window

  14. The key is exported, and a success message: Export Successful, is displayed.

    Export Successful Message
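
The KCV recorded next to each component in info.txt can be rechecked after the file is copied and before the components are entered on the second HSM. The script below is an added example, not part of the Thales documentation. It assumes that a KCV is the first three bytes of the Triple DES ECB encryption of an all-zero block, that each info.txt line reads `<label> <component-hex> <kcv>`, and that the `openssl` CLI is installed; `tdes_kcv` and `check_info` are hypothetical helper names.

```sh
#!/bin/sh
# Added example, not Thales code. Assumption: a KCV is the first 3 bytes of the
# Triple DES ECB encryption of an all-zero 8-byte block.
# Note: openssl -K exposes the value in the process list; run this only on the
# trusted host that already holds info.txt.

# tdes_kcv HEX: print the 6-digit KCV of a 24-byte (48 hex digit) value.
tdes_kcv() {
    hex=$(printf '%s' "$1" | tr -d ' \t\r' | tr 'a-f' 'A-F')
    case "$hex" in
        ''|*[!0-9A-F]*) echo "not a hex string" >&2; return 2 ;;
    esac
    [ "${#hex}" -eq 48 ] || { echo "need 48 hex digits" >&2; return 2; }
    kcv=$(printf '\000\000\000\000\000\000\000\000' |
        openssl enc -des-ede3 -K "$hex" -nopad 2>/dev/null |
        od -An -tx1 | tr -d ' \n' | cut -c1-6 | tr 'a-f' 'A-F')
    [ "${#kcv}" -eq 6 ] || { echo "openssl failed" >&2; return 3; }
    printf '%s\n' "$kcv"
}

# check_info FILE: each line is "<label> <component-hex> <recorded-kcv>"
# (assumed layout). Prints a verdict per label, never the component itself.
# Returns 1 if any line is malformed or its recorded KCV does not match.
check_info() {
    rc=0
    while read -r label comp recorded || [ -n "$label" ]; do
        case "$label" in ''|'#'*) continue ;; esac
        recorded=$(printf '%s' "$recorded" | tr -d ' \t\r' | tr 'a-f' 'A-F')
        if ! actual=$(tdes_kcv "$comp" 2>/dev/null); then
            echo "$label: INVALID"; rc=1
        elif [ "$actual" = "$recorded" ]; then
            echo "$label: OK"
        else
            echo "$label: MISMATCH"; rc=1
        fi
    done < "$1"
    return "$rc"
}

# Constructed sample: the public all-zero test vector, not a real component.
# The second line carries a deliberately wrong recorded KCV.
sample=$(mktemp)
printf '%s\n' \
    "component1 000000000000000000000000000000000000000000000000 8CA64D" \
    "component2 000000000000000000000000000000000000000000000000 8CA64E" > "$sample"
check_info "$sample" || echo "resolve the mismatch before entering components"
rm -f "$sample"
```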

Import Private Keys

As a prerequisite to importing, SAS and PTKC 5.2.0 should already be installed on this (second) machine with a different HSM device.

  1. Copy the exported file (as above) and the text (info.txt) file to the machine where the key needs to be imported.

  2. Navigate to the following path:

    C:\Program Files\SafeNet\Protect Toolkit 5\Protect Toolkit C SDK\bin

  3. To launch the KMU tool, double-click the KMU HSM.bat batch file.

  4. Log in to KMU using Security Officer credentials.

    KMU Login

  5. Navigate to Options > Create > Enter Key from Components.

    Selecting Generate Key Components Option

  6. The Enter Key Components popup window is displayed. Edit the following attributes, and click OK:

    1. Mechanism: Select Triple DES from the dropdown list.

    2. Check Export and Import checkboxes.

      Create Key Component Window

    3. Clear Private checkbox.

  7. The Number of Components window is displayed. Enter 2 in the Number of components to enter field, and click OK.

    No. of Components Window

  8. Enter the hexadecimal component values from the text file (info.txt file).

    Ready to Accept Component Popup Window

    The KCV value is populated, by default.

  9. Repeat the above step (step 8) for the second component.

  10. The wrapper key is created. It is the same key that was created in Export Keys (step 11). Right-click to compare and verify that the KCVs of these wrapper keys on the different machines are the same.

  11. Log in to KMU using User PIN credentials (for Slot 0).

  12. Navigate to Options > Import Key(s).

  13. The Import Key(s) window is displayed. Select the wrapper key (generated, as above, in step 10) from the Wrapping Key dropdown field and provide the path for the file to import. This path should be the same as the one provided for export in step 13 of Export Keys.

  14. The key is imported, and a success message: Import Successful, is displayed. To verify that the same key (which was exported) has been imported, compare the KCVs of the two keys on the different machines.

    Import Successful Message

Verify Key operations

To verify that the Private Key export and import operations were successful, follow these steps:

  1. Launch SAS Manager and log in as administrator.

  2. Navigate to System > Setup > HSM Database Encryption.

  3. Provide User PIN (for Slot 0) of the HSM device configured on the second machine.

  4. The message "HSM database encryption was successfully enabled" is displayed. The success message confirms that both the Private Key export and import operations were successful.

    HSM Database Encryption Enabled Message