HSM PSE integration

Manual key generation

The following steps can be used to generate a key (and edit its attributes) manually. Follow the steps based on whether you are using the Graphical User Interface (GUI) or Command-Line Interface (CLI).

Graphical User Interface method

  1. Double-click the KMU HSM.Bat batch file available at the following path:

    C:\Program Files\SafeNet\Protect Toolkit 5\Protect Toolkit C SDK\bin

  2. The Key Management Utility (KMU) window is displayed. Select the previously created token [Slot<SLOT_NUMBER> for the first token] and use the User PIN option to log in.

    Ensure that you select the <Slot 0> option in the Select a token dropdown menu.

    (Figure: Key Management Utility Window)

  3. To create a secret key, navigate to Options > Create > Secret Key.

    (Figure: Key Management Utility Window)

  4. The Generate Secret Key popup window is displayed.

    (Figure: Generate Secret Key Popup)

    Enter or edit the following fields, and then click OK.

    1. Label: Provide the label of the key as: HSM_KEY_AES_ENCRYPTION_VER_13.

    2. Key Size (bits): Change to 256, from the default value of 128.

    Ensure only the following checkboxes are selected:

    • Persistent

    • Sensitive

    • Modifiable

    • Exportable

    • Private

    • Encrypt

    • Decrypt

  5. A key is generated for the selected slot.

    (Figure: Displaying generated key)

    Key generation can also be done from SAS itself. When you enable the HSM in SAS System Settings, provide the User PIN for the slot, and apply the changes, a key is created automatically for that slot.

Command-Line Interface method

  1. Execute the KMU HSM.Bat batch file available at the following path:

    C:\Program Files\SafeNet\Protect Toolkit 5\Protect Toolkit C SDK\bin

  2. To create key(s) in the slot, execute the following command:

    ctkmu c -t<type of key> -s<slot number> -n<label of the key> -a<attributes of the key> -z<key size in bits>

    Example: ctkmu c -taes -s0 -nHSM_KEY_AES_ENCRYPTION_VER_13 -aEDMX -z256

    In the above example, the command generates an AES (256 bit) key named HSM_KEY_AES_ENCRYPTION_VER_13 in Slot 0 with the following attributes: Encrypt, Decrypt, Exportable and Modifiable.

    The following lists the attributes that are allowed:
    P: CKA_PRIVATE
    M: CKA_MODIFIABLE
    T: CKA_SENSITIVE
    W: CKA_WRAP
    w: CKA_EXPORT
    I: CKA_IMPORT
    U: CKA_UNWRAP
    X: CKA_EXTRACTABLE
    x: CKA_EXPORTABLE
    R: CKA_DERIVE
    E: CKA_ENCRYPT
    D: CKA_DECRYPT
    S: CKA_SIGN
    V: CKA_VERIFY
    L: CKA_SIGN_LOCAL_CERT

    The following describes the attributes that the flags set:

    Decrypt: Security Object supports decryption
    Derive: Key can be used for derive operations
    Encrypt: Security Object supports encryption
    Exportable: Key can be exported in cleartext through the PKCS#11 API (not backup/restore related). NOTE: The HSM prevents the export operation.
    Extractable: Key can be wrapped with the transport key of the HSM (not backup/restore related)
    Import: NA
    Modifiable: Allows attributes to be changed after key generation
    Private: Authentication is required before the security object is visible
    Sensitive: Security-sensitive attributes are non-readable
    Sign: Security Object supports signing
    Unwrap: Security Object supports unwrapping (can be used to unwrap another key)
    Verify: Security Object supports verification (public key)
    Wrap: Security Object supports wrapping (can be used to wrap another key)

  3. Close and reopen the Command Prompt, and run the ctkmu l command.

    A list of the available slot(s) is displayed.

    (Figure: Displaying list of available slots)

    If you need to export the private key created on one SAS machine to another SAS machine, refer to Exporting and Importing Private Keys.
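As an added example (not part of the original page or of the Protect Toolkit software), the following Python decodes a ctkmu -a flag string using the letter list above so the requested attribute set can be reviewed before the command is run: the letters are case-sensitive (X is CKA_EXTRACTABLE, x is CKA_EXPORTABLE), and the review reports which attributes let key material leave the HSM and which of the attributes selected in the GUI procedure are absent. The GUI_ATTRS set and the function names are this example's own assumptions.

```python
# Added example: decode and review a ctkmu "-a" attribute string before running it.
# Flag letters follow the list on this page; case matters (X != x).
CTKMU_FLAGS = {
    "P": "CKA_PRIVATE", "M": "CKA_MODIFIABLE", "T": "CKA_SENSITIVE",
    "W": "CKA_WRAP", "w": "CKA_EXPORT", "I": "CKA_IMPORT", "U": "CKA_UNWRAP",
    "X": "CKA_EXTRACTABLE", "x": "CKA_EXPORTABLE", "R": "CKA_DERIVE",
    "E": "CKA_ENCRYPT", "D": "CKA_DECRYPT", "S": "CKA_SIGN", "V": "CKA_VERIFY",
    "L": "CKA_SIGN_LOCAL_CERT",
}

# Attributes that allow key material to leave the HSM in some form.
EXPORT_CAPABLE = {"CKA_EXPORTABLE", "CKA_EXTRACTABLE", "CKA_EXPORT"}

# Attributes the GUI procedure on this page selects that have a ctkmu letter
# (Persistent has no -a letter in the list above). Constructed for this example.
GUI_ATTRS = {"CKA_PRIVATE", "CKA_SENSITIVE", "CKA_MODIFIABLE",
             "CKA_EXPORTABLE", "CKA_ENCRYPT", "CKA_DECRYPT"}


def decode_attrs(flags: str) -> list:
    """Map each flag letter to its CKA_ name, rejecting unknown or repeated letters."""
    names = []
    for ch in flags:
        if ch not in CTKMU_FLAGS:
            raise ValueError(f"unknown ctkmu attribute flag {ch!r}")
        name = CTKMU_FLAGS[ch]
        if name in names:
            raise ValueError(f"attribute flag {ch!r} given twice")
        names.append(name)
    return names


def review_attrs(flags: str, expected: set) -> dict:
    """Report granted attributes, export-capable ones, and expected ones that are missing."""
    attrs = set(decode_attrs(flags))
    return {
        "attributes": sorted(attrs),
        "export_capable": sorted(attrs & EXPORT_CAPABLE),
        "missing": sorted(expected - attrs),
    }


def build_ctkmu_create(label: str, slot: int, flags: str, key_type: str = "aes", bits: int = 256) -> str:
    """Assemble the ctkmu create command in the form shown on this page, validating the flags first."""
    decode_attrs(flags)
    return f"ctkmu c -t{key_type} -s{slot} -n{label} -a{flags} -z{bits}"


if __name__ == "__main__":
    # The page's own example string, -aEDMX, reviewed against the GUI selection
    print(review_attrs("EDMX", GUI_ATTRS))
    print(build_ctkmu_create("HSM_KEY_AES_ENCRYPTION_VER_13", 0, "EDMX"))
```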