Your suggested change has been received. Thank you.

close
Thales Logo

All

  • All
  • CipherTrust Manager
  • CipherTrust Application Data Protection (CADP)
  • CipherTrust Application Key Management (CAKM)
  • CipherTrust Batch Data Transformation (BDT)
  • CipherTrust Cloud Key Management (CCKM)
  • CipherTrust Data Discovery and Classification (DDC)
  • CipherTrust Data Protection Gateway (DPG)
  • CipherTrust Database Protection (CDP)
  • CipherTrust Intelligent Protection (CIP)
  • CipherTrust Integrations
  • CipherTrust Migrations
  • CipherTrust RESTful Data Protection (CRDP)
  • CipherTrust Transparent Encryption (CTE)
  • CipherTrust Transparent Encryption Userspace (CTE-U)
  • CipherTrust Secrets Management (CSM)
  • CipherTrust Vaulted Tokenization (CT-V)
  • CipherTrust Vaultless Tokenization (CT-VL)
  • CTE-Linux
  • CTE-Windows
  • CTE-AIX
  • CTE-K8s
  • CTE-U
  • Crypto Command Center
  • Data Protection on Demand
  • Luna Cloud HSM
  • Luna Network HSM
  • Luna PCIe HSM
  • Luna USB HSM
  • OneWelcome Identity Platform
  • ProtectApp LUKS
  • ProtectServer 2 HSM
  • ProtectServer 3 HSM
  • SafeNet Trusted Access (STA)
  • SafeNet MobilePASS+
  • SafeNet MobilePASS+ for Android
  • SafeNet MobilePASS+ for Chrome
  • SafeNet MobilePASS+ for macOS
  • SafeNet MobilePASS+ for iOS
  • SafeNet MobilePASS+ for WatchOS
  • SafeNet MobilePASS+ for Windows
  • SafeNet Synchronization Agent
  • SafeNet Logging Agent
  • SafeNet Agent for FreeRADIUS
  • SafeNet Agent for NPS
  • SafeNet Agent for Windows Logon
  • SafeNet Authentication Service Private Cloud Edition (SAS PCE)
  • SafeNet Remote Logging Agent
  • SafeNet Keycloak Agent
  • SafeNet IDPrime Virtual (IDPV)
  • SafeNet FIDO Key Manager
  • SafeNet FIDO Key Manager for Android
  • SafeNet FIDO Key Manager for iOS
  • SafeNet FIDO Key Manager for Windows
back

HSM PSE integration

Manual key generation

search

Please Note:

printsuggest an edit

Manual key generation

The following steps can be used to generate a key (and edit its attributes) manually. Follow the steps based on whether you are using the Graphical User Interface (GUI) or Command-Line Interface (CLI).

copy link to clipboardGraphical User Interface method

  1. Double-click KMU HSM.Bat batch file available at the following path:

    C:\Program Files\SafeNet\Protect Toolkit 5\Protect Toolkit C SDK\bin

  2. The Key Management Utility (KMU) window is displayed. Select the previously created token [Slot<SLOT_NUMBER> for the first token] and use User PIN option to login.

    note

    Note

    Ensure to select <Slot 0> option in Select a token dropdown menu.

    Key Management Utility Window

  3. To create a secret key, navigate to Options > Create > Secret Key.

    Key Management Utility Window

  4. The Generate Secret Key popup window is displayed.

    Generate Secret Key Popup

    Enter/Edit the following fields, and click OK.

    1. Label: Provide the label of the key as: HSM_KEY_AES_ENCRYPTION_VER_13.

    2. Key Size (bits): Change to 256, from the default value of 128.

    Ensure only the following checkboxes are selected:

    • Persistent

    • Sensitive

    • Modifiable

    • Exportable

    • Private

    • Encrypt

    • Decrypt

  5. A key is be generated for the particular slot.

    Displaying generated key

    note

    Note

    Key generation can also be done using SAS itself. When you enable the HSM in SAS System Settings, provide the User PIN for the slot and apply changes, a key is created automatically for the slot.

copy link to clipboardCommand-Line Interface method

  1. Execute the KMU HSM.Bat batch file available at the following path:

    C:\Program Files\SafeNet\Protect Toolkit 5\Protect Toolkit C SDK\bin

  2. To create key(s) in the slot, execute the following command:

    ctkmu c –t<type of key> -s <slot number> -n <label of the Key> -a<attributes of the keys>

    Example: ctkmu c -taes -s0 -nHSM_KEY_AES_ENCRYPTION_VER_13 -aEDMX –z256

    In the above example, the execution of the command generates an AES (256 bit) key named HSM_KEY_AES_ENCRYPTION_VER_13 in Slot 0 with following attributes: Encrypt, Decrypt, Exportable and Modifiable.

    note

    Note

    The following lists the attributes that are allowed:
    P: CKA_PRIVATE
    M: CKA_MODIFIABLE
    T: CKA_SENSITIVE
    W: CKA_WRAP
    w: CKA_EXPORT
    I: CKA_IMPORT
    U: CKA_UNWRAP
    X: CKA_EXTRACTABLE
    x: CKA_EXPORTABLE
    R: CKA_DERIVE
    E: CKA_ENCRYPT
    D: CKA_DECRYPT
    S: CKA_SIGN
    V: CKA_VERIFY
    L: CKA_SIGN_LOCAL_CERT

    The following table provides descriptions of the listed keys:

    Flag Description
    Decrypt Security Object supports decryption
    Derive Key can be used to derive operations
    Encrypt Security Object supports encryption
    Exportable Key can be exported in cleartext through the pkcs#11 API (Not backup/restore related).
    NOTE: HSM prevents the export operation.
    Extractable Key can be wrapped with transport key of the HSM (Not backup/restore related)
    Import NA
    Modifiable Allow attributes to be changed after key generation
    Private Authentication required prior to security object being visible
    Senstive Security sensitive attributes non-readable
    Sign Security Object supports signing
    UnWrap Security Object supports unwrapping (can be used to unwrap another key)
    Verify Security Object supports verification (public key)
    Wrap Security Object supports wrapping (can be used to wrap another key)

  3. Close and reopen the Command Prompt, and run the Ctkmu l command.

    A list of the available slot(s) is displayed.

    Displaying list of available slots

    note

    Note

    If you need to export the Private Key created at one SAS machine to another SAS machine, refer to Exporting and Importing Private Keys

On this page