> ## Documentation Index
> Fetch the complete documentation index at: https://docs.futurex.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Deploying Key Lifecycle Management Services

> Step-by-step deployment of Key Lifecycle Management services for specific use cases.

You can deploy multiple services to support individual use cases, including the following Key Lifecycle Management Services:

* **Initial KTK for Key Exchange**: Using existing plaintext components, a new KTK is created under the CryptoHub master key, which you can then use to import and export working keys.
* **Generate Key**: This service generates keys by using pre-defined Key Types and enables you to export them under a KTK.
* **Import Key**: This service enables you to import a new key (either Global or New key type) under an existing KTK.

The following deployments form an initial **KTK, TEST KTK,** from three plaintext components, generate a **PEK, TEST PEK 1,** with the option to export under the KTK, and then import a **PEK, TEST PEK 2,** under the KTK.

## Initial KTK (KEK/ZMK) for key exchange

Perform the following tasks to complete this process:

1. Deploy the Key Lifecycle Management service.
2. Enter and combine KTK components.

### Deploy the Key Lifecycle Management service

Perform the following steps to deploy the Key Lifecycle Management service.

<Steps>
  <Step>
    Log in to the CryptoHub web dashboard under dual control with your Administrator users.
  </Step>

  <Step>
    On the **Service Management** page, search for **Key Lifecycle Management** or select the **Key Management** service category and then select the **Key Lifecycle Management** service.
  </Step>

  <Step>
    Select **\[ Deploy ]**.
  </Step>

  <Step>
    Configure **Service Setup** as follows:

    * **Service Name**: Select **3DES KTK XOR 3 Components**
    * **Service Category**: Select **Key Management**
  </Step>

  <Step>
    Configure **Access Control** as follows:

    * Add the following roles:
      * **Key Manager**
      * **Key Holder**
  </Step>

  <Step>
    Configure **Key Approval Setup** as follows:

    * Add the following roles:
      * **Key Holder**
  </Step>

  <Step>
    Configure **Key Configuration** as follows:

    * **Algorithm Type**: Select **Symmetric**
    * **Source**: Select **XOR components import**
    * **Component Source**: Select **Trusted key custodians**
    * **Components**: Select **3**
    * **Key Types**:
      * Select **\[ Add Key Type ]**
      * Select **\[ Autofill From Existing ]**
      * Select the **3DES KTK** checkbox.
      * Select **\[ Save ]**
    * **Permissions for Created Key**: Select **All users of service**
  </Step>

  <Step>
    Configure **Print Key** as follows:

    * **Destination**: Select **Do not print**
  </Step>

  <Step>
    Configure **Webhook** as follows:

    * **Destination**: Select **No webhook**
  </Step>

  <Step>
    Configure **Lifecycle Management** as follows:

    * **State: Active**
      * Select **Manual** or **Automatic Transition** (specify the transition period if you selected automatic)
      * Select **\[ Next ]**
    * **State: Archived**
      * Select **Enable** or **Disable**
      * Select **Manual** or **Automatic Transition** (specify the transition period if you selected automatic)
      * Select **\[ Next ]**
    * **State: Deactivated**
      * Select **Enable** or **Disable**.
      * Select **Manual** or **Automatic Transition** (specify the transition period if you selected automatic).
      * Select **\[ Next ]**
    * **State: Destroyed**
      * This state is always enabled for the service.
      * Manual Transition is required for this state.
  </Step>

  <Step>
    Select **\[ Deploy ]**.
  </Step>
</Steps>

### Enter and combine KTK components

Perform the following steps to enter and combine KTK components:

<Steps>
  <Step>
    Log out of CryptoHub if you are still logged in with the Administrator users.
  </Step>

  <Step>
    Log in to the CryptoHub web dashboard with the **KeyHolderA** user.
  </Step>

  <Step>
    On the **Service Management** page, go to the **Key Wizard** tab and configure **New Key** as follows:

    * **Service**: Select **3DES KTK XOR 3 Components**.
    * **Key Type**: Select **3DES KTK**.
    * **Key Name**: Enter `Test KTK`.
  </Step>

  <Step>
    On the **Service Management** page, go to the **Deployed Services** tab and select the Key Lifecycle Management service you deployed (such as **3DES KTK XOR 3 Components**).
  </Step>

  <Step>
    Go to **Key Orders/Approvals**.
  </Step>

  <Step>
    Select the checkmark under **Actions** to approve the **Test KTK** key order.

    Perform the following steps:

    1. Enter the first plaintext component
       * 9EE6 5104 E82A 9ED4
       * 88B8 7516 014A 1426
       * 9F35 BCEA 104F 0D29
         Component KCV 5FA3
    2. Select **\[ Load Component ]** and note the **KCV (Key Check Value)** in the pop-up dialog.
       **Note** Hover the cursor over the dialog window to avoid closing.
  </Step>

  <Step>
    Log out of CryptoHub.
  </Step>

  <Step>
    Log in to the CryptoHub web dashboard with the **KeyHolderB** user.
  </Step>

  <Step>
    From the **Service Management** page, go to the **Deployed Services** tab and select the Key Lifecycle Management service you deployed (such as **3DES KTK XOR 3 Components**).
  </Step>

  <Step>
    Go to **Key Orders/Approvals**.
  </Step>

  <Step>
    Select the checkmark under **Actions** to approve the **Test KTK** key order.

    1. Enter the second plaintext component:
       1. A8A7 26D6 5152 6438
       2. 0E07 8C13 1F25 759B
       3. 9E58 E551 2957 5116
          Component KCV 2AF8
    2. Select **\[ Load Component ]** and note the **KCV** in the pop-up dialog.
       **Note** Hover the cursor over the dialog window to avoid closing.
  </Step>

  <Step>
    Log out of CryptoHub.
  </Step>

  <Step>
    Log in to the CryptoHub web dashboard with the **KeyHolderC** user.
  </Step>

  <Step>
    On the **Service Management** page, go to the **Deployed Services** tab and select the Key Lifecycle Management service you deployed (such as **3DES KTK XOR 3 Components**).
  </Step>

  <Step>
    Go to **Key Orders/Approvals**.
  </Step>

  <Step>
    Select the checkmark under **Actions** to approve the **Test KTK** key order.

    1. Enter the third (final) plaintext component:
       * DC76 E50B BCDC C767
       * EF29 3EF7 7A83 4946
       * B35E D56E 15E0 9415
         Component KCV E18B
    2. Select **\[ Load Component ]** and note the **Final Checksum CAF9**.
       **Note** Hover the cursor over the dialog window to avoid closing.
  </Step>
</Steps>

## Generate Key with the option to Export under KTK

Perform the following tasks to complete this process:

1. Deploy Key Lifecycle Management service.
2. Generate key.
3. Export key.

### Deploy Key Lifecycle Management service

Perform the following steps to deploy the Key Lifecycle Management service:

<Steps>
  <Step>
    Log in to the CryptoHub web dashboard under dual control with the **KeyManager1** and **KeyManager2** users.
  </Step>

  <Step>
    From the **Service Management** page, search for **Key Lifecycle Management** or select the **Key Management** service category and then select the **Key Lifecycle Management** service.
  </Step>

  <Step>
    Select **\[ Deploy ]**.
  </Step>

  <Step>
    Configure the **Service** as follows:

    * **Service Name**: Select **Generate Key**.
    * **Service Category**: Select **Key Management**.
  </Step>

  <Step>
    Configure **Access Control** as follows:

    * Add the following roles:
      * **Key Manager**
  </Step>

  <Step>
    Configure **Key Approval Setup** as follows:

    * Do not add any roles.
  </Step>

  <Step>
    Configure **Key Configuration** as follows:

    * **Algorithm Type**: Select **Symmetric**.
    * **Source**: Select **Randomly generated key**.
    * **Approvals**: Select **0**.
    * **Key Types**:
      * Add the following Key Types: **3DES CVK**, **3DES MAK**, and **3DES PEK**.
    * **Permissions for Created Key**: Select **All users of service**.
  </Step>

  <Step>
    Configure **Print Key** as follows:

    * **Destination**: Select **Do not print**.
  </Step>

  <Step>
    Configure **Webhook** as follows:

    * **Destination**: Select **No webhook**.
  </Step>

  <Step>
    Configure **Lifecycle Management** as follows:

    * **State: Active**
      * Select **Manual** or **Automatic Transition** (specify the transition period if you selected automatic).
      * Select **\[ Next ]**.
    * **State: Archived**
      * Choose to Enable or Disable.
      * Select **Manual** or **Automatic Transition** (specify the transition period if you selected automatic).
      * Select **\[ Next ]**
    * **State: Deactivated**
      * Choose to Enable or Disable.
      * Select **Manual** or **Automatic Transition** (specify the transition period if you selected automatic).
      * Select **\[ Next ]**.
    * **State: Destroyed**
      * This state is always enabled for the service.
      * Manual Transition is required for this state.
  </Step>

  <Step>
    Select **\[ Deploy ]**.
  </Step>
</Steps>

### Generate key

Perform the following steps to generate a key:

<Steps>
  <Step>
    Go to the main **Service Management** page of the CryptoHub.
  </Step>

  <Step>
    Go to the **Key Wizard** tab.

    Configure **New Key** as follows:

    * **Service**: Select **Generate Key**.
    * **Key Type**: Select **3DES PEK**.
    * **Key Name**: Enter `TEST PEK 1`.
  </Step>

  <Step>
    Select **\[ Finish Setup ]**.
  </Step>

  <Step>
    Select **\[ Manage Keys ]**.
  </Step>

  <Step>
    In the **Actions** field for the key you created, select the **Information** icon and note the UUID of the key in the **Export** section.
  </Step>
</Steps>

### Export key

Perform the following steps to export the key:

<Steps>
  <Step>
    Go to the main **Service Management** page of the CryptoHub.
  </Step>

  <Step>
    Go to the **Deployed Services** tab.
  </Step>

  <Step>
    Select the **Generate Key** service.
  </Step>

  <Step>
    Select the **Key Orders** action.
  </Step>

  <Step>
    In the **Actions** field for the key you created, select the **Information** icon.
  </Step>

  <Step>
    In the **Export** section of the **Key Information** dialog  **Keyblock** field, select either **\[ Copy ]** or **\[ Download ]**.
  </Step>

  <Step>
    In the **Select a KTK** field, type **3DES KTK - Test KEK** and select the key.
  </Step>

  <Step>
    Select **TR-31**, **AKB**, or **ECB no padding** for ANSI X9.17 cryptograms.

    * **TR-31**
      * B0096P0TN00E00008378AD73BB7B6408CCA6CA7C14D8BDDDAFE9E75957746E9FB23F31798B69C1F5C0A838DCB0B1408C

    * **AKB**
      * 1PUNE000,B1EAA2E7C35D27AD0ADA8F22441A01CF09473EC8246E50C3,288B4AB3AD55D308

    * **Cryptogram**
      * 9AE93957C36C22D7BA1A9657C85C4026
  </Step>
</Steps>

## Import Key under KTK

Perform the following tasks to complete this process:

1. Deploy Key Lifecycle Management service.
2. Import key.

### Deploy Key Lifecycle Management service

Perform the following steps to deploy the Key Lifecycle Management service:

<Steps>
  <Step>
    Log in to the CryptoHub web dashboard under dual control with the **KeyManager1** and **KeyManager2** users.
  </Step>

  <Step>
    From the **Service Management** page, search for **Key Lifecycle Management** or select the **Key Management** service category and then select the **Key Lifecycle Management** service.
  </Step>

  <Step>
    Select **\[ Deploy ]**.
  </Step>

  <Step>
    Configure **Service Setup** as follows:

    * **Service Name**: Select **Import Key**.
    * **Service Category**: Select **Key Management**.
  </Step>

  <Step>
    Configure **Access Control** as follows:

    * Add the following roles:
      * **Key Manager**
  </Step>

  <Step>
    Configure **Key Approval Setup** as follows:

    * Do not add any roles
  </Step>

  <Step>
    Configure **Key Configuration** as follows:

    * **Algorithm Type**: Select **Symmetric**.
    * **Source**: Select **KTK impor** t.
    * **Select KTKs**: Select **3DES KTK - Test KEK**.
    * **Approvals**: Select **0**.
    * **Key Types**:
      1. Select **\[ Add Key Type ]**
      2. Select **\[ Autofill From Existing ]**
      3. Select the checkmark next to **3DES CVK**
      4. Select **\[ Save ]**
      5. Select **\[ Add Key Type ]**
      6. Select **\[ Autofill From Existing ]**
      7. Select the checkmark next to **3DES MAK**
      8. Select **\[ Save ]**
      9. Select **\[ Add Key Type ]**
      10. Select **\[ Autofill From Existing ]**
      11. Select the checkmark next to **3DES PEK**
      12. Select **\[ Save ]**
    * **Permissions for Created Key**: Select **All users of service**.
  </Step>

  <Step>
    Configure **Print Key** as follows:

    * **Destination**: Select **Do not print**.
  </Step>

  <Step>
    Configure **Webhook** as follows:

    * **Destination**: Select **No webhook**.
  </Step>

  <Step>
    Configure **Lifecycle Management** as follows:

    * **State: Active**
      1. Select either **Manual** or **Automatic Transition** (specify the transition period if you selected Automatic)
      2. Select **\[ Next ]**
    * **State: Archived**
      1. Choose to Enable or Disable
      2. Select **Manual** or **Automatic Transition** (specify the transition period if you selected automatic).
      3. Select **\[ Next ]**.
    * **State: Deactivated**
      * Choose to Enable or Disable.
      * Select **Manual** or **Automatic Transition** (specify the transition period if you selected automatic).
      * Select **\[ Next ]**.
    * **State: Destroyed**
      * This state is always enabled for the service.
      * Manual Transition is required for this state.
  </Step>

  <Step>
    Select **\[ Deploy ]**.
  </Step>
</Steps>

### Import key

Perform the following steps to import the key:

<Steps>
  <Step>
    Go to the main **Service Management** page of the CryptoHub.
  </Step>

  <Step>
    Go to the **Key Wizard** tab.
  </Step>

  <Step>
    Configure **New Key** as follows:

    * **Service**: Select **Generate Key**.
    * **Key Type**: Select **3DES PEK**.
    * **Key Name**: Enter `TEST PEK 2`.
  </Step>

  <Step>
    Configure **Transfer Key Selection** as follows:

    * **Transfer Key**: Select **Test KEK**.
    * **Key Block**: Select **B0096P0TN00E00008378AD73BB7B6408CCA6CA7C14D8BDDDAFE9E75957746E9FB23F31798B69C1F5C0A838DCB0B1408C**.
    * **Format**: TR-31
  </Step>

  <Step>
    Select **\[ Finish Setup ]**.
  </Step>

  <Step>
    Select **\[ Manage Keys ]**.
  </Step>

  <Step>
    In the **Actions** field for the key you created, select the **Information** icon and note the UUID of the key in the **Export** section.
  </Step>
</Steps>
