# Load major keys

> Load major keys into Vectera Plus HSM using Excrypt Manager or FXCLI with appropriate permissions.

<Note>
  For this step, you must log in with an identity that has a role with the Major Keys:Load permission. You can use the default Administrator role and Admin identities.
</Note>

Major keys are the highest-level keys in a Futurex HSM environment. These symmetric keys, stored locally on the HSM, encrypt working keys and critical security parameters. Major keys encrypt all other keys beneath them (with the notable exception of Key Exchange Keys).

<Note>
  Commonly, HSMs within the same environment share major keys to enable synchronization and load balancing, though some settings might not require this.
</Note>

## Load the Futurex Token Key

The **Futurex Token Key (FTK)** wraps all keys stored on the HSM used with PKCS #11. If using multiple HSMs in a cluster, you can use the same FTK for syncing HSMs. An HSM must have an FTK before you can use it with PKCS #11.

Choose one of the following methods to load the FTK:

### Excrypt Manager

Perform the following steps to use Excrypt Manager to load the FTK:

<Steps>
  <Step>
    Go to the **Key Management** menu, and select **\[ Load ]** for the FTK in the **Major Keys** section.

    <Note>
      You can load keys that are XOR’d together, M-of-N fragments, or generated. If this is the first HSM in a cluster, we recommend you generate the key and save it to smart cards as M-of-N fragments.
    </Note>
  </Step>
</Steps>

### FXCLI

Perform the following steps to use FXCLI to load the FTK:

<Steps>
  <Step>
    Run the following **majorkey** FXCLI command to load an FTK into the HSM. You must generate a random FTK if this is the first HSM you are setting up. Optionally, you can also load an FTK onto smart cards simultaneously with the `--fragments-required` and `--fragments-total` flags, as shown in the following example:

    ```shell title="FXCLI" expandable lines wrap theme={null}
      majorkey random --ftk --fragments-required [number_from_2_to_9] --fragments-total [number_from_2_to_9]
    ```
  </Step>

  <Step>
    If you're setting up a second HSM in a cluster, load the FTK from smart cards by running the remaining commands in this procedure.

    <Note>
      This example recombines the fragments from only two smart cards. However, you can recombine fragments from up to nine smart cards.
    </Note>
  </Step>

  <Step>
    Start the major key recombining process for the FTK.

    ```shell title="FXCLI" expandable lines wrap theme={null}
      majorkey recombine --key ftk
    ```
  </Step>

  <Step>
    Log in to the first smart card (enter the smart card PIN when prompted for a password).

    ```shell title="FXCLI" expandable lines wrap theme={null}
      smartcard login
    ```
  </Step>

  <Step>
    Continue to the next smart card.

    ```shell title="FXCLI" expandable lines wrap theme={null}
      smartcard next
    ```
  </Step>

  <Step>
    Log in to the second smart card (enter the smart card PIN when prompted for a password).

    ```shell title="FXCLI" expandable lines wrap theme={null}
      smartcard login
    ```
  </Step>

  <Step>
    Complete the fragment recombining process.

    ```shell title="FXCLI" expandable lines wrap theme={null}
      smartcard next
    ```

    <Check>
      If the key recreation process succeeded, you see a success message, along with the final key checksum, as shown in the following sample:

      ```none expandable lines wrap title="None" theme={null}
      smartcard next
      result:
          status: success
          statusCode: 0
      operationActive: false
      kcv: "9211"
      ```
    </Check>
  </Step>
</Steps>

## Load the Platform Master Key

The **Platform Master Key (PMK)** is the primary major key used in general-purpose environments or those using AES cryptographic algorithms. It wraps all users and subordinate keys on the server. The PMK is typically a 256-bit AES key that encrypts system parameters, including SMTP passwords and SFTP credentials. The key is the default for creating or importing keys or certificates and is the major key for asymmetric key generation.

Choose one of the following methods to load the PMK:

### Excrypt Manager

Perform the following steps to use Excrypt Manager to load the PMK:

<Steps>
  <Step>
    Go to the **Key Management** menu, and select **\[ Load ]** for the PMK in the **Major Keys** section.

    <Note>
      You can load keys that are XOR’d together, M-of-N fragments, or generated. If this is the first HSM in a cluster, we recommend you generate the key and save it to smart cards as M-of-N fragments.
    </Note>
  </Step>
</Steps>

### FXCLI

Perform the following steps to use FXCLI to load the PMK:

<Steps>
  <Step>
    Run the following **majorkey** FXCLI commands to load a PMK into the HSM. You must generate a random PMK if this is the first HSM you are setting up. Optionally, you can also load a PMK onto smart cards simultaneously with the `--fragments-required` and `--fragments-total` flags, as shown in the following example:

    ```shell title="FXCLI" expandable lines wrap theme={null}
      majorkey random --pmk --fragments-required [number_from_2_to_9] --fragments-total [number_from_2_to_9]
    ```
  </Step>

  <Step>
    If this is the second HSM you're setting up in a cluster, load the PMK from smart cards by running the remaining commands in this procedure.

    <Note>
      This example recombines fragments from only two smart cards, but you can recombine fragments from up to nine smart cards.
    </Note>
  </Step>

  <Step>
    Start the major key recombining process for the PMK.

    ```shell title="FXCLI" expandable lines wrap theme={null}
      majorkey recombine --key pmk
    ```
  </Step>

  <Step>
    Log in to the first smart card (enter the smart card PIN when prompted for a password).

    ```shell title="FXCLI" expandable lines wrap theme={null}
      smartcard login
    ```
  </Step>

  <Step>
    Continue to the next smart card.

    ```shell title="FXCLI" expandable lines wrap theme={null}
      smartcard next
    ```
  </Step>

  <Step>
    Log in to the second smart card (enter the smart card PIN when prompted for a password).

    ```shell title="FXCLI" expandable lines wrap theme={null}
      smartcard login
    ```
  </Step>

  <Step>
    Complete the fragment recombining process.

    ```shell title="FXCLI" expandable lines wrap theme={null}
      smartcard next
    ```

    <Check>
      If the key recreation process succeeded, you see a success message, along with the final key checksum, as shown in the following sample:

      ```none expandable lines wrap title="None" theme={null}
      smartcard next
      result:
          status: success
          statusCode: 0
      operationActive: false
      kcv: "9211"
      ```
    </Check>
  </Step>
</Steps>

## Load the Backup Encryption Key

The Vectera Plus also supports loading a **Backup Encryption Key (BEK)** to back up the HSM configuration or HSM keys.

Choose one of the following methods to load the BEK:

### Excrypt Manager

Unlike other major keys on the HSM, if you load the BEK through Excrypt Manager, you must do so from the **Maintenance** menu.

Perform the following steps to use Excrypt Manager to load the BEK:

<Steps>
  <Step>
    Go to the **Maintenance** menu, and select any available buttons for backing up keys or configuration.
  </Step>

  <Step>
    When prompted to load the key, select **\[ Load Backup Key ]**.

    <Note>
      You can load keys that are XOR’d together, M-of-N fragments, or generated. If this is the first HSM in a cluster, we recommend you generate the key and save it to smart cards as M-of-N fragments.
    </Note>
  </Step>
</Steps>

### FXCLI

Perform the following steps to use FXCLI to load the BEK:

<Steps>
  <Step>
    Run the following **majorkey** FXCLI commands to load a BEK into the HSM. You must generate a random BEK if this is the first HSM you are setting up. Optionally, you can also load a BEK onto smart cards simultaneously with the `--fragments-required` and `--fragments-total` flags, as shown in the following example:

    ```shell title="FXCLI" expandable lines wrap theme={null}
      majorkey random --bek --fragments-required [number_from_2_to_9] --fragments-total [number_from_2_to_9]
    ```
  </Step>

  <Step>
    If this is the second HSM you're setting up in a cluster, load the BEK from smart cards by running the remaining commands in this procedure.

    <Note>
      This example recombines fragments from only two smart cards. However, you can recombine fragments from up to nine smart cards.
    </Note>
  </Step>

  <Step>
    Start the major key recombining process for the BEK.

    ```shell title="FXCLI" expandable lines wrap theme={null}
      majorkey recombine --key bek
    ```
  </Step>

  <Step>
    Log in to the first smart card (enter the smart card PIN when prompted for a password).

    ```shell title="FXCLI" expandable lines wrap theme={null}
      smartcard login
    ```
  </Step>

  <Step>
    Continue to the next smart card.

    ```shell title="FXCLI" expandable lines wrap theme={null}
      smartcard next
    ```
  </Step>

  <Step>
    Log in to the second smart card (enter the smart card PIN when prompted for a password).

    ```shell title="FXCLI" expandable lines wrap theme={null}
      smartcard login
    ```
  </Step>

  <Step>
    Complete the fragment recombining process.

    ```shell title="FXCLI" expandable lines wrap theme={null}
      smartcard next
    ```

    <Check>
      If the key recreation process succeeded, you see a success message, along with the final key checksum, as shown in the following sample:

      ```none expandable lines wrap title="None" theme={null}
      smartcard next
      result:
          status: success
          statusCode: 0
      operationActive: false
      kcv: "9211"
      ```
    </Check>
  </Step>
</Steps>
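
The following script is an added example, not part of FXCLI or the Futurex documentation. It checks a saved transcript of the final `smartcard next` step from any of the FTK, PMK, or BEK recombine procedures above and confirms that the reported KCV matches the one recorded for the same key on the first HSM. It assumes the transcript uses the format of the sample output on this page and that you recorded the expected KCV yourself; the function names are hypothetical and the sample transcripts are constructed.

```shell
# Added example (hypothetical function names, constructed sample transcripts).

# field NAME: read a transcript on stdin, print the value of "NAME: value".
field() {
  awk -v k="$1" '
    { line = $0; sub(/^[ \t]+/, "", line) }
    index(line, k ":") == 1 {
      val = substr(line, length(k) + 2)
      gsub(/^[ \t"]+|[ \t"\r]+$/, "", val)
    }
    END { print val }'
}

# verify_recombine TRANSCRIPT EXPECTED_KCV
# Returns 0 only when the operation succeeded, has finished, and the KCV
# equals the one recorded for this key on the first HSM.
verify_recombine() {
  status=$(printf '%s\n' "$1" | field status)
  code=$(printf '%s\n' "$1" | field statusCode)
  active=$(printf '%s\n' "$1" | field operationActive)
  kcv=$(printf '%s\n' "$1" | field kcv | tr 'a-f' 'A-F')
  expected=$(printf '%s' "$2" | tr 'a-f' 'A-F')

  if [ "$status" != "success" ] || [ "$code" != "0" ]; then
    echo "FAIL: status=$status statusCode=$code"; return 1
  fi
  [ "$active" = "false" ] || { echo "FAIL: recombine not finished"; return 2; }
  [ -n "$kcv" ] || { echo "FAIL: no kcv reported"; return 3; }
  [ "$kcv" = "$expected" ] || { echo "FAIL: kcv $kcv, expected $expected"; return 4; }
  echo "OK: kcv $kcv matches the recorded value"
}

# Transcript in the format of the sample output on this page.
SAMPLE_DONE='smartcard next
result:
    status: success
    statusCode: 0
operationActive: false
kcv: "9211"'

# Constructed: a step that succeeded while the operation is still active.
SAMPLE_PENDING='smartcard next
result:
    status: success
    statusCode: 0
operationActive: true'

verify_recombine "$SAMPLE_DONE" 9211                 # matches
verify_recombine "$SAMPLE_DONE" 4F0A || true         # a different key was loaded
verify_recombine "$SAMPLE_PENDING" 9211 || true      # not finished yet
```

A KCV mismatch (return code 4) means the HSM holds a different key than the one recorded, so keys wrapped under that major key on the first HSM will not be usable on this one.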
