For this step, you must log in with an identity that has a role with the Major Keys:Load permission. You can use the default Administrator role and Admin identities.
Major keys are the highest-level keys in a Futurex HSM environment. These symmetric keys, stored locally on the HSM, encrypt working keys and critical security parameters. Major keys encrypt all other keys beneath them (with the notable exception of Key Exchange Keys).
Commonly, HSMs within the same environment share major keys to enable synchronization and load balancing, though some settings might not require this.

Load the Futurex Token Key

The Futurex Token Key (FTK) wraps all keys stored on the HSM used with PKCS #11. If using multiple HSMs in a cluster, you can use the same FTK for syncing HSMs. An HSM must have an FTK before you can use it with PKCS #11. Choose one of the following methods to load the FTK:

Excrypt Manager

Perform the following steps to use Excrypt Manager to load the FTK:
1. Go to the Key Management menu, and select [ Load ] for the FTK in the Major Keys section.
You can load keys that are XOR’d together, M-of-N fragments, or generated. If this is the first HSM in a cluster, we recommend you generate the key and save it to smart cards as M-of-N fragments.

FXCLI

Perform the following steps to use FXCLI to load the FTK:
1. Run the following majorkey FXCLI command to load an FTK into the HSM. You must generate a random FTK if this is the first HSM you are setting up. Optionally, you can also load an FTK onto smart cards simultaneously with the --fragments-required and --fragments-total flags, as shown in the following example:
  majorkey random --ftk --fragments-required [number_from_2_to_9] --fragments-total [number_from_2_to_9]
2. If you’re setting up a second HSM in a cluster, load the FTK from smart cards by running the remaining commands in this procedure.
This example recombines the fragments from only two smart cards. However, you can recombine fragments from up to nine smart cards.
3. Start the major key recombining process for the FTK.
  majorkey recombine --key ftk
4. Log in to the first smart card (enter the smart card PIN when prompted for a password).
  smartcard login
5. Continue to the next smart card.
  smartcard next
6. Log in to the second smart card (enter the smart card PIN when prompted for a password).
  smartcard login
7. Complete the fragment recombining process.
  smartcard next
If the key recreation process succeeded, you see a success message, along with the final key checksum, as shown in the following sample:
smartcard next
result:
    status: success
    statusCode: 0
operationActive: false
kcv: "9211"

Load the Platform Master Key

The Platform Master Key (PMK) is the primary major key used in general-purpose environments or those using AES cryptographic algorithms. It wraps all users and subordinate keys on the server. The PMK is typically a 256-bit AES key that encrypts system parameters, including SMTP passwords and SFTP credentials. The key is the default for creating or importing keys or certificates and is the major key for asymmetric key generation. Choose one of the following methods to load the PMK:

Excrypt Manager

Perform the following steps to use Excrypt Manager to load the PMK:
1. Go to the Key Management menu, and select [ Load ] for the PMK in the Major Keys section.
You can load keys that are XOR’d together, M-of-N fragments, or generated. If this is the first HSM in a cluster, we recommend you generate the key and save it to smart cards as M-of-N fragments.

FXCLI

Perform the following steps to use FXCLI to load the PMK:
1. Run the following majorkey FXCLI command to load a PMK into the HSM. You must generate a random PMK if this is the first HSM you are setting up. Optionally, you can also load a PMK onto smart cards simultaneously with the --fragments-required and --fragments-total flags, as shown in the following example:
  majorkey random --pmk --fragments-required [number_from_2_to_9] --fragments-total [number_from_2_to_9]
2. If this is the second HSM you’re setting up in a cluster, load the PMK from smart cards by running the remaining commands in this procedure.
This example recombines fragments from only two smart cards, but you can recombine fragments from up to nine smart cards.
3. Start the major key recombining process for the PMK.
  majorkey recombine --key pmk
4. Log in to the first smart card (enter the smart card PIN when prompted for a password).
  smartcard login
5. Continue to the next smart card.
  smartcard next
6. Log in to the second smart card (enter the smart card PIN when prompted for a password).
  smartcard login
7. Complete the fragment recombining process.
  smartcard next
If the key recreation process succeeded, you see a success message, along with the final key checksum, as shown in the following sample:
smartcard next
result:
    status: success
    statusCode: 0
operationActive: false
kcv: "9211"

Load the Backup Encryption Key

The Vectera Plus also supports loading a Backup Encryption Key (BEK) to back up the HSM configuration or HSM keys. Choose one of the following methods to load the BEK:

Excrypt Manager

Unlike other major keys on the HSM, if you load the BEK through Excrypt Manager, you must do so from the Maintenance menu. Perform the following steps to use Excrypt Manager to load the BEK:
1. Go to the Maintenance menu, and select any available buttons for backing up keys or configuration.
2. When prompted to load the key, select [ Load Backup Key ].
You can load keys that are XOR’d together, M-of-N fragments, or generated. If this is the first HSM in a cluster, we recommend you generate the key and save it to smart cards as M-of-N fragments.

FXCLI

Perform the following steps to use FXCLI to load the BEK:
1. Run the following majorkey FXCLI command to load a BEK into the HSM. You must generate a random BEK if this is the first HSM you are setting up. Optionally, you can also load a BEK onto smart cards simultaneously with the --fragments-required and --fragments-total flags, as shown in the following example:
  majorkey random --bek --fragments-required [number_from_2_to_9] --fragments-total [number_from_2_to_9]
2. If this is the second HSM you’re setting up in a cluster, load the BEK from smart cards by running the remaining commands in this procedure.
This example recombines fragments from only two smart cards. However, you can recombine fragments from up to nine smart cards.
3. Start the major key recombining process for the BEK.
  majorkey recombine --key bek
4. Log in to the first smart card (enter the smart card PIN when prompted for a password).
  smartcard login
5. Continue to the next smart card.
  smartcard next
6. Log in to the second smart card (enter the smart card PIN when prompted for a password).
  smartcard login
7. Complete the fragment recombining process.
  smartcard next
If the key recreation process succeeded, you see a success message, along with the final key checksum, as shown in the following sample:
smartcard next
result:
    status: success
    statusCode: 0
operationActive: false
kcv: "9211"
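
The final check in each of the three FXCLI procedures above (FTK, PMK, BEK) can be scripted. The following is an added example, not Futurex code: it parses captured output in the format of the sample on this page and confirms that the recombine finished and that the reported KCV equals the one recorded when the key was generated on the first HSM. The function names, the reading of operationActive as "still waiting for fragments", and capturing the output as a string are assumptions.

```python
import re

# Constructed sample input, in the output format shown on this page.
SAMPLE_OUTPUT = '''smartcard next
result:
    status: success
    statusCode: 0
operationActive: false
kcv: "9211"
'''


def parse_fields(output):
    """Collect 'name: value' pairs from the output, ignoring nesting."""
    fields = {}
    for line in output.splitlines():
        # Lines such as 'result:' (no value) and the echoed command are skipped.
        m = re.match(r'^\s*([A-Za-z]+):\s*(\S.*)$', line)
        if m:
            fields[m.group(1)] = m.group(2).strip().strip('"')
    return fields


def check_recombine(output, expected_kcv):
    """Return (ok, reason). expected_kcv is the KCV recorded on the first HSM."""
    f = parse_fields(output)
    if f.get("status") != "success" or f.get("statusCode") != "0":
        return False, "command failed: status=%s code=%s" % (
            f.get("status"), f.get("statusCode"))
    # Assumption: operationActive other than 'false' means fragments are still expected.
    if f.get("operationActive") != "false":
        return False, "recombine still in progress"
    kcv = f.get("kcv")
    if kcv is None:
        return False, "no kcv in output"
    # KCVs are hex strings, so compare case-insensitively.
    if kcv.upper() != expected_kcv.upper():
        return False, "kcv mismatch: got %s, expected %s" % (kcv, expected_kcv)
    return True, "kcv matches"


if __name__ == "__main__":
    print(check_recombine(SAMPLE_OUTPUT, "9211"))
```

A mismatch means the HSM holds a different key from the first HSM in the cluster, so keys wrapped under that major key will not be usable across the two devices.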