Excrypt Manager
Configure the Basic Information tab
| Option | Required configuration |
|---|---|
| Role Name | A descriptive name (e.g., ADSS_Signing) |
| Logins Required | Set to 1 If the HSM is in FIPS mode, set Logins Required to 2. |
| Ports | Set to Prod. |
| Connection Sources | Set to Ethernet |
| Managed Roles | Leave blank |
| Use Dual Factor | Set to Never |
| Upgrade Permissions | Leave unchecked |
Configure the Permissions tab
Select the following key permissions:
| Permission | Description |
|---|---|
| Keys | Top-level permission |
| Authorized | Allows keys that require login |
| Import PKI | Allows trusting an external PKI |
| No Usage Wrap | Enables interoperable key wrapping |
Configure the Key Slots tab
Create a range of 1000 total keys that does not overlap with another application partition. Within the specified range, allocate ranges for both symmetric and asymmetric keys.
Enable the required commands
Enable the following commands under Commands:PKCS #11 communication commands:
Key operations commands:
Signing commands:
| Command | Description |
|---|---|
| ECHO | Communication Test / Retrieve Version |
| GPKM | Retrieve key table information |
| HASH | Retrieve device serial |
| RAND | Generate random data |
| TIME | Retrieve HSM time |
| Command | Description |
|---|---|
| ASYL | Load asymmetric key into key table |
| GECC | Generate ECC keypair |
| GPGC | General purpose generate cryptogram from key slot |
| GPKR | General purpose key settings get |
| GPKS | General purpose key settings get / change |
| GRSA | Generate RSA keypair |
| LRSA | Load RSA key into key table |
| Command | Description |
|---|---|
| ASYS | Generate signature using PKI private key |
| GPSR | General purpose RSA encrypt/decrypt or sign/verify with recovery |
FXCLI
Run the following commands to create the application partition and enable the required functions:FXCLI
FXCLI