When considering different key storage methods, keep the following factors in mind:
- Storage location: Do you store keys on or off the HSM?
- Format: In what format do you store encrypted keys?
Storing keys on or off the HSM
For general-purpose use cases, you primarily store keys on the HSM. However, some HSM products depart from this norm by storing keys off the HSM (for example, nShield Security World). In this case, you encrypt those off-HSM keys with a master key that you store on the HSM.
Encrypted key format
Encrypted keys are generally in one of the following formats:
- Cryptogram
- TR-31 key block
What is a cryptogram?
A cryptogram is an encrypted blob of key data. Aside from the encryption itself, it carries no additional security mechanisms. Instead of a cryptogram, we recommend using TR-31 key blocks to manage keys; the following section explains their advantages.
What is a TR-31 key block?
The ANSI X9.24-1-2017 specification describes TR-31 key blocks. The key block structure consists of the following parts:

| Part | Description |
|---|---|
| Header | The header is the least sensitive part of the key block. It defines the key block type, key usage, and key type. |
| Encrypted key data | This part contains all the sensitive key data, including the actual key values and their size. It can optionally contain the ciphering mode used and data padding options. |
| MAC | The Message Authentication Code (MAC), an integrity check of the header and key data, ensures that the key block is unmodified. |
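To make the three-part layout concrete, here is a small parser that splits a TR-31 key block into its header fields, optional blocks, encrypted key data and MAC. It is an added example, not Futurex code; the sample blocks are constructed, so their key data and MAC values are placeholder hex and the MAC is not verified (that requires the key block protection key held on the HSM).

```python
"""Split an ANSI TR-31 key block into header, optional blocks, encrypted key data and MAC.
Added example, not Futurex documentation code; the MAC is only located, not verified."""
from dataclasses import dataclass, field

# MAC length in hex characters per version ID: A/C use 4 bytes, B uses 8 bytes, D uses 16 bytes
MAC_HEX_LEN = {"A": 8, "B": 16, "C": 8, "D": 32}

@dataclass
class KeyBlock:
    version: str          # key block version ID (A, B, C or D)
    key_usage: str        # e.g. P0 = PIN encryption key, K0 = key wrapping key
    algorithm: str        # T = TDES, A = AES, R = RSA, ...
    mode_of_use: str      # B = encrypt and decrypt, N = no restriction, X = derive, ...
    key_version: str      # two-character key version number
    exportability: str    # E = exportable, N = non-exportable, S = sensitive
    optional_blocks: dict = field(default_factory=dict)
    encrypted_key_data: str = ""
    mac: str = ""

def parse_tr31(block: str) -> KeyBlock:
    """Parse the 16-character header, walk the optional blocks, then split key data from MAC."""
    if len(block) < 16:
        raise ValueError("key block shorter than the 16-character header")
    version = block[0]
    if version not in MAC_HEX_LEN:
        raise ValueError(f"unknown key block version ID {version!r}")
    declared_len = int(block[1:5])  # total key block length, 4 decimal digits
    if declared_len != len(block):
        raise ValueError(f"length field {declared_len} does not match actual length {len(block)}")
    kb = KeyBlock(version, block[5:7], block[7], block[8], block[9:11], block[11])
    pos = 16
    for _ in range(int(block[12:14])):  # number of optional blocks, 2 decimal digits
        opt_id = block[pos:pos + 2]
        opt_len = int(block[pos + 2:pos + 4], 16)  # total length incl. ID and length fields
        if opt_len < 4 or pos + opt_len > len(block):
            raise ValueError(f"malformed optional block {opt_id!r}")
        kb.optional_blocks[opt_id] = block[pos + 4:pos + opt_len]
        pos += opt_len
    mac_len = MAC_HEX_LEN[version]
    if len(block) - pos <= mac_len:
        raise ValueError("no room for encrypted key data before the MAC")
    kb.encrypted_key_data = block[pos:-mac_len]
    kb.mac = block[-mac_len:]
    return kb

# Constructed samples: version B, PIN encryption key (P0), TDES (T), encrypt+decrypt (B),
# non-exportable (N); 24 bytes of placeholder key data and an 8-byte placeholder MAC.
SAMPLE_BLOCK = "B0080P0TB00N0000" + "AB" * 24 + "CD" * 8
SAMPLE_WITH_OPT = "B0096P0TB00N0100" + "KS10" + "0123456789AB" + "AB" * 24 + "CD" * 8
```

A mismatched length field or a truncated optional block is rejected before any key data is touched, which is the kind of structural check an HSM performs before it even considers the MAC.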

