This section covers options for transporting keys from an external source to a Futurex HSM, such as a KMES Series 3. The process choice depends on the following elements:
- The key source (that is, which HSM or key management server vendor you are transferring the keys from)
- The key type (symmetric versus asymmetric)
- The number of keys that you need to move
Exporting keys from non-Futurex HSMs or key management servers
Typically, third-party HSMs and key management servers support exporting keys, including private keys, under a wrapping key (such as a KEK). Sometimes, you must put the HSM or key management server in a special export mode. For details, refer to the documentation specific to each third-party HSM or key management server.
Exporting keys from software sources
Exporting keys from software sources is often a more straightforward process than exporting from HSMs because you can transfer keys in PKCS #12 format. As the Key sources section explains, PKCS #12 defines an archive file format for storing many cryptographic objects as a single file. Commonly, it bundles a private key with its X.509 certificate or bundles all the members of a chain of trust. You can use the following command to generate a PKCS #12 file by using OpenSSL if you have the clear private key and its corresponding certificate:
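One way to build such a file with OpenSSL and confirm that the bundled key matches its certificate, as an added example rather than the page's own command. The throwaway key, self-signed certificate, file names, friendly name and passphrase are all constructed stand-ins for your real clear key and certificate.

```shell
#!/bin/sh
# Added example. Every name, subject and passphrase below is constructed.
set -eu
umask 077                                  # key material readable by owner only
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Stand-in for your real inputs: throwaway RSA key + self-signed certificate.
make_test_material() {                     # $1 = output directory
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=p12-export-example" \
    -keyout "$1/key.pem" -out "$1/cert.pem" 2>/dev/null
}

# Bundle a clear private key and its certificate into one PKCS #12 file.
# The passphrase is read from a file so it never appears in the process list.
make_p12() {                               # $1 key  $2 cert  $3 out.p12  $4 passfile
  openssl pkcs12 -export -inkey "$1" -in "$2" -name "example-key" \
    -out "$3" -passout "file:$4"
}

# Check that the private key inside the bundle belongs to the given certificate
# by comparing public keys. The decrypted key only travels through a pipe.
p12_matches_cert() {                       # $1 p12  $2 passfile  $3 cert
  p12_pub=$(openssl pkcs12 -in "$1" -passin "file:$2" -nocerts -nodes 2>/dev/null \
            | openssl pkey -pubout 2>/dev/null) || return 1
  cert_pub=$(openssl x509 -in "$3" -noout -pubkey) || return 1
  [ -n "$p12_pub" ] && [ "$p12_pub" = "$cert_pub" ]
}

make_test_material "$WORK"
printf '%s\n' 'constructed-passphrase' > "$WORK/pass.txt"
make_p12 "$WORK/key.pem" "$WORK/cert.pem" "$WORK/bundle.p12" "$WORK/pass.txt"
if p12_matches_cert "$WORK/bundle.p12" "$WORK/pass.txt" "$WORK/cert.pem"; then
  echo "bundle.p12: private key matches certificate"
fi
```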
Encrypted key import
You can use the following methods to import encrypted keys into a Vectera Plus or KMES Series 3:
- For asymmetric keys:
  - PKCS #12: Use the Futurex Command Line Interface (FXCLI)
  - PKCS #8: Use the RSTE Excrypt command
- For symmetric keys:
  - Use a Key Exchange Key (KEK)
Clear key import
You can use the following methods to import clear keys into only the Vectera Plus HSM. The KMES Series 3 does not support clear key import.

| Method | Description |
|---|---|
| Full clear key import by using Excrypt Manager | If you have the full clear key value, import it into the Vectera Plus by logging in under dual control through Excrypt Manager and then loading the key by either the Symmetric or Asymmetric Key Loading Wizard. |
| Component import by using either Excrypt Manager or FXCLI | You can also load clear keys as components. In this scenario, more than one person possesses clear key values from different parts of a key. Component holders must then log in to the Vectera Plus under dual control (by using either Excrypt Manager or FXCLI) and load each key component. Then the key parts are XOR’d together and stored on the HSM. This option is more common in the financial space. |
| Converting to KEK for batch import | If you need to import many keys, logging in under dual control and loading every individual key is not feasible. In this situation, you can encrypt all the keys under a single KEK and then batch import them into the Vectera Plus by using the TWKS Excrypt command. |

