Excrypt Manager
Perform the following steps on Excrypt Manager to create an application partition:In the Basic Information tab, configure all of the fields as follows:
| Option | Required configuration |
|---|---|
| Role Name | Specify any name that you would like for this new application partition. |
| Logins Required | Set to 1 If the HSM is in FIPS mode, you must set Logins Required to 2. |
| Ports | Set to Prod. |
| Connection Sources | Set to Ethernet. |
| Managed Roles | Leave blank because you specify the exact Permissions, Key Slots, and Commands for this application partition or role to have access to. |
| Use Dual Factor | Set to Never. |
| Upgrade Permissions | Leave unchecked. |
In the Permissions tab, select the following key permissions:
| Permission | Description |
|---|---|
| Keys | Top-level permission |
| Authorized | Allows for keys that require login |
| Import PKI | Allows trusting an external PKI. Generally not recommended, but some applications use this option for PKI symmetric key wrapping. |
| No Usage Wrap | Enables interoperable key wrapping without defining key usage as part of the wrapped key. Use this only if you want to exchange keys with external entities or use the HSM to wrap externally used keys. |
In the Key Slots tab, we recommend you create a range of 1000 total keys that do not overlap with another application partition. Within the specified range, you should have ranges for both symmetric and asymmetric keys. If the application requires more keys, configure it accordingly.
To use the HSM functionality, you must enable particular functions on the application partition based on application requirements. Enable the following commands under Commands:PKCS #11 communication commands:
Key operations commands:
Interoperable key wrapping:
Data encryption commands:
Signing commands:
| Command | Description |
|---|---|
| ECHO | Communication Test/Retrieve Version |
| HASH | Retrieve device serial |
| GPKM | Retrieve key table information |
| GPKR | General-purpose key settings get (read-only) |
| GPKS | General-purpose key settings get/change |
| RAND | Generate random data |
| PRMD | Retrieve HSM permissions |
| Command | Description |
|---|---|
| APFP | Generate PKI Public Key from Private Key |
| ASYL | Load asymmetric key into the key table |
| GECC | Generate an ECC Key Pair |
| GPCA | General-purpose add certificate to key table |
| GPGS | General-purpose generate symmetric key |
| GPKA | General-purpose key add |
| GPKD | General-purpose key slot delete/clear |
| GRSA | Generate RSA Private and Public Key |
| LRSA | Load key into the RSA Key Table |
| RPFP | Get public components from the RSA private key |
| Command | Description |
|---|---|
| GPKU | General-purpose key unwrap (unrestricted) |
| GPUK | General-purpose key unwrap (preserves key usage) |
| GPKW | General-purpose key wrap (unrestricted) |
| GPWK | General-purpose key wrap (preserves key usage) |
| Command | Description |
|---|---|
| ADPK | PKI Decrypt Trusted Public Key |
| GHSH | Generate a Hash (Message Digest) Starting in firmware version 7.x, this function is enabled by default and does not need to be specified. |
| GPSE | General-purpose Symmetric Encrypt |
| GPSD | General-purpose Symmetric Decrypt |
| GPGC | General-purpose generate cryptogram from key slot |
| GPMC | General-purpose MAC (Message Authentication Code) |
| GPSR | General-purpose RSA encrypt/decrypt or sign/verify with recovery |
| HMAC | Generate a hash-based message authentication code |
| RDPK | Get Clear Public Key from Cryptogram |
| Command | Description |
|---|---|
| ASYS | Generate a Signature Using a PKI Private Key |
| ASYV | Verify a Signature Using a Public Key |
| GPSV | General-purpose data sign and verify |
| RSAS | Generate a Signature Using a RSA Private Key |
FXCLI
Run the following role FXCLI commands to create the new application partition and enable all needed functions:FXCLI
FXCLI