Load major keys

for this step, you must log in with an identity that has a role with the major keys\ load permission you can use the default administrator role and admin identities major keys are the highest level keys in a {{futurex}} hsm environment these symmetric keys, stored locally on the hsm, encrypt working keys and critical security parameters major keys encrypt all other keys beneath them (with the notable exception of key exchange keys) commonly, hsms within the same environment share major keys to enable synchronization and load balancing, though some settings might not require this load the {{futurex}} token key the futurex token key (ftk) wraps all keys stored on the hsm used with pkcs #11 if using multiple hsms in a cluster, you can use the same ftk for syncing hsms an hsm must have an ftk before you can use it with pkcs #11 choose one of the following methods to load the ftk excrypt manager perform the following steps to use excrypt manager to load the ftk key go to the key management menu, and select \[ load ] for the ftk in the major keys section you can load keys that are xor’d together, m of n fragments, or generated if this is the first hsm in a cluster, we recommend you generate the key and save it to smart cards as m of n fragments fxcli perform the following steps to use fxcli to load the ftk key run the following majorkey fxcli command to load an ftk into the hsm you must generate a random ftk if this is the first hsm you are setting up optionally, you can also load an ftk onto smart cards simultaneously with the fragments required and fragments total flags, as shown in the following example fxcli majorkey random ftk fragments required \[number from 2 to 9] fragments total \[number from 2 to 9] if you're setting up a second hsm in a cluster, load the ftk from smart cards by running the remaining commands in this procedure this example recombines the fragments from only two smart cards however, you can recombine fragments from up to nine smart cards start the major key recombining process for the ftk fxcli majorkey recombine key ftk log in to the first smart card (enter the smart card pin when prompted for a password) fxcli smartcard login continue to the next smart card fxcli smartcard next log in to the second smart card (enter the smart card pin when prompted for a password) fxcli smartcard login complete the fragment recombining process fxcli smartcard next if the key recreation process succeeded, you see a success message, along with the final key checksum, as shown in the following sample smartcard next result status success statuscode 0 operationactive false kcv "9211" load the platform master key the platform master key (pmk) is the primary major key used in general purpose environments or those using aes cryptographic algorithms it wraps all users and subordinate keys on the server the pmk is typically a 256 bit aes key that encrypts system parameters, including smtp passwords and sftp credentials the key is the default for creating or importing keys or certificates and is the major key for asymmetric key generation choose one of the following methods to load the pmk excrypt manager perform the following steps to use excrypt manager to load the pmk go to the key management menu, and select \[ load ] for the pmk in the major keys section you can load keys that are xor’d together, m of n fragments, or generated if this is the first hsm in a cluster, we recommend you generate the key and save it to smart cards as m of n fragments fxcli perform the following steps to use excrypt manager to load the pmk run the following majorkey fxcli commands to load a pmk into the hsm you must generate a random pmk if this is the first hsm you are setting up optionally, you can also load a pmk onto smart cards simultaneously with the fragments required and fragments total flags, as shown in the following example fxcli majorkey random pmk fragments required \[number from 2 to 9] fragments total \[number from 2 to 9] if this is the second hsm you're setting up in a cluster, load the pmk from smart cards by running the remaining commands in this procedure this example recombines fragments from only two smart cards, but you can recombine fragments from up to nine smart cards start the major key recombining process for the pmk fxcli majorkey recombine key pmk log in to the first smart card (enter the smart card pin when prompted for a password) fxcli smartcard login continue to the next smart card fxcli smartcard next log in to the second smart card (enter the smart card pin when prompted for a password) fxcli smartcard login complete the fragment recombining process fxcli smartcard next if the key recreation process succeeded, you see a success message, along with the final key checksum, as shown in the following sample smartcard next result status success statuscode 0 operationactive false kcv "9211" load the backup encryption key the {{vectera}} also supports loading a backup encryption key (bek) to back up the hsm configuration or hsm keys choose one of the following methods to load the bek excrypt manager unlike other major keys on the hsm, if you load the bek through excrypt manager, you must do so from the maintenance menu perform the following steps to use excrypt manager to load the bek go to the maintenance menu, and select any available buttons for backing up keys or configuration when prompted to load the key, select \[ load backup key ] you can load keys that are xor’d together, m of n fragments, or generated if this is the first hsm in a cluster, we recommend you generate the key and save it to smart cards as m of n fragments fxcli perform the following steps to use fxcli to load the bek run the following majorkey fxcli commands to load a bek into the hsm you must generate a random bek if this is the first hsm you are setting up optionally, you can also load a pmk onto smart cards simultaneously with the fragments required and fragments total flags, as shown in the following example fxcli majorkey random bek fragments required \[number from 2 to 9] fragments total \[number from 2 to 9] if this is the second hsm you're setting up in a cluster, load the pmk from smart cards by running the remaining commands in this procedure this example recombines fragments from only two smart cards however, you can recombine fragments from up to nine smart cards start the major key recombining process for the pmk fxcli majorkey recombine key bek log in to the first smart card (enter the smart card pin when prompted for a password) fxcli smartcard login continue to the next smart card fxcli smartcard next log in to the second smart card (enter the smart card pin when prompted for a password) fxcli smartcard login complete the fragment recombining process fxcli smartcard next if the key recreation process succeeded, you see a success message, along with the final key checksum, as shown in the following sample smartcard next result status success statuscode 0 operationactive false kcv "9211"