Load major keys

For this step, you must log in with an identity that has a role with the Major Keys:Load permission. You can use the default Administrator role and Admin identities.

Major keys are the highest-level keys in an HSM environment. These symmetric keys, stored locally on the HSM, encrypt working keys and critical security parameters. Major keys encrypt all other keys beneath them (with the notable exception of Key Exchange Keys).

Commonly, HSMs within the same environment share major keys to enable synchronization and load balancing, though some settings might not require this.

Load the Futurex Token Key

The Futurex Token Key (FTK) wraps all keys stored on the HSM used with PKCS #11. If using multiple HSMs in a cluster, you can use the same FTK for syncing HSMs. An HSM must have an FTK before you can use it with PKCS #11.

Choose one of the following methods to load the FTK:

Excrypt Manager
FXCLI
1. Go to the Key Management menu, then select [ Load ] for the FTK in the Major Keys section.

You can load keys that are XOR’d together, M-of-N fragments, or generated. If this is the first HSM in a cluster, we recommend you generate the key and save it to smart cards as M-of-N fragments.

Load the Platform Master Key

The Platform Master Key (PMK) is the primary major key used in general-purpose environments or those using AES cryptographic algorithms. It wraps all users and subordinate keys on the server. The PMK is typically a 256-bit AES key that encrypts system parameters, including SMTP passwords and SFTP credentials. The key is the default for creating or importing keys or certificates and is the major key for asymmetric key generation.

Choose one of the following methods to load the PMK:

Excrypt Manager
FXCLI
1. Go to the Key Management menu, and select [ Load ] for the PMK in the Major Keys section.

You can load keys that are XOR’d together, M-of-N fragments, or generated. If this is the first HSM in a cluster, we recommend you generate the key and save it to smart cards as M-of-N fragments.

Load the Backup Encryption Key

The Vectera Plus also supports loading a Backup Encryption Key (BEK) to back up the HSM configuration or HSM keys.

Choose one of the following methods to load the BEK:

Excrypt Manager
FXCLI

Unlike other major keys on the HSM, if you load the BEK through Excrypt Manager, you must do so from the Maintenance menu.

1. Go to the Maintenance menu, and select any available buttons for backing up keys or configuration.

2. When prompted to load the key, select [ Load Backup Key ].

You can load keys that are XOR’d together, M-of-N fragments, or generated. If this is the first HSM in a cluster, we recommend you generate the key and save it to smart cards as M-of-N fragments.
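
The difference between loading XOR'd components and M-of-N fragments, as an added Python illustration that is not Futurex code and not part of the original page. Shamir secret sharing over GF(2^8) stands in for the M-of-N scheme, which the page does not specify, and all function names are hypothetical.

```python
# Added illustration only: XOR components need every part, M-of-N needs any m.
import secrets
from functools import reduce

def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def xor_split(key, n):
    """n components; ALL n are required, and their XOR is the key."""
    parts = [secrets.token_bytes(len(key)) for _ in range(n - 1)]
    return parts + [reduce(xor_bytes, parts, key)]

def xor_combine(parts):
    return reduce(xor_bytes, parts)

def gf_mul(a, b):
    """Multiply in GF(2^8) modulo the AES polynomial 0x11B."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a = (a << 1) ^ (0x11B if a & 0x80 else 0)
        b >>= 1
    return r

def gf_inv(a):
    """a^254 is the multiplicative inverse of a in GF(2^8)."""
    return reduce(lambda r, _: gf_mul(r, a), range(254), 1)

def mofn_split(key, m, n):
    """n fragments, any m recover the key (assumed scheme: Shamir, one polynomial per byte)."""
    frags = {x: bytearray() for x in range(1, n + 1)}
    for secret_byte in key:
        coeffs = [secret_byte] + [secrets.randbelow(256) for _ in range(m - 1)]
        for x, frag in frags.items():
            # Horner evaluation of the degree m-1 polynomial at x
            frag.append(reduce(lambda y, c: gf_mul(y, x) ^ c, reversed(coeffs), 0))
    return {x: bytes(f) for x, f in frags.items()}

def mofn_combine(frags):
    """Lagrange interpolation at x = 0 over the supplied fragments."""
    out = bytes(len(next(iter(frags.values()))))
    for xj, frag in frags.items():
        num = den = 1
        for xk in frags:
            if xk != xj:
                num, den = gf_mul(num, xk), gf_mul(den, xj ^ xk)
        w = gf_mul(num, gf_inv(den))
        out = xor_bytes(out, bytes(gf_mul(w, b) for b in frag))
    return out
```

With fewer than m fragments, or with one XOR component missing, the combine functions return an unrelated value instead of the key.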