For this step, you must log in with an identity that has a role with the Major Keys:Load permission. You can use the default Administrator role and Admin identities.
Major keys are the highest-level keys in an HSM environment. These symmetric keys, stored locally on the HSM, encrypt working keys and critical security parameters. Major keys encrypt all other keys beneath them (with the notable exception of Key Exchange Keys).
Commonly, HSMs within the same environment share major keys to enable synchronization and load balancing, though some settings might not require this.
Load the Futurex Token Key
The Futurex Token Key (FTK) wraps all keys stored on the HSM used with PKCS #11. If using multiple HSMs in a cluster, you can use the same FTK for syncing HSMs. An HSM must have an FTK before you can use it with PKCS #11.
Choose one of the following methods to load the FTK:
Excrypt Manager
1. Go to the KeyManagement menu, then select [ Load ] for the FTK in the Major Keys section.
   You can load keys that are XOR'd together, M-of-N fragments, or generated. If this is the first HSM in a cluster, we recommend you generate the key and save it to smart cards as M-of-N fragments.

FXCLI
1. Run the following majorkey FXCLI command to load an FTK into the HSM. You must generate a random FTK if this is the first HSM you are setting up. Optionally, you can also load an FTK onto smart cards simultaneously with the --fragments-required and --fragments-total flags, as shown in the following example:
   majorkey random --ftk --fragments-required [number_from_2_to_9] --fragments-total [number_from_2_to_9]
2. If you're setting up a second HSM in a cluster, load the FTK from smart cards by running the remaining commands in this procedure.
   This example recombines the fragments from only two smart cards. However, you can recombine fragments from up to nine smart cards.
3. Start the major key recombining process for the FTK.
   majorkey recombine --key ftk
4. Log in to the first smart card (enter the smart card PIN when prompted for a password).
   smartcard login
5. Continue to the next smart card.
   smartcard next
6. Log in to the second smart card (enter the smart card PIN when prompted for a password).
   smartcard login
7. Complete the fragment recombining process.
   smartcard next
If the key recreation process succeeded, you see a success message, along with the final key checksum, as shown in the following sample:
Load the Platform Master Key
The Platform Master Key (PMK) is the primary major key used in general-purpose environments or those using AES cryptographic algorithms. It wraps all users and subordinate keys on the server. The PMK is typically a 256-bit AES key that encrypts system parameters, including SMTP passwords and SFTP credentials. The key is the default for creating or importing keys or certificates and is the major key for asymmetric key generation.
Choose one of the following methods to load the PMK:

Excrypt Manager
1. Go to the KeyManagement menu, and select [ Load ] for the PMK in the Major Keys section.
   You can load keys that are XOR'd together, M-of-N fragments, or generated. If this is the first HSM in a cluster, we recommend you generate the key and save it to smart cards as M-of-N fragments.

FXCLI
1. Run the following majorkey FXCLI commands to load a PMK into the HSM. You must generate a random PMK if this is the first HSM you are setting up. Optionally, you can also load a PMK onto smart cards simultaneously with the --fragments-required and --fragments-total flags, as shown in the following example:
   majorkey random --pmk --fragments-required [number_from_2_to_9] --fragments-total [number_from_2_to_9]
2. If this is the second HSM you're setting up in a cluster, load the PMK from smart cards by running the remaining commands in this procedure.
   This example recombines fragments from only two smart cards, but you can recombine fragments from up to nine smart cards.
3. Start the major key recombining process for the PMK.
   majorkey recombine --key pmk
4. Log in to the first smart card (enter the smart card PIN when prompted for a password).
   smartcard login
5. Continue to the next smart card.
   smartcard next
6. Log in to the second smart card (enter the smart card PIN when prompted for a password).
   smartcard login
7. Complete the fragment recombining process.
   smartcard next
If the key recreation process succeeded, you see a success message, along with the final key checksum, as shown in the following sample:
Load the Backup Encryption Key
The HSM also supports loading a Backup Encryption Key (BEK) to back up the HSM configuration or HSM keys.
Choose one of the following methods to load the BEK:

Excrypt Manager
Unlike other major keys on the HSM, if you load the BEK through Excrypt Manager, you must do so from the Maintenance menu.
1. Go to the Maintenance menu, and select any available buttons for backing up keys or configuration.
2. When prompted to load the key, select [ Load Backup Key ].
   You can load keys that are XOR'd together, M-of-N fragments, or generated. If this is the first HSM in a cluster, we recommend you generate the key and save it to smart cards as M-of-N fragments.

FXCLI
1. Run the following majorkey FXCLI commands to load a BEK into the HSM. You must generate a random BEK if this is the first HSM you are setting up. Optionally, you can also load a BEK onto smart cards simultaneously with the --fragments-required and --fragments-total flags, as shown in the following example:
   majorkey random --bek --fragments-required [number_from_2_to_9] --fragments-total [number_from_2_to_9]
2. If this is the second HSM you're setting up in a cluster, load the BEK from smart cards by running the remaining commands in this procedure.
   This example recombines fragments from only two smart cards. However, you can recombine fragments from up to nine smart cards.
3. Start the major key recombining process for the BEK.
   majorkey recombine --key bek
4. Log in to the first smart card (enter the smart card PIN when prompted for a password).
   smartcard login
5. Continue to the next smart card.
   smartcard next
6. Log in to the second smart card (enter the smart card PIN when prompted for a password).
   smartcard login
7. Complete the fragment recombining process.
   smartcard next
If the key recreation process succeeded, you see a success message, along with the final key checksum, as shown in the following sample:
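The M-of-N smart-card fragments and XOR'd components that the three procedures above rely on, shown as an added Python illustration that is not Futurex code: Shamir secret sharing over a prime field stands in for the HSM's fragment scheme, and a SHA-256 prefix stands in for its key checksum, both assumptions because the page documents neither format.

```python
import hashlib
import secrets

# Mersenne prime 2^521 - 1: every 256-bit key is a valid field element below it.
P = (1 << 521) - 1

def split(key: bytes, required: int, total: int):
    """Shamir-split a key into `total` fragments; any `required` of them rebuild it."""
    if not 2 <= required <= total <= 9:
        raise ValueError("fragments-required/-total must be between 2 and 9")
    # Random polynomial of degree required-1 whose constant term is the key itself.
    coeffs = [int.from_bytes(key, "big")] + [secrets.randbelow(P) for _ in range(required - 1)]
    fragments = []
    for x in range(1, total + 1):          # fragment index stands for the smart card number
        y = 0
        for c in reversed(coeffs):         # Horner evaluation of the polynomial at x
            y = (y * x + c) % P
        fragments.append((x, y))
    return fragments

def recombine(fragments, key_len: int = 32) -> bytes:
    """Lagrange interpolation at x=0 over at least `required` fragments."""
    secret = 0
    for xj, yj in fragments:
        lj = 1
        for xm, _ in fragments:
            if xm != xj:
                lj = lj * xm * pow(xm - xj, -1, P) % P
        secret = (secret + yj * lj) % P
    return secret.to_bytes(key_len, "big")   # fewer than `required` fragments yields garbage here

def check_value(key: bytes) -> str:
    """Illustrative checksum (SHA-256 prefix); the HSM's own checksum algorithm is an assumption."""
    return hashlib.sha256(key).hexdigest()[:6].upper()

def xor_all(parts):
    """XOR byte strings together; serves both splitting into and recombining from components."""
    out = bytes(len(parts[0]))
    for p in parts:
        out = bytes(a ^ b for a, b in zip(out, p))
    return out

def xor_components(key: bytes, n: int):
    """n-of-n XOR components: every component is needed, so losing one loses the key."""
    parts = [secrets.token_bytes(len(key)) for _ in range(n - 1)]
    return parts + [xor_all([key] + parts)]

if __name__ == "__main__":
    key = secrets.token_bytes(32)                       # constructed 256-bit AES key
    frags = split(key, required=2, total=3)
    print(check_value(recombine(frags[1:])) == check_value(key))   # any two of three cards suffice
```

The same checksum comparison the HSM prints after `smartcard next` is what lets an operator confirm that the recombined fragments produced the key that was originally generated rather than a mis-entered one.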