Key sources
You can migrate key material to a or from the following sources:
- General Purpose HSMs
- Key Management servers
- Payment HSMs
- Software
This section covers general-purpose HSMs and key management servers, and migration from software sources. See the External Key Migration (Financial) administrative guide for details on migrating key material from a third-party Payment HSM to the Excrypt SSP Enterprise v.2 or Excrypt Plus.
Most, if not all, major third-party general-purpose HSMs and key management servers provide a method for exporting key material, which you can then migrate to another HSM or key management server, such as a . Refer to the documentation specific to each third-party HSM or key management server for details.
This section covers software sources, including key management software and data structures for storing keys in software.
The following list identifies some products in the key management software space:
- OpenSSL
- AWS Key Management Service
- Google Cloud Key Management
- Azure Key Vault
- Windows Certificate Stores
The following table describes the data structures you can use to store keys in software:

| Data structure | Description |
|---|---|
| PKCS #12 | PKCS #12 defines an archive file format for storing many cryptographic objects as a single file. You can use it to bundle a private key with its X.509 certificate or bundle all the members of a chain of trust. PKCS #12 is the successor to Microsoft PFX, but the terms PKCS #12 file and PFX file are sometimes used interchangeably. The whole bundle is protected by a passphrase, so the passphrase must be delivered to the importing system separately from the file. |
| PKCS #8 | PKCS #8 is a standard syntax for storing private key information. You can encrypt the PKCS #8 private key with a passphrase by using the PKCS #5 password-based encryption standards, which support multiple ciphers and key-derivation parameters. PKCS #8 private keys are typically exchanged in the PEM base64-encoded format; a clear key carries the header BEGIN PRIVATE KEY and a passphrase-protected one carries BEGIN ENCRYPTED PRIVATE KEY, which is a quick way to confirm that a file you are about to move is actually encrypted. |
| ECB | Electronic Code Book (ECB) is the simplest mode of operation for a block cipher, often used with symmetric key encryption to store one key encrypted under another (a key-encrypting key). It processes a series of sequentially listed message blocks, encrypting each block independently with the same key. The Data Encryption Standard (DES) became an official Federal Information Processing Standard (FIPS) in 1977. NIST defines five confidentiality modes for block ciphers (ECB, CBC, CFB, OFB and CTR); ECB is the simplest and weakest because repeating plaintext generates repeating ciphertext, and it provides no integrity protection for the stored key. DES itself is no longer an approved algorithm, so keys held in DES-encrypted ECB form are candidates for migration rather than for continued use. |