Key transport methods
This section covers options for transporting keys from an external source to an HSM, such as a . The process you choose depends on the following:
- The key source (that is, which HSM or key management server vendor you are transferring the keys from)
- The key type (symmetric versus asymmetric)
- The number of keys that you need to move
Typically, third-party HSMs and key management servers support exporting keys, including private keys, under a wrapping key (such as a key exchange key, or KEK), so the key never leaves the device in the clear. Sometimes you must first put the HSM or key management server into a special export mode. For details, refer to the documentation for the specific third-party HSM or key management server.
Exporting keys from software sources is often more straightforward than exporting from HSMs because you can transfer the keys in PKCS #12 format. As the Key sources section explains, PKCS #12 defines an archive file format for storing many cryptographic objects in a single file. Commonly, it bundles a private key with its X.509 certificate, or bundles all the certificates in a chain of trust. Keep in mind that a PKCS #12 file carries the private key protected only by its password, so treat the file and the clear key material you built it from as sensitive: move them over a protected channel and delete them once the import is complete.
You can use the following command to generate a PKCS #12 file by using OpenSSL if you have the clear private key and its corresponding certificate:
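The OpenSSL step described above, written out as an added example rather than code from the original page or from any HSM vendor. It assumes `openssl` is on the PATH; the key and certificate are throwaway material generated inside the script (constructed for the demonstration, not real key material), and the file names and password are hypothetical. The second function reads the bundle back and counts the private keys and certificates it holds, which is a quick sanity check before you hand the file to an import tool.

```shell
# Added example: build a password-protected PKCS #12 bundle from a clear private
# key and its X.509 certificate, then confirm what the bundle contains.
# Assumes openssl is installed; all file names and the password are placeholders.
set -eu

# build_p12 KEY_PEM CERT_PEM OUT_P12 PASSWORD
# Wrap the clear private key and its certificate into one PKCS #12 archive.
# The friendly name is what most import tools show when they list the bundle.
build_p12() {
  openssl pkcs12 -export \
    -inkey "$1" -in "$2" \
    -name "imported-key" \
    -out "$3" -passout "pass:$4"
}

# p12_summary P12_FILE PASSWORD
# Print "<keys> <certs>": how many private keys and certificates the archive
# carries. The PEM is kept in memory and never written back to disk.
p12_summary() {
  pem=$(openssl pkcs12 -in "$1" -passin "pass:$2" -nodes 2>/dev/null)
  keys=$(printf '%s\n' "$pem" | grep -c 'BEGIN PRIVATE KEY' || true)
  certs=$(printf '%s\n' "$pem" | grep -c 'BEGIN CERTIFICATE' || true)
  printf '%s %s\n' "$keys" "$certs"
}

# demo_bundle
# Generate a throwaway RSA key with a self-signed certificate (constructed test
# material), bundle them, report the bundle contents, and remove the clear key.
demo_bundle() {
  dir=$(mktemp -d)
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=demo-import-key" \
    -keyout "$dir/key.pem" -out "$dir/cert.pem" >/dev/null 2>&1
  build_p12 "$dir/key.pem" "$dir/cert.pem" "$dir/bundle.p12" "placeholder-password"
  result=$(p12_summary "$dir/bundle.p12" "placeholder-password")
  rm -rf "$dir"          # the clear key.pem is the sensitive artifact; wipe it
  printf '%s\n' "$result"
}
```

Run `demo_bundle` to see `1 1`: one private key and one certificate. For a real import, replace the generated files with your exported key and certificate (or the full chain, which `-in` accepts as concatenated PEM), and use `-certfile` if the chain lives in a separate file.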
You can use the following methods to import encrypted keys into a or :
- For asymmetric keys:
  - PKCS #12: Use the Futurex Command Line Interface (FXCLI)
  - PKCS #8: Use the RSTE Excrypt command
- For symmetric keys:
  - Use a Key Exchange Key (KEK)
You can use the following methods to import clear keys into the HSM only. The does not support clear key import.
| Method | Description |
|---|---|
| Full clear key import by using Excrypt Manager | If you have the full clear key value, import it into the by logging in under dual control through Excrypt Manager and then loading the key with either the Symmetric Key Loading Wizard or the Asymmetric Key Loading Wizard. |
| Component import by using either Excrypt Manager or FXCLI | You can also load clear keys as components. In this scenario, the clear key is split into several parts and each part is held by a different person, so no single holder knows the full key. The component holders log in to the under dual control (by using either Excrypt Manager or FXCLI) and each loads their own component. The HSM then XORs the components together and stores the resulting key. This option is more common in the financial space. |
| Converting to KEK for batch import | If you need to import many keys, logging in under dual control and loading every key individually is not feasible. In this situation, encrypt all the keys under a single KEK and then batch import them into the by using the TWKS Excrypt command. |