Key transport methods

this section covers options for transporting keys from an external source to a {{futurex}} hsm, such as a {{k3}} the process choice depends on the following elements the key source (that is, which hsm or key management server vendor you are transferring the keys from) the key type (symmetric versus asymmetric) the number of keys that you need to move exporting keys from non futurex hsms or key management servers typically, third party hsms and key management servers support exporting keys, including private keys, under a wrapping key (such as kek) sometimes, you must put the hsm or key management server in a special export mode for details, refer to the documentation specific to each third party hsm or key management server exporting keys from software sources exporting keys from software sources is often a more straightforward process than exporting from hsms because you can transfer keys in pkcs #12 format as the key sources section explains, pkcs #12 defines an archive file format for storing many cryptographic objects as a single file commonly, it bundles a private key with its x 509 certificate or bundles all the members of a chain of trust you can use the following command to generate a pkcs #12 file by using openssl if you have the clear private key and its corresponding certificate openssl pkcs12 export out bundle p12 inkey mykey pem in cert pem encrypted key import you can use the following methods to import encrypted keys into a {{vectera}} or {{k3}} for asymmetric keys pkcs #12 use futurex command line interface (fxcli) pkcs #8 use the rste excrypt command for symmetric keys use a key exchange key (kek) clear key import you can use the following methods to import clear keys into only the {{vectera}} hsm the {{k3}} does not support clear key import method description full clear key import by using excrypt manager if you have the full clear key value, import it into the {{vectera}} by logging in under dual control through excrypt manager and then loading the key by either the symmetric or asymmetric key loading wizard component import by using either excrypt manager or fxcli you can also load clear keys as components in this scenario, more than one person possesses clear key values from different parts of a key component holders must then log in to the {{vectera}} under dual control (by using either excrypt manager or fxcli) and load each key component then the key parts are xor'd together and stored on the hsm this option is more common in the financial space converting to kek for batch import if you need to import many keys, logging in under dual control and loading every individual key is not feasible in this situation, you can encrypt all the keys under a single kek and then batch import them into the {{vectera}} by using the twks excrypt command