Key management
External Key Migration
Futurex key storage methods
3min
you can store keys either externally or internally on the {{vectera}} the best method for your architecture depends on your license, chosen management method, and applicable compliance requirements hsm key storage you can also store keys with the hsm these keys, generated on the internal hsm and wrapped with a major key, reside on the hsm internal storage table in one of the 25,000 available key slots you can use these keys only with cryptographic operations on the internal hsm you must use this method of key storage if you're using the pkcs #11 library, which does not support external key escrow for this reason, people using the hsm in a general purpose environment favor this method note that this method is not available through the international api, but you can manage it through the excrypt and standard apis, as well as through excrypt manager and web portal interfaces tr 31 key blocks our hsms use tr 31 key blocks for external key escrow and key transport we recommend using tr 31 key blocks to manage keys instead of cryptograms key blocks safeguard against unauthorized substitution, replacement, or misuse of cryptographic keys by embedding information about a key within the key and data itself cryptograms do not provide this extra level of security a typical key block structure consists of a header, the data, and the key binding method the most common implementation of these key block structures is the tr 31 structure key management server (such as {{k3}} ) the {{k3}} enables a strong, centralized key management platform for you to manage the full key life cycle unlike other key management servers, the {{k3}} enables you to store larger volumes of keys, certificates, and other cryptographic objects in one place this central management of key blocks and information makes key referencing and retrieval far easier while also heightening data integrity external key escrow this method enables you to wrap keys in a major key to store them in another application this method is available through clientless apis the excrypt, standard, and international apis multiple wrapping methods are compatible with external key escrow, including cryptograms, tr 31 key blocks, akb, international key blocks, and {{futurex}} key blocks (now deprecated) if you currently use cryptograms or {{futurex}} key blocks, we recommend converting to tr 31 key blocks refer to the tr 31 key blocks section for more information