Key management
External Key Migration

Futurex key storage methods

4min

You can store keys either externally or internally on the Vectera Plus. The best method for your architecture depends on your license, desired management method, and applicable compliance requirements.

HSM key storage

You can also store keys with the HSM. These keys, generated on the internal HSM and wrapped with a major key, reside on the HSM internal storage table in one of the 25,000 available key slots. You can use these keys only with cryptographic operations on the internal HSM.

You must use this method of key storage if you're using the PKCS #11 library, which does not support external key escrow. For this reason, people using the HSM in a general-purpose environment favor this method. Note that this method is not available through the International API, but you can manage it through the Excrypt and Standard APIs, as well as through Excrypt Manager and Web Portal interfaces.

TR-31 key blocks

Our HSMs use TR-31 key blocks for external key escrow and key transport. We recommend using TR-31 key blocks to manage keys instead of cryptograms. Key blocks safeguard against unauthorized substitution, replacement, or misuse of cryptographic keys by embedding information about a key within the key and data itself. Cryptograms do not provide this extra level of security. A typical key block structure consists of a header, the data, and the key-binding method. The most common implementation of these key block structures is the TR-31 structure.

Key management server (such as KMES Series 3)

The KMES Series 3 enables a strong, centralized key management platform for you to manage the full key life cycle. Unlike other key management servers, the KMES Series 3 enables you to store larger volumes of keys, certificates, and other cryptographic objects in one place. This central management of key blocks and information makes key referencing and retrieval far easier while also heightening data integrity.

External key escrow

This method enables you to wrap keys in a major key so you can store them in another application. This method is available through clientless APIs: the Excrypt, Standard, and International APIs.

Multiple wrapping methods are compatible with external key escrow, including cryptograms, TR-31 key blocks, Atalla key blocks, International key blocks, and Futurex key blocks (now deprecated).

If you currently use cryptograms or Futurex key blocks, we recommend converting to TR-31 key blocks. Refer to the TR-31 Key Blocks section for more information.