Generic
Key Labeling
4min
we help you streamline and simplify traditional host application api requests between a key management server and an hsm for cryptographic processing legacy approach using the legacy approach, the host application communicates independently with the hsms and key management servers, sending out a single request to each device at a time first, this approach requests the key from the key management server, and then it provides that key to the hsm along with the cryptographic processing request in addition to requiring a more complex application development process, this results in slower transaction processing times and increases the computational burden on the host application improved approach with the new and improved approach presented in this guide, a {{guard}} works as a proxy between the host application and the {{k3}} and hsm this offloads essentially all of the computational burden to the {{guard}} , which is designed for high throughput and can seamlessly communicate with the {{k3}} and hsm, as shown in the following communication flow the host application sends a message to the guardian to pass to the hsm for processing instead of a cryptogram or key block, it sends a key label in the key tag of this message the guardian interrogates the message before forwarding it to the hsm and detects that the key tag has a key label the guardian then requests the encrypted key, held under the key label, from the {{k}} the {{k}} returns the encrypted key to the guardian the guardian replaces the key label with the returned encrypted key in the message and sends the message to the hsm for processing the hsm returns the required response to the guardian the guardian forwards the response to the host application overview of the setup process this section provides an overview of the setup process, and later sections explain the steps in detail this process assumes you have already connected a {{k3}} and an hsm with a {{guard}} by using key and certificate management and hardware security module encryption device groups, respectively refer to the appropriate user guide for instructions on how to set this up complete steps 1 3 on the guardian, and complete steps 4 5 on the {{k}} on the guardian, create a new user group with the required permissions add a new user to the user group created in the first step assign the correct key management group to the appropriate hsm group on the {{k}} , create a new key group in the key group from step 4, give the use permission to the user group created on the guardian in step 1 set up authentication between the host application and the guardian