When considering different key storage methods, keep the following factors in mind:

The following sections explore these considerations.

For general-purpose use cases, the primary method for storing keys is on the HSM. However, some HSM products divert from this norm by storing keys off the HSM (for example, nShields Security World). When keys are stored off the HSM, they are encrypted with a master key that is stored on the HSM.

Encrypted keys are generally in one of the following formats:

Key block formats other than TR-31 exist, such as the Atalla key block and the Thales key block, but they are more proprietary. The American Nation Standards Institute (ANSI) developed TR-31 key blocks, so this format has more widespread support.

A cryptogam is an encrypted blob of data. Aside from the encryption itself, no additional security mechanisms are baked in. Instead of using a cryptogram, we recommend using TR-31 key blocks to manage keys. The advantages of using TR-31 key blocks are explained further in the following section.

The ANSI X9.24-1-2017 specification describes TR-31 key blocks. The key block structure consists of the following parts (Header, Encrypted key data, and MAC).

Our HSMs use TR-31 key blocks for external key escrow and key transport. We recommend using TR-31 key blocks to manage keys instead of cryptograms because key blocks safeguard against unauthorized substitution, replacement, or misuse of cryptographic keys by embedding information about a key within the key and data itself. Cryptograms do not provide this extra level of security.