Key transport methods

This section covers options for transporting keys from an external source to a Futurex HSM or KMES Series 3 device. The process choice depends on the key source (that is, which HSM or Key Management Server vendor you are transferring the keys from), the key type (symmetric versus asymmetric), and the number of keys that you need to move.

Exporting keys from non-Futurex HSMs or key management servers

Typically, third-party HSMs and key management servers support exporting keys, including private keys, under a wrapping key (such as a KEK). In some cases, you must put the HSM or key management server in a special export mode. Refer to the documentation specific to each third-party HSM or key management server for details.

Exporting keys from software sources

Exporting keys from software sources is often a more straightforward process than exporting from HSMs because you can transfer keys in PKCS #12 format. As the Key sources section explained, PKCS #12 defines an archive file format for storing many cryptographic objects as a single file. Commonly, it bundles a private key with its X.509 certificate or bundles all the members of a chain of trust.

You can use the following command to generate a PKCS #12 file by using OpenSSL if you have the clear private key and its corresponding certificate:
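The following is an added example, not the vendor's own command: it checks that the clear private key matches the certificate, builds the PKCS #12 file with `openssl pkcs12 -export`, and reads the bundle back to confirm its contents. The file names, the friendly name `migrated-key`, and the `P12_PASS` variable are assumptions, and the key and certificate are throwaway values constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not the vendor's command). File names, the friendly name and
# the P12_PASS variable are assumptions; key and certificate are constructed.
set -e

# Succeeds only if the private key ($1) and certificate ($2) share a public key.
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Bundle key ($1) and certificate ($2) into the PKCS #12 file ($3).
# The passphrase comes from the environment so it never appears in argv.
make_p12() {
    key_matches_cert "$1" "$2" || { echo "key/certificate mismatch" >&2; return 1; }
    ( umask 077   # the bundle holds a private key: owner-only permissions
      openssl pkcs12 -export -inkey "$1" -in "$2" -name "migrated-key" \
          -out "$3" -passout env:P12_PASS )
}

# Read the bundle ($1) back and confirm its key belongs to the certificate ($2).
p12_holds_key_for() {
    k=$(openssl pkcs12 -in "$1" -nocerts -nodes -passin env:P12_PASS 2>/dev/null |
        openssl pkey -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Demonstration with a throwaway key pair and self-signed certificate.
work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT
export P12_PASS='constructed-demo-passphrase'
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=constructed-demo" \
    -keyout "$work/key.pem" -out "$work/cert.pem" 2>/dev/null
make_p12 "$work/key.pem" "$work/cert.pem" "$work/bundle.p12"
p12_holds_key_for "$work/bundle.p12" "$work/cert.pem" && echo "bundle verified"
```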

Encrypted key import

You can use the following methods to import encrypted keys into a Vectera Plus or KMES Series 3:

  • Asymmetric keys
    • PKCS #12 import by using Futurex Command Line Interface (FXCLI)
    • PKCS #8 by using the RSTE Excrypt Command
  • Symmetric keys
    • By using a Key Exchange Key (KEK)

Clear key import

You can use the following methods to import clear keys into only the Vectera Plus HSM. The KMES Series 3 does not support clear key import.

| Method | Description |
| --- | --- |
| Full clear key import by using Excrypt Manager | If you have the full clear key value, import it into the Vectera Plus by logging in under dual control through Excrypt Manager and then loading the key by either the Symmetric or Asymmetric Key Loading Wizard. |
| Component import by using either Excrypt Manager or FXCLI | You can also load clear keys as components. In this scenario, more than one person possesses clear key values from different parts of a key. Component holders must then log in to the Vectera Plus under dual control (by using either Excrypt Manager or FXCLI) and load each of the key components. Then the key parts are XOR'd together and stored on the HSM. This option is more common in the financial space. |
| Converting to KEK for batch import | Another common use case is if you need to import a large number of keys, making logging in under dual control and loading every individual key unfeasible. In this situation, you can encrypt all the keys under a single KEK and then batch import them into the Vectera Plus by using the TWKS Excrypt command. |