Key transport methods
This section covers options for transporting keys from an external source to a {{futurex}} HSM or {{k3}} device. The choice of process depends on the key source (that is, which HSM or key management server vendor you are transferring the keys from), the key type (symmetric versus asymmetric), and the number of keys that you need to move.

Exporting keys from non-{{futurex}} HSMs or key management servers

Typically, third-party HSMs and key management servers support exporting keys, including private keys, under a wrapping key (such as a KEK). Sometimes you must put the HSM or key management server in a special export mode. Refer to the documentation specific to each third-party HSM or key management server for details.

Exporting keys from software sources

Exporting keys from software sources is often more straightforward than exporting from HSMs because you can transfer keys in PKCS #12 format. As the Key sources section explained, PKCS #12 defines an archive file format for storing many cryptography objects as a single file. Commonly, it bundles a private key with its X.509 certificate, or bundles all the members of a chain of trust.

If you have the clear private key and its corresponding certificate, you can use the following OpenSSL command to generate a PKCS #12 file (OpenSSL prompts for an export password that protects the bundle):

    openssl pkcs12 -export -out bundle.p12 -inkey mykey.pem -in cert.pem

Encrypted key import

You can use the following methods to import encrypted keys into a {{vectera}} or {{k3}}:

Asymmetric keys
- PKCS #12 import by using the {{futurex}} command line interface (FXCLI)
- PKCS #8 import by using the RSTE Excrypt command

Symmetric keys
- Import under a key exchange key (KEK)

Clear key import

You can use the following methods to import clear keys, and only into the {{vectera}} HSM; the {{k3}} does not support clear key import.

Full clear key import by using Excrypt Manager
    If you have the full clear key value, import it into the {{vectera}} by logging in under dual control through Excrypt Manager and then loading the key with either the symmetric or the asymmetric key loading wizard.

Component import by using either Excrypt Manager or FXCLI
    You can also load clear keys as components. In this scenario, more than one person possesses a clear key value for a different part of a key. The component holders must each log in to the {{vectera}} under dual control (by using either Excrypt Manager or FXCLI) and load their key component. The key parts are then XOR'd together and the resulting key is stored on the HSM. This option is more common in the financial space.

Converting to KEK for batch import
    Another common use case is importing many keys, where logging in under dual control and loading every individual key is not feasible. In this situation, you can encrypt all the keys under a single KEK and then batch import them into the {{vectera}} by using the TWKS Excrypt command.
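The component import described above relies on the key parts XOR'ing back to the original key, and on each individual part revealing nothing about that key. The following Python script is an added example that models that arithmetic; it is not {{futurex}} code and does not talk to an HSM (the {{vectera}} performs the XOR internally after each holder loads a component). It assumes a constructed 16-byte sample key and the function names `split_key_into_components` and `combine_components`, which are this example's own.

```python
import secrets

# Constructed sample key for the demonstration; not a real key.
SAMPLE_KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f")


def _xor(a: bytes, b: bytes) -> bytes:
    """Bytewise XOR of two equal-length byte strings."""
    return bytes(x ^ y for x, y in zip(a, b))


def split_key_into_components(key: bytes, n: int) -> list[bytes]:
    """Split `key` into `n` components whose XOR equals `key`.

    The first n-1 components are drawn from a CSPRNG; the last one is
    key XOR (all earlier components). Because every component except the
    last is uniformly random and the last is masked by them, any n-1
    components together still carry no information about the key.
    """
    if n < 2:
        raise ValueError("a component scheme needs at least two holders")
    components = [secrets.token_bytes(len(key)) for _ in range(n - 1)]
    last = key
    for part in components:
        last = _xor(last, part)
    components.append(last)
    return components


def combine_components(components: list[bytes]) -> bytes:
    """XOR all components together, as the HSM does after dual-control loading.

    Refuses mismatched lengths: a holder who entered a truncated or
    padded component would otherwise silently produce the wrong key.
    """
    if not components:
        raise ValueError("no components supplied")
    length = len(components[0])
    if any(len(part) != length for part in components):
        raise ValueError("all components must have the same length")
    key = bytes(length)
    for part in components:
        key = _xor(key, part)
    return key


def demo() -> bool:
    """Split the sample key three ways, hand each part to a 'holder', recombine."""
    parts = split_key_into_components(SAMPLE_KEY, 3)
    for i, part in enumerate(parts, start=1):
        print(f"component {i} (holder {i} only): {part.hex()}")
    recovered = combine_components(parts)
    print(f"recombined key: {recovered.hex()}")
    # Two of three holders colluding still do not obtain the key.
    partial = combine_components(parts[:2])
    print(f"XOR of first two components only: {partial.hex()}")
    return recovered == SAMPLE_KEY and partial != SAMPLE_KEY


if __name__ == "__main__":
    demo()
```

Run it directly to see three fresh components and the recombined key; each run produces different components for the same key, which is the property that lets components be handled by separate holders.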