Encrypting a message with HSM Thales

Question

There is a task to encrypt a message with a key stored in HSM (LMK I suppose) to save the encrypted message in database. And decrypt later as well. The commands I find are M0/M2. As I could see both commands require my own key in addition.

I may generate own keys somehow (with HSM or by another way), but how the message be encrypted finally? With the both my and LMK key? Some other way? And should I store my own key somewhere also?

Is it a more direct way to encrypt message with internal HSM key?

Thank in advance, I am very new with HSM Thales.

Answer 1

Commands M0 and M2 on a Thales 9000 Payshield are Encrypt Data Block and Decrypt Data Block respectively.

To use these commands, you have to provide a key in the M0 command which will be used to encrypt the data.

The key you use must itself be encrypted under an LMK keypair, which is stored in the HSM and should not be accessible to you (except in a test environment where you will normally know the values of all the test LMK keypairs).

To get that data encryption key, generate a ZEK, using command A0. The A1 response to this will give you the key. The key you receive is encrypted under an LMK keypair. You can then use this key in an M0/M2 command to encrypt a given block of data. You will need to store the key you receive in the A1 command (it's likely just 16 or 32 hex chars) as it is not stored in the HSM.

Encryption/decryption of any of this data will always have to be performed via the HSM, because only the HSM has access to the LMK keypair required to decrypt your key and make it usable.