I'm reading PayShield docs and have stumbled upon a question regarding key management and LMK when importing keys: PayShield can store up to 20 LMKs. When performing commands (like A6 - Import a Key), how does the HSM know which LMK to use? As a parameter it only asks for a key type, but aren't key types the same for different LMKs (considering they're all variant)? Command import a key asks you to provide key already encrypted under ZMK, for example when transferring a key from one HSM to another. Is there a way to import plaintext unencrypted keys into an HSM? For example, I think of some random sequence and then try to import it into HSM. If not, can you somehow encrypt it under ZMK or must all such new keys be generated using appropriate HSM command?

You can identify a LMK in the command itself or by port. This is in the command or console reference manuals depending on the type of command. You can not import a clear key, you can form a key from a minimum of two clear components.

cryptographyhsm

karolyzz

Reputation: 510

Thales PayShield HSM key management

I'm reading PayShield docs and have stumbled upon a question regarding key management and LMK when importing keys:

PayShield can store up to 20 LMKs. When performing commands (like A6 - Import a Key), how does the HSM know which LMK to use? As a parameter it only asks for a key type, but aren't key types the same for different LMKs (considering they're all variant)?
Command import a key asks you to provide key already encrypted under ZMK, for example when transferring a key from one HSM to another. Is there a way to import plaintext unencrypted keys into an HSM? For example, I think of some random sequence and then try to import it into HSM. If not, can you somehow encrypt it under ZMK or must all such new keys be generated using appropriate HSM command?

Upvotes: 1

Answers (3)

Melinte Razvan

Reputation: 11

in the A6 command you have an optional filed delimited by "%" and after that you need to select the LMK ID.

Upvotes: 1

StockTrader

Reputation: 21

the LMK can be variant or keyblock and it is the only key that you can store on the payShield. You can store up to 20 LMKs depending from the license you own.

Console commands such IK (impor key) or FK (form key) are not really ''importing'' anything in the HSM storage area.

The your produce and display on the console (or form from components) a key encrypted under the LMK you specify in the commands.

You need to store them in your application database and to use these keys you need always to use your PayShield that holds the LMK and is able to make a use of them.

You can address a specific LMK key using host commands in two ways:

specifying the LMK id in the host command
using a specific tpc/udp port to talk with the host following this schema:
- port 1500 -> default LMK
- port 1501 -> LMK id 0
- port 1502 -> LMK id 1 and so on.

Upvotes: 1

zaph

Reputation: 112857

You can identify a LMK in the command itself or by port. This is in the command or console reference manuals depending on the type of command.
You can not import a clear key, you can form a key from a minimum of two clear components.

Upvotes: 3

Thales PayShield HSM key management

Answers (3)

Related Questions