Thales PayShield HSM key management










1















I'm reading PayShield docs and have stumbled upon a question regarding key management and LMK when importing keys:



  • PayShield can store up to 20 LMKs. When performing commands (like A6 - Import a Key), how does the HSM know which LMK to use? As a parameter it only asks for a key type, but aren't key types the same for different LMKs (considering they're all variant)?

  • Command import a key asks you to provide key already encrypted under ZMK, for example when transferring a key from one HSM to another. Is there a way to import plaintext unencrypted keys into an HSM? For example, I think of some random sequence and then try to import it into HSM. If not, can you somehow encrypt it under ZMK or must all such new keys be generated using appropriate HSM command?









share|improve this question






















  • Just wondering if this in a university class that has such an HSM?

    – zaph
    Nov 13 '18 at 17:27















1















I'm reading PayShield docs and have stumbled upon a question regarding key management and LMK when importing keys:



  • PayShield can store up to 20 LMKs. When performing commands (like A6 - Import a Key), how does the HSM know which LMK to use? As a parameter it only asks for a key type, but aren't key types the same for different LMKs (considering they're all variant)?

  • Command import a key asks you to provide key already encrypted under ZMK, for example when transferring a key from one HSM to another. Is there a way to import plaintext unencrypted keys into an HSM? For example, I think of some random sequence and then try to import it into HSM. If not, can you somehow encrypt it under ZMK or must all such new keys be generated using appropriate HSM command?









share|improve this question






















  • Just wondering if this in a university class that has such an HSM?

    – zaph
    Nov 13 '18 at 17:27













1












1








1








I'm reading PayShield docs and have stumbled upon a question regarding key management and LMK when importing keys:



  • PayShield can store up to 20 LMKs. When performing commands (like A6 - Import a Key), how does the HSM know which LMK to use? As a parameter it only asks for a key type, but aren't key types the same for different LMKs (considering they're all variant)?

  • Command import a key asks you to provide key already encrypted under ZMK, for example when transferring a key from one HSM to another. Is there a way to import plaintext unencrypted keys into an HSM? For example, I think of some random sequence and then try to import it into HSM. If not, can you somehow encrypt it under ZMK or must all such new keys be generated using appropriate HSM command?









share|improve this question














I'm reading PayShield docs and have stumbled upon a question regarding key management and LMK when importing keys:



  • PayShield can store up to 20 LMKs. When performing commands (like A6 - Import a Key), how does the HSM know which LMK to use? As a parameter it only asks for a key type, but aren't key types the same for different LMKs (considering they're all variant)?

  • Command import a key asks you to provide key already encrypted under ZMK, for example when transferring a key from one HSM to another. Is there a way to import plaintext unencrypted keys into an HSM? For example, I think of some random sequence and then try to import it into HSM. If not, can you somehow encrypt it under ZMK or must all such new keys be generated using appropriate HSM command?






cryptography hsm






share|improve this question













share|improve this question











share|improve this question




share|improve this question










asked Nov 13 '18 at 16:13









karolyzzkarolyzz

13115




13115












  • Just wondering if this in a university class that has such an HSM?

    – zaph
    Nov 13 '18 at 17:27

















  • Just wondering if this in a university class that has such an HSM?

    – zaph
    Nov 13 '18 at 17:27
















Just wondering if this in a university class that has such an HSM?

– zaph
Nov 13 '18 at 17:27





Just wondering if this in a university class that has such an HSM?

– zaph
Nov 13 '18 at 17:27












1 Answer
1






active

oldest

votes


















1














  1. You can identify a LMK in the command itself or by port. This is in the command or console reference manuals depending on the type of command.


  2. You can not import a clear key, you can form a key from a minimum of two clear components.






share|improve this answer























  • Full disclosure: I had help with this answer. 😁

    – zaph
    Nov 13 '18 at 21:33











  • Thanks. Adding to the answer: after reading the docs, apparently (2) only applies to the console commands. Host does not have this option, thus my original confusion.

    – karolyzz
    Nov 23 '18 at 11:32










Your Answer






StackExchange.ifUsing("editor", function ()
StackExchange.using("externalEditor", function ()
StackExchange.using("snippets", function ()
StackExchange.snippets.init();
);
);
, "code-snippets");

StackExchange.ready(function()
var channelOptions =
tags: "".split(" "),
id: "1"
;
initTagRenderer("".split(" "), "".split(" "), channelOptions);

StackExchange.using("externalEditor", function()
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled)
StackExchange.using("snippets", function()
createEditor();
);

else
createEditor();

);

function createEditor()
StackExchange.prepareEditor(
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: true,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: 10,
bindNavPrevention: true,
postfix: "",
imageUploader:
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
,
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
);



);













draft saved

draft discarded


















StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53285120%2fthales-payshield-hsm-key-management%23new-answer', 'question_page');

);

Post as a guest















Required, but never shown

























1 Answer
1






active

oldest

votes








1 Answer
1






active

oldest

votes









active

oldest

votes






active

oldest

votes









1














  1. You can identify a LMK in the command itself or by port. This is in the command or console reference manuals depending on the type of command.


  2. You can not import a clear key, you can form a key from a minimum of two clear components.






share|improve this answer























  • Full disclosure: I had help with this answer. 😁

    – zaph
    Nov 13 '18 at 21:33











  • Thanks. Adding to the answer: after reading the docs, apparently (2) only applies to the console commands. Host does not have this option, thus my original confusion.

    – karolyzz
    Nov 23 '18 at 11:32















1














  1. You can identify a LMK in the command itself or by port. This is in the command or console reference manuals depending on the type of command.


  2. You can not import a clear key, you can form a key from a minimum of two clear components.






share|improve this answer























  • Full disclosure: I had help with this answer. 😁

    – zaph
    Nov 13 '18 at 21:33











  • Thanks. Adding to the answer: after reading the docs, apparently (2) only applies to the console commands. Host does not have this option, thus my original confusion.

    – karolyzz
    Nov 23 '18 at 11:32













1












1








1







  1. You can identify a LMK in the command itself or by port. This is in the command or console reference manuals depending on the type of command.


  2. You can not import a clear key, you can form a key from a minimum of two clear components.






share|improve this answer













  1. You can identify a LMK in the command itself or by port. This is in the command or console reference manuals depending on the type of command.


  2. You can not import a clear key, you can form a key from a minimum of two clear components.







share|improve this answer












share|improve this answer



share|improve this answer










answered Nov 13 '18 at 17:20









zaphzaph

98k18151193




98k18151193












  • Full disclosure: I had help with this answer. 😁

    – zaph
    Nov 13 '18 at 21:33











  • Thanks. Adding to the answer: after reading the docs, apparently (2) only applies to the console commands. Host does not have this option, thus my original confusion.

    – karolyzz
    Nov 23 '18 at 11:32

















  • Full disclosure: I had help with this answer. 😁

    – zaph
    Nov 13 '18 at 21:33











  • Thanks. Adding to the answer: after reading the docs, apparently (2) only applies to the console commands. Host does not have this option, thus my original confusion.

    – karolyzz
    Nov 23 '18 at 11:32
















Full disclosure: I had help with this answer. 😁

– zaph
Nov 13 '18 at 21:33





Full disclosure: I had help with this answer. 😁

– zaph
Nov 13 '18 at 21:33













Thanks. Adding to the answer: after reading the docs, apparently (2) only applies to the console commands. Host does not have this option, thus my original confusion.

– karolyzz
Nov 23 '18 at 11:32





Thanks. Adding to the answer: after reading the docs, apparently (2) only applies to the console commands. Host does not have this option, thus my original confusion.

– karolyzz
Nov 23 '18 at 11:32

















draft saved

draft discarded
















































Thanks for contributing an answer to Stack Overflow!


  • Please be sure to answer the question. Provide details and share your research!

But avoid


  • Asking for help, clarification, or responding to other answers.

  • Making statements based on opinion; back them up with references or personal experience.

To learn more, see our tips on writing great answers.




draft saved


draft discarded














StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53285120%2fthales-payshield-hsm-key-management%23new-answer', 'question_page');

);

Post as a guest















Required, but never shown





















































Required, but never shown














Required, but never shown












Required, but never shown







Required, but never shown

































Required, but never shown














Required, but never shown












Required, but never shown







Required, but never shown







這個網誌中的熱門文章

How to read a connectionString WITH PROVIDER in .NET Core?

Node.js Script on GitHub Pages or Amazon S3

Museum of Modern and Contemporary Art of Trento and Rovereto