KEY Menu Functions

The KEY menu provides the following functions:

# Function Description
(60) Wrap Key

This option allows you to encrypt a key. You must provide the encryption mechanism type, the handle of the wrapping key (used to encrypt the key), and the handle of the key to be wrapped (the one that is going to be encrypted). Wrapping of private asymmetric keys requires that Partition Policy 0: "Allow private key wrapping" is turned on and that Policy 1: "Allow private key cloning" is off. This is a partition-level action since Luna HSM Firmware 7.1.0.

(61) Unwrap Key

This option allows you to import a wrapped (encrypted) key into the token. You are asked for the mechanism to be used for the unwrapping operation as well as what type of key is being unwrapped. Depending on the type of key being unwrapped, you are asked for some information about the key. Then you must provide a key handle of the token key to be used in the unwrapping (decryption) operation, and finally, give the name of the file containing the wrapped key. If the unwrapping key has an associated CKA_UNWRAP_TEMPLATE attribute, this affects the results of the operation. Note that if you are generating a key in ckdemo, the option to attach an unwrap template is disabled by default. You can enable this option in the OTHERS menu (see OTHERS Menu Functions).

(62) Generate Random Number

This option generates a specified amount of random data. You are asked how many bytes of random data to generate, then are presented with the random value.

(63) Derive Key

This option allows you to use a key derivation mechanism to derive a key on the token. There are several key derivation mechanisms to choose from, and you are presented with a menu of the choices. Depending on the key derivation mechanism, you are asked for some information about the key. If the base key used for generation includes a CKA_DERIVE_TEMPLATE attribute, the information you provide is added to the attributes in the derive template. If your information contradicts the attributes in the derive template, the derive operation fails. Note that if you are generating a key in ckdemo, the option to attach a derive template is disabled by default. You can enable this option in the OTHERS menu (see OTHERS Menu Functions).
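
The derive-template rule described above, modeled as an added example (not ckdemo or Luna SDK code). The attribute and return-code constants carry their standard PKCS#11 values; `attr_t`, `merge_template`, `derive_demo` and the sample template are hypothetical, and returning CKR_TEMPLATE_INCONSISTENT on a conflict is an assumption, since the page only states that the operation fails.

```c
#include <stdio.h>
#include <stddef.h>

/* Standard PKCS#11 constant values; everything else here is a hypothetical model. */
#define CKA_SENSITIVE             0x00000103UL
#define CKA_ENCRYPT               0x00000104UL
#define CKA_EXTRACTABLE           0x00000162UL
#define CKR_OK                    0x00000000UL
#define CKR_TEMPLATE_INCONSISTENT 0x000000D1UL /* assumed failure code */

typedef struct { unsigned long type; unsigned char value; } attr_t; /* boolean attrs only */

/* Combine the caller's attributes with the base key's derive template.
   Template attributes the caller omitted are added; a caller value that
   contradicts the template fails the whole operation.
   'out' must have room for nreq + ntmpl entries. */
unsigned long merge_template(const attr_t *req, size_t nreq,
                             const attr_t *tmpl, size_t ntmpl,
                             attr_t *out, size_t *nout)
{
    size_t i, j, n = 0;
    for (i = 0; i < nreq; i++) out[n++] = req[i];
    for (j = 0; j < ntmpl; j++) {
        int found = 0;
        for (i = 0; i < nreq; i++) {
            if (req[i].type != tmpl[j].type) continue;
            if (req[i].value != tmpl[j].value) return CKR_TEMPLATE_INCONSISTENT;
            found = 1;
        }
        if (!found) out[n++] = tmpl[j];
    }
    *nout = n;
    return CKR_OK;
}

/* Constructed sample: the template pins derived keys as sensitive and non-extractable. */
static const attr_t DERIVE_TMPL[] = { {CKA_SENSITIVE, 1}, {CKA_EXTRACTABLE, 0} };

unsigned long derive_demo(unsigned char want_extractable, attr_t *out, size_t *nout)
{
    attr_t req[] = { {CKA_ENCRYPT, 1}, {CKA_EXTRACTABLE, want_extractable} };
    return merge_template(req, 2, DERIVE_TMPL, 2, out, nout);
}

int main(void)
{
    attr_t out[4]; size_t n = 0;
    printf("extractable=0 -> 0x%lx\n", derive_demo(0, out, &n));
    printf("extractable=1 -> 0x%lx\n", derive_demo(1, out, &n));
    return 0;
}
```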

(64) PBE Key Generation

This option allows you to perform a "Password Based Encryption" key generation. This option is useful because it allows you to put the same key on multiple tokens without ever knowing the key value itself.

(65) Create Known Keys

This option attempts to load a known key onto the token. However, due to policy settings on most tokens, this option is not allowed. As an alternative, it is possible to encrypt a known key and then unwrap it onto the token. See the Unwrap Key sample code provided with the SDK distribution.

(66) Seed RNG

Provide a seed value to the HSM's Random Number Generator.

(67) EC User Defined Curves

Set the desired attributes and point to a file containing Elliptic Curve parameters for generating EC keys.

(69) Translate Key

This option allows you to re-encrypt an encrypted key using a different key and/or mechanism. You are asked for the mechanism and a key handle of the token key to be used in the unwrapping (decryption) operation and the mechanism and key handle of the token key to be used in the wrapping (encryption) operation. Finally, you give the name of the file containing the wrapped key and a file to contain the newly wrapped key.