
Export

Main menu option: 5 - Export

Exports keys and objects to a destination outside the HSM. An object can only be exported if its export attribute is enabled. The output normally goes to a file; for some object types a screen dump is also offered.

Warning

Additional, specialized export methods are available in the HSM Operation menu under the EFT and SPB options. See the EFT and SPB topics for more information.

The following types of objects can be exported via the console interface:

  1. Symmetric keys

  2. Asymmetric keys

  3. Other objects

The label (local) always refers to a file name on the user's workstation, and the label (hsm) refers to an object name in the HSM partition.

As long as the authenticated user has permission to read objects in other partition(s), the operation can be performed on them by giving the partition name and the object name in the form:

partition/object

Danger

Plain-text export methods should only be used in tightly controlled environments protected by other security measures, since the key material leaves the HSM completely exposed.

When operating in Restricted mode, the RSA KEK method is available for symmetric key export (3DES and AES), and the PKCS#8 method is available for asymmetric key export (RSA or ECC), with the AES-256 encryption key derived from a 16-character password.

Symmetric Keys

Symmetric keys can be exported using the following methods:

  1. Protected by a KEK (Key Encryption Key).

    If the KEK is an RSA key, the enveloping follows the PKCS#1 version 2.1 standard using the RSAES-OAEP encryption scheme: the exportable symmetric key leaves the HSM encrypted under the KEK's public key. The recipient must hold the corresponding private key and open the digital envelope according to the rules of that scheme, using the same OAEP parameters (hash and mask generation function) that the HSM used.

    Attention

    In KEK (Key Encryption Key) exports, the encryption key must not be weaker than the key being transported.

  2. In clear text.
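The RSA-KEK path and the "not weaker than the transported key" rule above, as an added example that is not Dinamo's code or a description of its file format: a POSIX shell script that encodes the strength rule with the NIST SP 800-57 comparable-strength table for RSA modulus sizes and opens an RSAES-OAEP envelope with OpenSSL from the recipient side. It assumes (the page does not say) that the export file is the raw RSAES-OAEP ciphertext of the key bytes and that OAEP was used with OpenSSL's default SHA-1/MGF1-SHA1 parameters; if the HSM used another hash, add matching `-pkeyopt rsa_oaep_md:` and `-pkeyopt rsa_mgf1_md:` options to the decrypt call. The recipient key pair and the 16-byte AES key are constructed inside the script so it runs offline.

```shell
#!/bin/sh
# Added example, not Dinamo's code: opening an RSA-KEK (RSAES-OAEP) symmetric key
# export with OpenSSL, plus a check for the "KEK not weaker than the transported
# key" rule. Assumptions (not from the page): the export file is the raw OAEP
# ciphertext of the key bytes, and OAEP uses OpenSSL's default SHA-1/MGF1-SHA1.
set -eu

# Comparable security strength (bits) of an RSA modulus, NIST SP 800-57 Part 1.
rsa_strength() {
  case "$1" in
    1024)  echo 80  ;;
    2048)  echo 112 ;;
    3072)  echo 128 ;;
    7680)  echo 192 ;;
    15360) echo 256 ;;
    *)     echo 0   ;;   # unknown size: treat as too weak
  esac
}

# kek_ok <rsa_modulus_bits> <transported_key_strength_bits>
# Succeeds only if the RSA KEK is at least as strong as the key it transports
# (use 112 for three-key 3DES, 128/192/256 for AES-128/192/256).
kek_ok() {
  [ "$(rsa_strength "$1")" -ge "$2" ]
}

# unwrap_key <recipient_private_key.pem> <envelope.bin> <key_out.bin>
# Recipient side: open the digital envelope with the private half of the KEK.
unwrap_key() {
  openssl pkeyutl -decrypt -inkey "$1" -in "$2" -out "$3" \
    -pkeyopt rsa_padding_mode:oaep
}

# End-to-end round trip over constructed material. Prints "same" on success.
demo() {
  dir=$(mktemp -d)
  # Recipient key pair; its public half is what would be loaded into the HSM as KEK.
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:3072 \
    -out "$dir/kek.pem" 2>/dev/null
  openssl pkey -in "$dir/kek.pem" -pubout -out "$dir/kek_pub.pem"
  # Constructed 16-byte AES-128 key standing in for the HSM-resident key.
  openssl rand 16 > "$dir/aes128.bin"
  # HSM side, simulated: RSAES-OAEP encrypt the key bytes to the KEK public key.
  openssl pkeyutl -encrypt -pubin -inkey "$dir/kek_pub.pem" -in "$dir/aes128.bin" \
    -out "$dir/aes128.env" -pkeyopt rsa_padding_mode:oaep
  kek_ok 3072 128                      # RSA-3072 (128 bits) may carry AES-128
  unwrap_key "$dir/kek.pem" "$dir/aes128.env" "$dir/aes128.out"
  if cmp -s "$dir/aes128.bin" "$dir/aes128.out"; then echo same; else echo different; fi
  rm -rf "$dir"
}
```

Source the file and call `demo`; it prints `same`. The strength table makes the rule concrete: an RSA-2048 KEK (112 bits) satisfies it for three-key 3DES (112 bits) but not for AES-128, and per the same table only RSA-15360 reaches AES-256, so in practice choose the largest KEK the recipient can handle and record the decision if the rule cannot be met literally.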

Asymmetric Keys

Asymmetric keys can be exported using the following methods:

  1. Protected by a KEK (Key Encryption Key).

    Attention

    In KEK (Key Encryption Key) exports, the encryption key must not be weaker than the key being transported.

  2. PKCS#1; the RSA public and/or private key is exported in clear text with DER encoding. A private key is written as the ASN.1 RSAPrivateKey type defined in PKCS#1 v1.5, section 7.2 (Private-key syntax); a public key is written as the RSAPublicKey type of section 7.1 (Public-key syntax).

    Private key:

    RSAPrivateKey ::= SEQUENCE {
        version         Version,
        modulus         INTEGER,  -- n
        publicExponent  INTEGER,  -- e
        privateExponent INTEGER,  -- d
        prime1          INTEGER,  -- p
        prime2          INTEGER,  -- q
        exponent1       INTEGER,  -- d mod (p-1)
        exponent2       INTEGER,  -- d mod (q-1)
        coefficient     INTEGER   -- (inverse of q) mod p
    }

    Public key:

    RSAPublicKey ::= SEQUENCE {
        modulus         INTEGER,  -- n
        publicExponent  INTEGER   -- e
    }

  3. PKCS#8; with this option the asymmetric private key (RSA or ECC/ECDSA) can be exported either in plain text (a PKCS#8 PrivateKeyInfo) or protected by a digital envelope (a PKCS#8 EncryptedPrivateKeyInfo). For details on the standards, see the RSA Laboratories Public-Key Cryptography Standards (PKCS) documents.

    In Restricted operating mode, exportable asymmetric keys can only be exported via the PKCS#8 standard with a digital envelope: an AES-256 key is derived from a password of exactly 16 (sixteen) characters, and the derivation follows the PKCS#5 version 2.0 standard. Note that the effective strength of that envelope is bounded by the entropy of the 16-character password, not by the 256-bit AES key length, so choose the password accordingly and convey it to the recipient separately from the exported file.

  4. PKCS#12; the certificate and its corresponding private key are exported together in a PKCS#12 transport bundle, either in the clear or encrypted under a key derived from a user-defined password. The files are usually given the extension .pfx or .p12.
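The PKCS#1 and PKCS#8 items above, together with the Restricted-mode password rule, as an added example that is not Dinamo's code: a POSIX shell script using OpenSSL that builds the two PKCS#1 DER structures shown above and a PKCS#5 v2.0 (PBES2 with PBKDF2 and AES-256-CBC) protected PKCS#8 file, then does what the recipient of such exports would do: checks the password is exactly 16 characters, verifies the PKCS#1 files parse as the expected SEQUENCE with 9 and 2 INTEGER fields, opens the PKCS#8 export with the password, and confirms the recovered private key is the exported one. It assumes (the page does not say) that the HSM's PKCS#8 output is a standard DER EncryptedPrivateKeyInfo and that its PKCS#1 outputs are DER; the key, file names and the password are constructed.

```shell
#!/bin/sh
# Added example, not Dinamo's code: what the PKCS#1 and password-protected PKCS#8
# exports look like to the recipient, and how to open and validate them with
# OpenSSL. Assumptions (not from the page): PKCS#1 exports are DER files, and the
# PKCS#8 export is a standard EncryptedPrivateKeyInfo (PKCS#5 v2.0 PBES2 with
# PBKDF2 and AES-256-CBC) in DER. Key material and the password are constructed.
set -eu

# Restricted mode accepts only a 16-character password; check it before use.
password_ok() {
  [ "${#1}" -eq 16 ]
}

# Type of the outermost DER element (a PKCS#1 key export must be a SEQUENCE).
der_top_type() {
  openssl asn1parse -inform DER -in "$1" | awk 'NR == 1 { print $NF }'
}

# Number of INTEGER fields in a PKCS#1 DER file: RSAPrivateKey carries 9
# (version, n, e, d, p, q, d mod (p-1), d mod (q-1), q^-1 mod p), RSAPublicKey 2.
pkcs1_integer_count() {
  openssl asn1parse -inform DER -in "$1" | grep -c 'INTEGER'
}

# open_pkcs8 <export.p8> <password> <out.pem>: decrypt the EncryptedPrivateKeyInfo.
open_pkcs8() {
  openssl pkcs8 -inform DER -in "$1" -passin "pass:$2" -out "$3"
}

# Round trip over constructed files. Prints "<priv ints> <pub ints> <type> <match>".
demo() {
  dir=$(mktemp -d)
  pw='correct-horse-16'                 # constructed; exactly 16 characters
  password_ok "$pw"
  # Constructed RSA key standing in for the exportable HSM key.
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$dir/key.pem" 2>/dev/null
  # PKCS#1 clear-text exports: RSAPrivateKey and RSAPublicKey, DER encoded.
  # (-traditional selects RSAPrivateKey on OpenSSL 3; older versions lack the
  # flag and emit that format by default, hence the fallback.)
  openssl rsa -in "$dir/key.pem" -outform DER -out "$dir/priv.pkcs1" -traditional 2>/dev/null \
    || openssl rsa -in "$dir/key.pem" -outform DER -out "$dir/priv.pkcs1" 2>/dev/null
  openssl rsa -in "$dir/key.pem" -RSAPublicKey_out -outform DER -out "$dir/pub.pkcs1" 2>/dev/null
  # PKCS#8 export protected by a PBES2 envelope: PBKDF2 -> AES-256-CBC.
  openssl pkcs8 -topk8 -in "$dir/key.pem" -v2 aes-256-cbc -passout "pass:$pw" \
    -outform DER -out "$dir/key.p8"
  open_pkcs8 "$dir/key.p8" "$pw" "$dir/recovered.pem"
  # The recovered key must be the exported key: compare RSA moduli.
  m1=$(openssl rsa -in "$dir/key.pem" -noout -modulus 2>/dev/null)
  m2=$(openssl rsa -in "$dir/recovered.pem" -noout -modulus 2>/dev/null)
  if [ "$m1" = "$m2" ]; then match=match; else match=mismatch; fi
  printf '%s %s %s %s\n' "$(pkcs1_integer_count "$dir/priv.pkcs1")" \
    "$(pkcs1_integer_count "$dir/pub.pkcs1")" "$(der_top_type "$dir/priv.pkcs1")" "$match"
  rm -rf "$dir"
}
```

Source the file and call `demo`; it prints `9 2 SEQUENCE match`. The salt, iteration count and PRF of the PBES2 envelope are carried in the EncryptedPrivateKeyInfo's AlgorithmIdentifier, so `openssl pkcs8` reads them from the file and only the password has to match; a wrong or mistyped password fails the decryption outright rather than yielding a garbled key.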

Certificates, Chains and Files

Certificates, PKCS#7 chains and files can be exported:

  1. Certificate: the object indicated must be an X.509 certificate;

  2. PKCS#7 standard certificate chains: the object indicated must be an X.509 certificate chain;

  3. File: objects that are opaque to the HSM and are treated only as a sequence of bytes.

Dinamo - Remote Management Console v. 4.7.12.3 2018 (c) Dinamo Networks

HSM 127.0.0.1 e - Engine 5.0.22.0 (DXP) - TCA0000000 - ID master

Keys/Objects - Export

 1 - Symmetric Keys
 2 - Asymmetric Keys
 3 - Certificate / PKCS#7 / File

 0 - Main Menu

Option:

Export asymmetric keys in PKCS#8 standard

Dinamo - Remote Management Console v. 4.7.12.3 2018 (c) Dinamo Networks

HSM 127.0.0.1 e - Engine 5.0.22.0 (DXP) - TCA0000000 - ID master

Keys/Objects - Export - Asymmetric Keys - PKCS#8

Asymmetric Key name (HSM) : myexpRSA
Password (16 characters or ENTER for clear text export): ****************
Confirm password: ****************
Output File (local): myexpRSA.pkcs8

File exported successfully.

Press ENTER key to continue...