Which Pkcs11 File Generates Private Key

admin

The presence of a seal 'pkcs11' block in Vault's configuration file. Vault Key Generation Attributes. If Vault generates the HSM key for you, the following is the list of attributes it uses. These identifiers correspond to official PKCS#11 identifiers. CKACLASS: CKOPRIVATEKEY (It's a private key) CKAKEYTYPE. C# (CSharp) Net.Pkcs11Interop.LowLevelAPI81 Pkcs11.CGenerateKeyPair - 2 examples found. These are the top rated real world C# (CSharp) examples of Net.Pkcs11Interop.LowLevelAPI81.Pkcs11.CGenerateKeyPair extracted from open source projects.

  1. Which Pkcs11 File Generates Private Key Search
  2. Which Pkcs11 File Generates Private Key Code
  3. Which Pkcs11 File Generates Private Key Number
layoutpage_titlesidebar_titledescription
PKCS11 - Seals - Configuration
The PKCS11 seal configures Vault to use an HSM with PKCS11 as the sealwrapping mechanism.

The PKCS11 seal configures Vault to use an HSM with PKCS11 as the seal wrappingmechanism. Vault Enterprise's HSM PKCS11 support is activated by one of thefollowing:

  • The presence of a seal 'pkcs11' block in Vault's configuration file
  • The presence of the environment variable VAULT_HSM_LIB set to the library'spath as well as VAULT_HSM_TYPE set to pkcs11. If enabling via environmentvariable, all other required values (i.e. VAULT_HSM_SLOT) must be alsosupplied.

IMPORTANT: Having Vault generate its own key is the easiest way to get upand running, but for security, Vault marks the key as non-exportable. If yourHSM key backup strategy requires the key to be exportable, you should generatethe key yourself. The list of creation attributes that Vault uses to generatethe key are listed at the end of this document.

Requirements

The following software packages are required for Vault Enterprise HSM:

  • PKCS#11 compatible HSM integration library. Vault targets version 2.2 orhigher of PKCS#11. Depending on any given HSM, some functions (such as keygeneration) may have to be performed manually.
  • The GNU libltdllibrary— ensure that it is installed for the correct architecture of your servers

pkcs11 Example

This example shows configuring HSM PKCS11 seal through the Vault configurationfile by providing all the required values:

pkcs11 Parameters

These parameters apply to the seal stanza in the Vault configuration file: Office 2013 professional product key generator.

  • lib(string: <required>): The path to the PKCS#11 library shared objectfile. May also be specified by the VAULT_HSM_LIB environment variable.Note: Depending on your HSM, this may be either a binary or a dynamiclibrary, and its use may require other libraries depending on which system theVault binary is currently running on (e.g.: a Linux system may require otherlibraries to interpret Windows .dll files).

  • slot(string: <slot or token label required>): The slot number to use,specified as a string (e.g. '0'). May also be specified by the VAULT_HSM_SLOTenvironment variable.

  • token_label(string: <slot or token label required>): The slot token label touse. May also be specified by the VAULT_HSM_TOKEN_LABEL environment variable.

  • pin(string: <required>): The PIN for login. May also be specified by theVAULT_HSM_PIN environment variable. If set via the environment variable,Vault will obfuscate the environment variable after reading it, and it willneed to be re-set if Vault is restarted.

  • key_label(string: <required>): The label of the key to use. If the keydoes not exist and generation is enabled, this is the label that will be givento the generated key. May also be specified by the VAULT_HSM_KEY_LABELenvironment variable.

  • default_key_label(string: '): This is the default key label for decryptionoperations. Prior to 0.10.1, key labels were not stored with the ciphertext.Seal entries now track the label used in encryption operations. The default valuefor this field is the key_label. If key_label is rotated and this value is notset, decryption may fail. May also be specified by the VAULT_HSM_DEFAULT_KEY_LABELenvironment variable. This value is ignored in new installations.

  • hmac_key_label(string: <required>): The label of the key to use forHMACing. This needs to be a suitable type. If Vault tries to create this itwill attempt to use CKK_GENERIC_SECRET_KEY. If the key does not exist andgeneration is enabled, this is the label that will be given to the generatedkey. May also be specified by the VAULT_HSM_HMAC_KEY_LABEL environmentvariable.

  • default_hmac_key_label(string: '): This is the default HMAC key label for signingoperations. Prior to 0.10.1, HMAC key labels were not stored with the signature.Seal entries now track the label used in signing operations. The default valuefor this field is the hmac_key_label. If hmac_key_label is rotated and thisvalue is not set, signature verification may fail. May also be specified by theVAULT_HSM_HMAC_DEFAULT_KEY_LABEL environment variable. This value is ignored innew installations.

  • mechanism(string: <best available>): The encryption/decryption mechanism to use,specified as a decimal or hexadecimal (prefixed by 0x) string. May also bespecified by the VAULT_HSM_MECHANISM environment variable.
    Currently supported mechanisms (in order of precedence):

    • 0x1085CKM_AES_CBC_PAD (HMAC mechanism required)
    • 0x1082CKM_AES_CBC (HMAC mechanism required)
    • 0x1087CKM_AES_GCM
    • 0x0009CKM_RSA_PKCS_OAEP
    • 0x0001CKM_RSA_PKCS

  • hmac_mechanism(string: '0x0251'): The encryption/decryption mechanism touse, specified as a decimal or hexadecimal (prefixed by 0x) string.Currently only 0x0251 (corresponding to CKM_SHA256_HMAC from thespecification) is supported. May also be specified by theVAULT_HSM_HMAC_MECHANISM environment variable. This value is only requiredfor specific mechanisms.

  • generate_key(string: 'false'): If no existing key with the labelspecified by key_label can be found at Vault initialization time, instructsVault to generate a key. This is a boolean expressed as a string (e.g.'true'). May also be specified by the VAULT_HSM_GENERATE_KEY environmentvariable. Vault may not be able to successfully generate keys in allcircumstances, such as if proprietary vendor extensions are required tocreate keys of a suitable type.

Mechanism Specific Flags

  • rsa_encrypt_local(string: 'false'): For HSMs that do not support encryptionfor RSA keys, perform encryption locally. Available for mechanismsCKM_RSA_PKCS_OAEP and CKM_RSA_PKCS. May also be specified by theVAULT_HSM_RSA_ENCRYPT_LOCAL environment variable.

  • rsa_oaep_hash(string: 'sha256'): Specify the hash algorithm to use for RSAwith OAEP padding. Valid values are sha1, sha224, sha256, sha384, and sha512.Available for mechanism CKM_RSA_PKCS_OAEP. May also be specified by theVAULT_HSM_RSA_OAEP_HASH environment variable.

~> Note: Although the configuration file allows you to pass inVAULT_HSM_PIN as part of the seal's parameters, it is strongly recommendedto set this value via environment variables.

pkcs11 Environment Variables

Alternatively, the HSM seal can be activated by providing the followingenvironment variables:

Vault Key Generation Attributes

If Vault generates the HSM key for you, the following is the list of attributesit uses. These identifiers correspond to official PKCS#11 identifiers.

AES Key

  • CKA_CLASS: CKO_SECRET_KEY (It's a secret key)
  • CKA_KEY_TYPE: CKK_AES (Key type is AES)
  • CKA_VALUE_LEN: 32 (Key size is 256 bits)
  • CKA_LABEL: Set to the key label set in Vault's configuration
  • CKA_ID: Set to a random 32-bit unsigned integer
  • CKA_PRIVATE: true (Key is private to this slot/token)
  • CKA_TOKEN: true (Key persists to the slot/token rather than being for onesession only)
  • CKA_SENSITIVE: true (Key is a sensitive value)
  • CKA_ENCRYPT: true (Key can be used for encryption)
  • CKA_DECRYPT: true (Key can be used for decryption)
  • CKA_WRAP: true (Key can be used for wrapping)
  • CKA_UNWRAP: true (Key can be used for unwrapping)
  • CKA_EXTRACTABLE: false (Key cannot be exported)
Which Pkcs11 File Generates Private Key

RSA Key

Public Key

  • CKA_CLASS: CKO_PUBLIC_KEY (It's a public key)
  • CKA_KEY_TYPE: CKK_RSA (Key type is RSA)
  • CKA_LABEL: Set to the key label set in Vault's configuration
  • CKA_ID: Set to a random 32-bit unsigned integer
  • CKA_ENCRYPT: true (Key can be used for encryption)
  • CKA_WRAP: true (Key can be used for wrapping)
  • CKA_MODULUS_BITS: 2048 (Key size is 2048 bits)
  • CKA_PUBLIC_EXPONENT: 0x10001 (Public exponent of 65537)
  • CKA_TOKEN: true (Key persists to the slot/token rather than being for onesession only)

Private Key

  • CKA_CLASS: CKO_PRIVATE_KEY (It's a private key)
  • CKA_KEY_TYPE: CKK_RSA (Key type is RSA)
  • CKA_LABEL: Set to the key label set in Vault's configuration
  • CKA_ID: Set to a random 32-bit unsigned integer
  • CKA_DECRYPT: true (Key can be used for decryption)
  • CKA_UNWRAP: true (Key can be used for unwrapping)
  • CKA_TOKEN: true (Key persists to the slot/token rather than being for onesession only)
  • CKA_EXTRACTABLE: false (Key cannot be exported)

HMAC Key

  • CKA_CLASS: CKO_SECRET_KEY (It's a secret key)
  • CKA_KEY_TYPE: CKK_GENERIC_SECRET_KEY (Key type is a generic secret key)
  • CKA_VALUE_LEN: 32 (Key size is 256 bits)
  • CKA_LABEL: Set to the HMAC key label set in Vault's configuration
  • CKA_ID: Set to a random 32-bit unsigned integer
  • CKA_PRIVATE: true (Key is private to this slot/token)
  • CKA_TOKEN: true (Key persists to the slot/token rather than being for onesession only)
  • CKA_SENSITIVE: true (Key is a sensitive value)
  • CKA_SIGN: true (Key can be used for signing)
  • CKA_VERIFY: true (Key can be used for verifying)
  • CKA_EXTRACTABLE: false (Key cannot be exported)

Key Rotation

This seal supports rotating keys by using different key labels to track key versions. To rotatethe key value, generate a new key in a different key label in the HSM and update Vault'sconfiguration with the new key label value. Restart your vault instance to pick up the new keylabel and all new encryption operations will use the updated key label. Old keys must not be disabledor deleted and are used to decrypt older data.

Which Pkcs11 File Generates Private Key Code

NOTE: Prior to version 0.10.1, key information was not tracked with the ciphertext. Ifrotation is desired for data that was seal wrapped prior to this version must also setdefault_key_label and hmac_default_key_label to allow for decryption of older values.

Which

Learn

Which Pkcs11 File Generates Private Key Number

Command to generate public key in unix. Refer to the HSM Integration - Seal Wrapguide for a step-by-step tutorial.