Key Management Tool versions


Key Management Tool 5

Authentication Suite Server SDK for Entrust nShield HSM 4.0.1.1 and later includes the Key Management Tool 5 (manager-xc.exe on Windows versions and manager-xc on Unix versions).

  • It supports nShield Connect XC, nShield Solo XC, nShield 5c, and nShield 5s.

  • The menu structure has been completely revamped. Furthermore, if a FIPS 140-2 Level 3 security world is detected, only compatible functions are available.

  • FIPS 140-2 Level 3 functions only support AES for storage keys, transport keys, and key encrypting keys (KEKs).

  • KEKs are now correctly identified by their specific usage, that is, Import-KEK or Export-KEK, respectively.

  • Wrapped keys are now only wrapped using mechanisms that are compatible with FIPS 140-2 Level 3. This means that the length of the resulting wrapped value is longer than in previous versions.

  • FIPS 140-2 Level 3 specific functions can now also work in non-FIPS security world environments and must be used to exchange wrapped keys or KEKs between a non-FIPS and a FIPS security world. However, if the Key Management Tool is used in an existing non-FIPS security world, it will indicate existing KEKs as Old-KEK. These KEKs cannot be used to export wrapped keys to a FIPS 140-2 Level 3 security world.

Updated file structure

To be consistent with the way security worlds are managed, the logical file structure has been changed, so everything bound to a specific security world should now be located in the /kmdata/local/ directory. All key files (*.txt) and the user data file (userdata.sar) are now expected to be located in the directory referenced by the NFAST_KMLOCAL environment variable. If this variable does not exist, the tool will search for the NFAST_KMDATA environment variable and then use the local subdirectory (usually kmdata/local/). For existing deployments, move all your existing user data and key files to the local subdirectory of NFAST_KMDATA before using the Key Management Tool 5.
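The lookup order and the one-time move described above can be scripted as follows. This is an added example, not code shipped with the SDK: the function names and the `OLD_DIR` argument (wherever your deployment previously kept these files) are assumptions, and an empty variable is treated the same as a missing one.

```shell
#!/bin/sh
# Added example, not vendor code. Prints the directory Key Management Tool 5
# reads key files (*.txt) and userdata.sar from, per the order on this page:
# NFAST_KMLOCAL first, otherwise the "local" subdirectory of NFAST_KMDATA.
resolve_kmlocal() {
    if [ -n "${NFAST_KMLOCAL:-}" ]; then
        printf '%s\n' "$NFAST_KMLOCAL"
    elif [ -n "${NFAST_KMDATA:-}" ]; then
        printf '%s\n' "${NFAST_KMDATA%/}/local"
    else
        echo "neither NFAST_KMLOCAL nor NFAST_KMDATA is set" >&2
        return 1
    fi
}

# migrate_km_files OLD_DIR [apply]
# OLD_DIR is an assumption: the directory that held the files before the move.
# Without "apply" the function only reports what it would move.
# Returns 0 on success, 1 on error, 2 if any file was skipped.
migrate_km_files() {
    src=$1
    mode=${2:-dry-run}
    dest=$(resolve_kmlocal) || return 1
    [ -d "$dest" ] || { echo "target $dest does not exist" >&2; return 1; }
    rc=0
    for f in "$src"/*.txt "$src"/userdata.sar; do
        [ -f "$f" ] || continue          # unmatched glob or absent file
        name=${f##*/}
        if [ -e "$dest/$name" ]; then    # never overwrite existing key material
            echo "SKIP $name: already present in $dest" >&2
            rc=2
            continue
        fi
        if [ "$mode" = apply ]; then
            mv -- "$f" "$dest/$name" || rc=1
        else
            echo "would move $f -> $dest/$name"
        fi
    done
    return $rc
}
```

Run it first without `apply` and review the list, since `*.txt` also matches any unrelated text files that happen to sit in `OLD_DIR`.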

Key Management Tool 4 (Windows 64-bit and Linux 64-bit versions only)

Authentication Suite Server SDK for Entrust nShield HSM 3.18.1 and later includes the Key Management Tool 4 (manager-xc.exe on Windows versions and manager-xc on Unix versions).

  • It supports Entrust nShield software/hardserver from version 12.40.

  • It supports Entrust nShield HSMs based on the new PowerPCELF architecture (Entrust nShield XC).

Note that the Key Management Tool 4.x is only provided with the Windows 64-bit and Linux 64-bit versions of Authentication Suite Server SDK for Entrust nShield HSM.

Key Management Tool 4.x should also support Entrust nShield software/hardserver from version 12.10.

To have Entrust nShield XC support, the Entrust nShield software must be version 12.20.51 or 12.40 and later.