This topic outlines the protection mechanisms for DPX files and authenticator application BLOBs. Additionally, it describes the cryptographic keys that are involved.
Protection of DPX files (transmission)
OneSpan offers two methods to protect a DIGIPASS export (DPX) file during transmission from OneSpan to the customer.
Standard DPX file encryption
With standard DPX file encryption, the DPX file is encrypted with a cryptographic key that resides in the software. This cryptographic key is called the software-level DPX transport key.
Double DPX file encryption
With double DPX file encryption, a DPX file is encrypted twice:
Hardware-based. The DPX file is encrypted with a cryptographic key that resides in the HSM. This cryptographic key is called the HSM-level DPX transport key.
Software-based. The DPX file is encrypted with a cryptographic key that resides in the software. This cryptographic key is called the software-level DPX transport key.
Protection of authenticator application BLOBs and payload key BLOBs (storage)
When a DPX file is imported into a database using Authentication Suite Server SDK for Entrust nShield HSM, the resulting authenticator application BLOBs (and payload key BLOBs, if any) are encrypted twice after HSM migration:
The confidentiality and integrity of the sensitive authenticator application BLOB data, such as Digipass keys and other secrets (and of the sensitive payload key BLOB data, if any), are protected by encrypting and electronically signing them using the HSM-level BLOB storage key. This key resides in the customer's HSM.
The confidentiality and integrity of the entire authenticator application BLOBs/payload key BLOBs are protected by encrypting and electronically signing the BLOB using the software-level BLOB storage key.
This approach ensures that sensitive data fields are encrypted with a key that is securely stored. On the other hand, maintenance operations that involve less sensitive data fields, such as resynchronizing a Digipass authenticator with Authentication Suite Server SDK, can still be performed very efficiently because the HSM is not involved.
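The two-layer BLOB protection described above, as an added illustration in Python (not OneSpan's code): an inner layer sealed under the HSM-level key covers only the sensitive fields, an outer layer sealed under the software-level key covers the whole BLOB, and a resynchronization touches only the outer layer. The HMAC-SHA256-based cipher and tags are stand-ins for the product's real 3DES/AES encryption and electronic signing, and the keys, serial and counter values are constructed.

```python
import hmac, hashlib, json, os

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    # HMAC-SHA256 in counter mode: a stand-in for the real 3DES/AES cipher.
    out = b""
    for ctr in range((n + 31) // 32):
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:n]

def seal(key: bytes, plaintext: bytes) -> bytes:
    # Encrypt-then-MAC; layout is nonce || ciphertext || tag. The tag stands in
    # for the electronic signature that protects integrity.
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def open_sealed(key: bytes, sealed: bytes) -> bytes:
    nonce, ct, tag = sealed[:16], sealed[16:-32], sealed[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("BLOB integrity check failed")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))

def store_blob(hsm_key: bytes, sw_key: bytes, secrets: dict, fields: dict) -> bytes:
    # Inner layer: Digipass keys and other secrets under the HSM-level BLOB storage key.
    inner = seal(hsm_key, json.dumps(secrets).encode())
    # Outer layer: the entire BLOB under the software-level BLOB storage key.
    outer = {"secrets": inner.hex(), "fields": fields}
    return seal(sw_key, json.dumps(outer).encode())

def resync_counter(sw_key: bytes, blob: bytes, new_counter: int) -> bytes:
    # Maintenance on a less sensitive field needs only the software-level key;
    # the HSM-sealed inner part is carried through untouched, so no HSM call.
    outer = json.loads(open_sealed(sw_key, blob))
    outer["fields"]["counter"] = new_counter
    return seal(sw_key, json.dumps(outer).encode())

def read_fields(sw_key: bytes, blob: bytes) -> dict:
    return json.loads(open_sealed(sw_key, blob))["fields"]

def read_secrets(hsm_key: bytes, sw_key: bytes, blob: bytes) -> dict:
    # Reaching the secrets requires both layers, i.e. the HSM-level key as well.
    outer = json.loads(open_sealed(sw_key, blob))
    return json.loads(open_sealed(hsm_key, bytes.fromhex(outer["secrets"])))
```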
The HSM-level BLOB storage key can be of either type 3DES or AES. For more information, refer to HSM-level BLOB storage key. If an HSM-level BLOB storage key of type 3DES is used with the Authentication Suite Server SDK for Entrust nShield HSM, the resulting authenticator application BLOBs (and payload key BLOBs, if any) are hardware-encrypted only.