OneSpan procedure


Once the HSM-level DPX transport key (wrapped by the KEK) and the KEK components from the key custodians arrive, OneSpan proceeds with a key import ceremony. The OneSpan key management procedure, which does not require any customer activity, involves the following tasks:

Customers may use this procedure to restore the HSM-level DPX transport key in their own HSM (for example, after failure).

Task 1: Import the customer’s KEK from custodian components

To import the customer’s KEK (Thales ProtectServer)

  1. In the Key Management Utility window, from the menu, select Options > Create > Enter Key from Components.

  2. Select the Mechanism (Double DES, Triple DES, AES with key size 128 bits or AES with key size 256 bits) that matches the KEK the customer generated.

    Figure: Import the customer’s KEK (1)

With these settings, the KEK cannot be backed up. To allow backup, set the Exportable option to TRUE. Leave it FALSE unless a backup is required: an exportable key can be wrapped out of the HSM, and the KEK protects the transport key.

  3. Specify the number of components to enter.

    Figure: Import the customer’s KEK (2)

  4. Enter the KEK components.

    Figure: Import the customer’s KEK (3)

    Figure: Import the customer’s KEK (4)

To import the customer’s KEK (Thales Luna)

  1. Sign in to the respective HSM slot.

  2. Open a command-line prompt.

  3. Use the following command to import a key with multiple key custodians:

    import -keytype=aes -keysize=16 -label=kek_customer_id -clearcomponents=custodians_number

    Replace the following:

    • kek_customer_id. The label under which the customer’s KEK is stored, for example one that includes the customer ID.

    • custodians_number. The number of key custodians.

    You are prompted for each component, and the KCV of each component is displayed so that its custodian can confirm it was entered correctly.

    Take a note of the handle number for the newly imported KEK.

Task 2: Import the HSM-level DPX transport key wrapped by the KEK

To import the HSM-level DPX transport key (Thales ProtectServer)

  1. In the Key Management Utility window, from the menu, select Options > Import Key(s).

  2. Select the Import encrypted parts and Single Part options.

    Figure: Import the HSM-level DPX transport key (1)

    Figure: Import the HSM-level DPX transport key (2)

  3. Select the Mechanism (Double DES, Triple DES, AES with key size 128 bits or AES with key size 256 bits) that was agreed with the customer.

With these settings, the HSM-level DPX transport key cannot be backed up or exported. To allow backup, set the Exportable option to TRUE. Leave it FALSE unless a backup is required, because an exportable key can be wrapped out of the HSM.

  4. Enter the wrapped transport key value.

    Figure: Import the HSM-level DPX transport key (3)

  5. Check that the displayed KCV matches the expected KCV for the transport key. If it does not, the KEK or the wrapped value is wrong; do not use the key.

    Figure: Import the HSM-level DPX transport key (4)

OneSpan is now able to use this HSM-level DPX transport key to double-encrypt the DPX file(s) for the customer.

To import the HSM-level DPX transport key (Thales Luna)

  1. Sign in to the respective HSM slot.

  2. Open a command-line prompt.

  3. Use the following command to import the transport key:

    import -key=kek_handle -keyclass=secret -keytype=aes -keysize=24 -private=1 -sensitive=1 -extractable=1 -encrypt=1 -decrypt=1 -sign=1 -verify=1 -derive=1 -wrap=1 -unwrap=1 -modifiable=1 -algo=aes_kwp -inputfile=path -format=format -label=transport_key_label

    Replace the following:

    • kek_handle. The handle number of the KEK imported in Task 1.

    • path. The path of the file containing the wrapped transport key. This can be a full path (c:\file.txt) or a path relative to the current directory (file.txt).

    • format. Supported values for private or secret key are the following: bin, txt, or text.

    • transport_key_label. A unique label to identify the transport key, for example, OneSpanTransportKey_CustomerXY.

    Take a note of the handle number for the newly imported transport key. Note that -extractable=1 (the PKCS#11 CKA_EXTRACTABLE attribute) allows the key to be wrapped out of the HSM again, the equivalent of the ProtectServer Exportable option; use -extractable=0 if the transport key must never be backed up.

  4. Use the following command to see the attributes of the imported transport key and verify its KCV:

    getattribute -handle=transport_key_handle

    Replace transport_key_handle with the handle number returned by the previous import command, and check that the displayed KCV matches the expected KCV for the transport key.
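As an added illustration that is not OneSpan’s or Thales’s code, the following Python script models what the HSM does in both tasks: it combines the custodians’ XOR components into the KEK and checks each component’s KCV (Task 1), then unwraps the transport key with AES key wrap with padding (the aes_kwp algorithm named in the Luna command) and checks the transport key’s KCV (Task 2). The sample KEK, transport key and components are constructed; the XOR component scheme and the KCV convention (AES-ECB encryption of one all-zero block, first 3 bytes) are assumptions to be checked against what your tool displays. It needs the cryptography package.

```python
"""Offline model of the KEK component import and the wrapped transport-key import.

Added example, not OneSpan or Thales code. Assumptions: components combine by XOR;
KCV = first 3 bytes of AES-ECB(key, sixteen zero bytes); the wrapped key file holds
raw AES-KWP (RFC 5649) output, matching -algo=aes_kwp in the Luna import command.
Requires the 'cryptography' package.
"""
import secrets
from typing import List, Optional

from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
from cryptography.hazmat.primitives.keywrap import (
    InvalidUnwrap,
    aes_key_unwrap_with_padding,
    aes_key_wrap_with_padding,
)


def kcv(key: bytes, length: int = 3) -> str:
    """Key check value: AES-ECB encrypt one all-zero block, keep `length` bytes as hex."""
    encryptor = Cipher(algorithms.AES(key), modes.ECB()).encryptor()
    block = encryptor.update(bytes(16)) + encryptor.finalize()
    return block[:length].hex().upper()


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def split_into_components(key: bytes, count: int) -> List[bytes]:
    """Customer side: split a key into `count` XOR components, one per custodian.

    count-1 components are random; the last is chosen so the XOR of all equals the key,
    so any subset short of the full set reveals nothing about the key.
    """
    if count < 2:
        raise ValueError("need at least two custodians")
    components = [secrets.token_bytes(len(key)) for _ in range(count - 1)]
    last = key
    for component in components:
        last = _xor(last, component)
    components.append(last)
    return components


def combine_components(components: List[bytes], expected_kcvs: Optional[List[str]] = None) -> bytes:
    """Task 1: rebuild the KEK from custodian components, checking each component's KCV.

    This is the per-component KCV the HSM tools display at entry time, so a typo
    is caught before the KEK is formed.
    """
    if len({len(c) for c in components}) != 1:
        raise ValueError("components must all have the same length")
    if expected_kcvs is not None:
        for index, (component, expected) in enumerate(zip(components, expected_kcvs)):
            if kcv(component) != expected.upper():
                raise ValueError(f"component {index + 1}: KCV mismatch, re-enter it")
    kek = bytes(len(components[0]))
    for component in components:
        kek = _xor(kek, component)
    return kek


def unwrap_transport_key(kek: bytes, wrapped: bytes, expected_kcv: str) -> bytes:
    """Task 2: unwrap the transport key with the KEK (AES-KWP) and verify its KCV."""
    try:
        transport_key = aes_key_unwrap_with_padding(kek, wrapped)
    except InvalidUnwrap as exc:
        raise ValueError("unwrap failed: wrong KEK or corrupted wrapped key file") from exc
    if kcv(transport_key) != expected_kcv.upper():
        raise ValueError("transport key KCV does not match the expected value")
    return transport_key


def ceremony_round_trip(custodians: int = 3) -> dict:
    """Run both sides of the exchange on constructed keys and report what each side sees."""
    # Constructed sample keys: 128-bit KEK (-keysize=16), 192-bit transport key (-keysize=24).
    kek = bytes.fromhex("000102030405060708090a0b0c0d0e0f")
    transport_key = bytes(range(0x10, 0x28))

    # Customer side: split the KEK for the custodians and wrap the transport key under it.
    components = split_into_components(kek, custodians)
    component_kcvs = [kcv(c) for c in components]
    wrapped = aes_key_wrap_with_padding(kek, transport_key)

    # OneSpan side: Task 1 (components -> KEK), then Task 2 (wrapped file -> transport key).
    imported_kek = combine_components(components, component_kcvs)
    imported_transport_key = unwrap_transport_key(imported_kek, wrapped, kcv(transport_key))

    return {
        "kek_kcv": kcv(imported_kek),
        "transport_key_kcv": kcv(imported_transport_key),
        "wrapped": wrapped,
        "match": imported_kek == kek and imported_transport_key == transport_key,
    }


if __name__ == "__main__":
    print(ceremony_round_trip())
```

The customer can run the same functions before shipping anything to confirm that the component KCVs, the KEK KCV and the wrapped file all line up; a KCV mismatch on either side means a mistyped component or the wrong KEK, not a key that is safe to use.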