The key aspect of DUKPT is that for each transaction that is originated from the PIN device, the key for encryption shall be unique. The key shall not have any relation with the keys that were used in the past or the keys that might be used for future transactions. The encryption algorithm that shall be used is TDES.
Note
This feature is in preview and available only in the Azure regions East US 2 EUAP and Central US EUAP.
For added assurance when you use Azure Key Vault, you can import or generate a key in a hardware security module (HSM); the key will never leave the HSM boundary. This scenario often is referred to as bring your own key (BYOK). Key Vault uses the nCipher nShield family of HSMs (FIPS 140-2 Level 2 validated) to protect your keys.
Use the information in this article to help you plan for, generate, and transfer your own HSM-protected keys to use with Azure Key Vault.
Note
This functionality is not available for Azure China 21Vianet.
This import method is available only for supported HSMs.
For more information, and for a tutorial to get started using Key Vault (including how to create a key vault for HSM-protected keys), see What is Azure Key Vault?.
Overview
Here's an overview of the process. Specific steps to complete are described later in the article.
Prerequisites
The following table lists prerequisites for using BYOK in Azure Key Vault:
Supported HSMs
Note
To import HSM-protected keys from the nCipher nShield family of HSMs, use the legacy BYOK procedure.
Supported key types
Generate and transfer your key to the Key Vault HSM
To generate and transfer your key to a Key Vault HSM:
Can An Hsm Generate Dukpt Keys DownloadStep 1: Generate a KEK
A KEK is an RSA key that's generated in a Key Vault HSM. The KEK is used to encrypt the key you want to import (the target key).
The KEK must be:
Note
The KEK must have 'import' as the only allowed key operation. 'import' is mutually exclusive with all other key operations.
Use the az keyvault key create command to create a KEK that has key operations set to
import . Record the key identifier (kid ) that's returned from the following command. (You will use the kid value in Step 3.)
Step 2: Download the KEK public key
Use az keyvault key download to download the KEK public key to a .pem file. The target key you import is encrypted by using the KEK public key.
Transfer the KEKforBYOK.publickey.pem file to your offline computer. You will need this file in the next step.
Step 3: Generate and prepare your key for transfer
Refer to your HSM vendor's documentation to download and install the BYOK tool. Follow instructions from your HSM vendor to generate a target key, and then create a key transfer package (a BYOK file). The BYOK tool will use the
kid from Step 1 and the KEKforBYOK.publickey.pem file you downloaded in Step 2 to generate an encrypted target key in a BYOK file.
Transfer the BYOK file to your connected computer.
![]()
Note
Importing RSA 1,024-bit keys is not supported. Currently, importing an Elliptic Curve (EC) key is not supported.
Known issue: Importing an RSA 4K target key from SafeNet Luna HSMs is only supported with firmware 7.4.0 or newer.
Step 4: Transfer your key to Azure Key VaultCan An Hsm Generate Dukpt Keys 2017
To complete the key import, transfer the key transfer package (a BYOK file) from your disconnected computer to the internet-connected computer. Use the az keyvault key import command to upload the BYOK file to the Key Vault HSM.
If the upload is successful, Azure CLI displays the properties of the imported key.
Next stepsCan An Hsm Generate Dukpt Keys In Word
You can now use this HSM-protected key in your key vault. For more information, see this price and feature comparison.
Comments are closed.
|
AuthorWrite something about yourself. No need to be fancy, just an overview. Archives
December 2020
Categories |