nShield Key Attestation Verifier

Introduction

Key attestation refers to a way of cryptographically proving to a third party that a key is generated in the nShield HSM and cannot be exported in clear text.

The nShield Key Attestation Verifier allows a user to generate a JSON bundle containing all necessary certificates and information about a key and HSM to verify its protection and use constraints enforced by the HSM. nShield attestation relies on a KLF2 warrant, a certificate chain which links the HSM to its ESN. Verification of the bundle can be done without access to an HSM.

The nfkmattest tool can be installed as part of the nShield Security World software or as a standalone package.