NVRAM-Stored Keys
The nShield CSP now supports creating keys protected by the module NVRAM.
The PP_NO_HOST_STORAGE parameter to CryptSetProvParam is supported as long as a module with NVRAM is attached.
Setting this parameter to a nonzero value causes all keys generated from that point on to be generated with their blobs in NVRAM.
The setting persists until CryptReleaseContext is called or until the PP_NO_HOST_STORAGE parameter is reset to 0.
The method of creating NVRAM-stored keys is very similar to the method of creating keys with NVRAM counters:
- Call CryptAcquireContext to get a handle to a container.
- Call CryptSetProvParam and set the PP_NO_HOST_STORAGE property to a non-zero value.
This causes any keys generated with that container handle to be generated with blobs in NVRAM until either of the following occurs:
- CryptReleaseContext is called with that container handle.
- CryptSetProvParam is called to set PP_NO_HOST_STORAGE to zero.
Creating NVRAM-stored keys requires insertion of the ACS quorum for NVRAM, in the same way as creating key-counted keys (keys with NVRAM counters).
PP_NO_HOST_STORAGE is a new value and will be defined in the wincrypt.h header file in future versions of the Microsoft Platform SDK.
Until then, the following code can be used to define the value correctly:
#ifndef PP_NO_HOST_STORAGE
#define PP_NO_HOST_STORAGE 44
#endif
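The procedure above as a worked example in C. This is an added example, not code from the nShield documentation or the nShield CSP itself: the container name "nvram-demo" and the provider name "nCipher Enhanced Cryptographic Provider" are assumptions (use the CSP name registered on your host), and on a non-Windows build the CAPI calls are replaced by a small mock that models the behaviour the text describes (the flag persists on the handle until it is reset to 0 or the context is released) so the flow can be compiled and checked without a module. The wrapper resets PP_NO_HOST_STORAGE to 0 immediately after generating the key, which is the step most easily forgotten: otherwise every later key made through that handle also goes into NVRAM and needs the ACS quorum.

```c
/* Added example: NVRAM-stored key via PP_NO_HOST_STORAGE (not nShield code).
 * Windows: real CryptoAPI (link advapi32). Elsewhere: mock of the CAPI subset
 * used here, modelling the documented flag semantics for testing. */
#include <stdio.h>

#ifdef _WIN32
#include <windows.h>
#include <wincrypt.h>
#endif

#ifndef PP_NO_HOST_STORAGE
#define PP_NO_HOST_STORAGE 44   /* value given in the nShield CSP documentation */
#endif

#ifndef _WIN32
/* ---- minimal mock of the CAPI calls used below (non-Windows build only) ---- */
typedef unsigned long DWORD;
typedef unsigned char BYTE;
typedef int BOOL;
typedef unsigned long HCRYPTPROV;
typedef unsigned long HCRYPTKEY;
#define TRUE 1
#define FALSE 0
#define PROV_RSA_FULL 1
#define AT_SIGNATURE 2
#define CRYPT_NEWKEYSET 0x8
#define MOCK_MAX_KEYS 8

static DWORD mock_flag;                    /* current PP_NO_HOST_STORAGE value */
static int   mock_in_nvram[MOCK_MAX_KEYS]; /* per generated key: blob in NVRAM? */
static int   mock_keys;

static BOOL CryptAcquireContextA(HCRYPTPROV *h, const char *cont,
                                 const char *prov, DWORD type, DWORD flags) {
    (void)cont; (void)prov; (void)type; (void)flags;
    mock_flag = 0; mock_keys = 0;           /* new handle starts in host storage */
    *h = 1;
    return TRUE;
}
static BOOL CryptSetProvParam(HCRYPTPROV h, DWORD param, const BYTE *data, DWORD flags) {
    (void)h; (void)flags;
    if (param != PP_NO_HOST_STORAGE) return FALSE;
    mock_flag = *(const DWORD *)data;       /* persists until reset or release */
    return TRUE;
}
static BOOL CryptGenKey(HCRYPTPROV h, DWORD alg, DWORD flags, HCRYPTKEY *key) {
    (void)h; (void)alg; (void)flags;
    if (mock_keys >= MOCK_MAX_KEYS) return FALSE;
    mock_in_nvram[mock_keys] = (mock_flag != 0);   /* decided at generation time */
    *key = (HCRYPTKEY)(++mock_keys);
    return TRUE;
}
static BOOL CryptDestroyKey(HCRYPTKEY k) { (void)k; return TRUE; }
static BOOL CryptReleaseContext(HCRYPTPROV h, DWORD flags) {
    (void)h; (void)flags;
    mock_flag = 0;                          /* releasing the handle drops the setting */
    return TRUE;
}
#endif

/* Set PP_NO_HOST_STORAGE on a container handle: nonzero means blobs go to NVRAM. */
static BOOL set_no_host_storage(HCRYPTPROV prov, DWORD on) {
    return CryptSetProvParam(prov, PP_NO_HOST_STORAGE, (const BYTE *)&on, 0);
}

/* Generate one key with its blob in NVRAM, then clear the flag again so later
 * keys made through this handle return to host storage. On a real module the
 * ACS quorum is requested inside CryptGenKey. */
BOOL gen_nvram_key(HCRYPTPROV prov, DWORD alg, DWORD flags, HCRYPTKEY *key) {
    BOOL ok;
    if (!set_no_host_storage(prov, 1)) return FALSE;
    ok = CryptGenKey(prov, alg, flags, key);
    if (!set_no_host_storage(prov, 0)) ok = FALSE;   /* flag persists otherwise */
    return ok;
}

/* Documented flow end to end: key 1 via gen_nvram_key (NVRAM), key 2 by plain
 * CryptGenKey on the same handle (host storage, because the flag was reset).
 * Returns 0 on success or the 1-based step that failed. */
int nvram_key_flow(void) {
    HCRYPTPROV prov;
    HCRYPTKEY k1, k2;
    /* assumed container and provider names; use the nCipher CSP registered on the host */
    if (!CryptAcquireContextA(&prov, "nvram-demo", "nCipher Enhanced Cryptographic Provider",
                              PROV_RSA_FULL, CRYPT_NEWKEYSET)) return 1;
    if (!gen_nvram_key(prov, AT_SIGNATURE, 0, &k1)) return 2;
    if (!CryptGenKey(prov, AT_SIGNATURE, 0, &k2)) return 3;
    CryptDestroyKey(k1); CryptDestroyKey(k2);
    CryptReleaseContext(prov, 0);
    return 0;
}

/* Where each generated key's blob went: 1 = NVRAM, 0 = host, -1 = unknown.
 * A real Windows build cannot tell through this API; use csputils --detail. */
int key_blob_in_nvram(int index) {
#ifdef _WIN32
    (void)index; return -1;
#else
    return (index >= 0 && index < mock_keys) ? mock_in_nvram[index] : -1;
#endif
}

int main(void) {
    int rc = nvram_key_flow();
    printf("flow rc=%d key0 in NVRAM=%d key1 in NVRAM=%d\n",
           rc, key_blob_in_nvram(0), key_blob_in_nvram(1));
    return rc;
}
```

On a host with the nShield CSP installed, confirm where the blobs actually landed with csputils --detail rather than trusting the return code: the CAPI calls report only success or failure, not storage location.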
This feature is only available to users writing CAPI code directly.
To use an NVRAM-stored key in a client application (for example IIS or the Microsoft Certificate Authority), first create the key with the keytst command-line tool, and then transfer the key across to the required container with the cspimport utility.
Also, the keytst and csptest utilities have gained an extra command-line parameter.
keytst --help now gives output containing the following information:
Key creation flags (only valid with -cx or -cs):
-e, --export Create the key(s) with the 'exportable' bit set.
-L, --length=BITLEN Specify the new key length (default = 1024).
-C, --counter Create key counters (if supported).
-K, --kitb Create NVRAM-stored key(s) (if supported).
The -C and -K options require you to insert your ACS.
The command csptest --help outputs the following usage message:
Program options:
-f, --flood Run a continuous signature test.
-d, --dsa Use DSA signatures rather than RSA signatures.
-m, --ms Use the MS AES provider rather than nCipher's one
(possibly with modexp offload).
-C, --counters Generate keys with counters (needs NVRAM and ACS).
-K, --kitb Generate keys using KITB (needs NVRAM and ACS).
The csputils utility displays the NVRAM status of keys when run with the --detail option.