NVRAM-Stored Keys

The nShield CSP now supports creating keys protected by the module NVRAM. The PP_NO_HOST_STORAGE parameter to CryptAcquireContext is supported as long as the module with NVRAM is attached. Setting this parameter to a nonzero value causes all keys generated from that point to be generated with blobs in NVRAM. The counter persists until CryptReleaseContext is called or until the PP_NO_HOST_STORAGE parameter is reset to 0.

The method of creating NVRAM-stored keys is very similar to the method of creating keys with NVRAM counters:

  1. call CryptAcquireContext to get a handle to a container.

  2. call CryptSetProvParam and set the PP_NO_HOST_STORAGE property to a non-zero value.

This causes any keys generated with that container handle to be generated with blobs in NVRAM until either of the following occurs:

  • CryptReleaseContext is called with that container handle.

  • CryptSetProvParam is called to set PP_NO_HOST_STORAGE to zero.

Creating NVRAM-stored keys requires insertion of the ACS quorum for NVRAM, in the same way as creating key counted keys.

PP_NO_HOST_STORAGE is a new value and will be set in the wincrypt.h header file in future versions of the Microsoft Platform SDK. The following example code can be used until then to define the value correctly:


This feature is only available to users writing CAPI code directly. To use an NVRAM-stored key in a client application (for example IIS or the Microsoft Certificate Authority), first create the key with the keytst command-line tool, and then transfer the key across to the required container with the cspimport utility.

Also, the keytst and csptest utilities have gained an extra command-line parameter. keytst --help now gives output containing the following information:

Key creation flags (only valid with -cx or -cs):
-e, --export                Create the key(s) with the 'exportable' bit set.
  -L, --length=BITLEN       Specify the new key length (default = 1024).
  -C, --counter             Create key counters (if supported).
  -K, --kitb                Create NVRAM-stored key(s) (if supported).
The -C and -K options require you to insert your ACS.

The command csptest --help outputs the following usage message:

Program options:
  -f, --flood               Run a continuous signature test.
  -d, --dsa                 Use DSA signatures rather than RSA signatures.
  -m, --ms                  Use the MS AES provider rather than nCipher's one
                             (possibly with modexp offload).
  -C, --counters            Generate keys with counters (needs NVRAM and ACS).
  -K, --kitb                Generate keys using KITB (needs NVRAM and ACS).

The csputils utility displays the NVRAM status of keys using the --detail option.