Key-management functions

You can use the CKNFAST_OVERRIDE_SECURITY_ASSURANCES environment variable to modify the way that some functions, including key-management functions, are used.

In Security World v13.3.2 and later, you can set the CKNFAST_LOADSHARING environment variable to enable load sharing for the work allocation for key-management functions:

  • When CKNFAST_LOADSHARING is not set, the first available module is selected.

  • When CKNFAST_LOADSHARING is set, the work is shared between the available modules using a round-robin approach.

Module selection incurs additional overhead. Therefore, if the load is light, load sharing might result in a small performance degradation. Most affected operations involve key creation, which includes loading the keys on all modules when load sharing is in use. For this reason, while there is an increase in throughput, it is not expected to be linear.

The vendor-defined boolean attribute CKA_NC_VALUE_ONLY is available for the C_DeriveKey function. It can only be used to derive a secret key with the following attribute settings:

  • CKA_SENSITIVE set to FALSE

  • CKA_TOKEN set to FALSE

  • CKA_EXTRACTABLE set to TRUE

When CKA_NC_VALUE_ONLY is set to TRUE, it signals that the application intends only to extract the value of the derived key, via C_GetAttributeValue. The derived key will not be loadshared and is not guaranteed to be usable for other operations. If the derived key into which the key has been loaded becomes unavailable, the key will not be usable at all.

CKA_NC_VALUE_ONLY is defined in pkcs11extra.h in the nShield implementation of cryptoki.h.

CKA_NC_VALUE_ONLY provides a performance benefit even in the absence of loadsharing. However, its main benefit is in removing much of the loadsharing overhead and therefore in improving scalability.
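
The attribute rule above can be enforced before calling C_DeriveKey. The following is an added example, not code from the nShield documentation or headers: check_value_only_template, check_sample and the TPL_* result codes are hypothetical names, the PKCS #11 types are stand-ins so that the block builds without the vendor headers, and the numeric value given for CKA_NC_VALUE_ONLY is a placeholder (take the real one from pkcs11extra.h).

```c
#include <stddef.h>
#include <stdio.h>

/* Stand-in PKCS #11 types so this builds without the nShield headers;
 * in a real build include cryptoki.h and pkcs11extra.h instead. */
typedef unsigned long CK_ULONG;
typedef unsigned char CK_BBOOL;
typedef struct { CK_ULONG type; void *pValue; CK_ULONG ulValueLen; } CK_ATTRIBUTE;
#define CKA_TOKEN         0x00000001UL   /* standard PKCS #11 values */
#define CKA_SENSITIVE     0x00000103UL
#define CKA_EXTRACTABLE   0x00000162UL
#define CKA_NC_VALUE_ONLY 0x8000FFFFUL   /* PLACEHOLDER: real value is in pkcs11extra.h */

enum { TPL_OK, TPL_BAD_SENSITIVE, TPL_BAD_TOKEN, TPL_BAD_EXTRACTABLE };

/* 1 if `type` is present as a CK_BBOOL whose truth value equals `want`. */
static int has_bool(const CK_ATTRIBUTE *t, CK_ULONG n, CK_ULONG type, int want) {
    for (CK_ULONG i = 0; i < n; i++)
        if (t[i].type == type)
            return t[i].pValue && t[i].ulValueLen == sizeof(CK_BBOOL)
                   && (*(const CK_BBOOL *)t[i].pValue != 0) == (want != 0);
    return 0;
}

/* Hypothetical helper: run on the derive template before C_DeriveKey.
 * Requires the three attributes explicitly rather than trusting defaults. */
int check_value_only_template(const CK_ATTRIBUTE *t, CK_ULONG n) {
    if (!has_bool(t, n, CKA_NC_VALUE_ONLY, 1)) return TPL_OK; /* rule not in play */
    if (!has_bool(t, n, CKA_SENSITIVE, 0))     return TPL_BAD_SENSITIVE;
    if (!has_bool(t, n, CKA_TOKEN, 0))         return TPL_BAD_TOKEN;
    if (!has_bool(t, n, CKA_EXTRACTABLE, 1))   return TPL_BAD_EXTRACTABLE;
    return TPL_OK;
}

/* Constructed sample: a value-only template with the given attribute values. */
int check_sample(CK_BBOOL sensitive, CK_BBOOL token, CK_BBOOL extractable) {
    CK_BBOOL yes = 1;
    CK_ATTRIBUTE tpl[] = {
        { CKA_NC_VALUE_ONLY, &yes,         sizeof yes },
        { CKA_SENSITIVE,     &sensitive,   sizeof sensitive },
        { CKA_TOKEN,         &token,       sizeof token },
        { CKA_EXTRACTABLE,   &extractable, sizeof extractable },
    };
    return check_value_only_template(tpl, sizeof tpl / sizeof tpl[0]);
}

int main(void) {
    printf("valid: %d, sensitive key: %d\n", check_sample(0, 0, 1), check_sample(1, 0, 1));
    return 0;
}
```

A template that passes this check describes a non-sensitive, extractable session key, so the derived value is readable by the application through C_GetAttributeValue and should be handled accordingly.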

C_GenerateKey

| Function | Supported in Security World | Performs as in PKCS #11 spec | PKCS #11 spec version |
|---|---|---|---|
| C_GenerateKey | tbc | Without modifications | 2.40 |

C_GenerateKeyPair

| Function | Supported in Security World | Performs as in PKCS #11 spec | PKCS #11 spec version |
|---|---|---|---|
| C_GenerateKeyPair | tbc | Without modifications | 2.40 |

C_WrapKey

| Function | Supported in Security World | Performs as in PKCS #11 spec | PKCS #11 spec version |
|---|---|---|---|
| C_WrapKey | tbc | Without modifications | 2.40 |

C_UnwrapKey

| Function | Supported in Security World | Performs as in PKCS #11 spec | PKCS #11 spec version |
|---|---|---|---|
| C_UnwrapKey | tbc | Without modifications | 2.40 |

C_DeriveKey

| Function | Supported in Security World | Performs as in PKCS #11 spec | PKCS #11 spec version |
|---|---|---|---|
| C_DeriveKey | tbc | Without modifications | 2.40 |