Key-management functions
You can use the CKNFAST_OVERRIDE_SECURITY_ASSURANCES environment variable to modify the way that some functions, including key-management functions, are used.
In Security World v13.3.2 and later, you can set the CKNFAST_LOADSHARING environment variable to enable load sharing for the work allocation for key-management functions:
- When CKNFAST_LOADSHARING is not set, the first available module is selected.
- When CKNFAST_LOADSHARING is set, the work is shared between the available modules using a round-robin approach.
Module selection incurs additional overhead. Therefore, if the case load is light, load sharing might result in a small performance degradation. Most affected operations involve key creation, which includes loading the keys on all modules when loadsharing is in use. For this reason, while there is an increase in throughput, it is not expected to be linear.
The vendor-defined boolean attribute CKA_NC_VALUE_ONLY is available for the C_DeriveKey function.
It can only be used to derive a secret key with the following attribute settings:
- CKA_SENSITIVE set to FALSE
- CKA_TOKEN set to FALSE
- CKA_EXTRACTABLE set to TRUE
When CKA_NC_VALUE_ONLY is set to TRUE, it signals that the application intends only to extract the value of the derived key, via C_GetAttributeValue.
The derived key will not be loadshared and is not guaranteed to be usable for other operations.
If the derived key into which the key has been loaded becomes unavailable, the key will not be usable at all.
CKA_NC_VALUE_ONLY is defined in pkcs11extra.h in the nShield implementation of cryptoki.h.
CKA_NC_VALUE_ONLY provides a performance benefit even in the absence of loadsharing.
However, its main benefit is in removing much of the loadsharing overhead and therefore in improving scalability.
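The attribute constraints listed above, as an added example that is not part of the nShield documentation: a pre-flight check an application could run on its C_DeriveKey template before requesting CKA_NC_VALUE_ONLY, so that a derived key whose value is readable through C_GetAttributeValue is always an explicit choice. The function names, the stand-in type definitions and the CKA_NC_VALUE_ONLY value are assumptions made for illustration; the real value comes from pkcs11extra.h.

```c
#include <stddef.h>
#ifdef USE_NSHIELD_HEADERS /* header names as given on this page */
#include "cryptoki.h"
#include "pkcs11extra.h"
#else /* stand-ins so the example compiles without the nShield headers */
typedef unsigned char CK_BBOOL;
typedef unsigned long CK_ULONG, CK_ATTRIBUTE_TYPE;
typedef struct { CK_ATTRIBUTE_TYPE type; void *pValue; CK_ULONG ulValueLen; } CK_ATTRIBUTE;
#define CK_TRUE 1
#define CK_FALSE 0
#define CKA_TOKEN 0x00000001UL
#define CKA_SENSITIVE 0x00000103UL
#define CKA_EXTRACTABLE 0x00000162UL
#define CKA_NC_VALUE_ONLY 0xFFFFFFFFUL /* PLACEHOLDER: real value is in pkcs11extra.h */
#endif

/* 1 if `type` is present in the template as a CK_BBOOL equal to `want`. */
static int has_bool(const CK_ATTRIBUTE *t, CK_ULONG n, CK_ATTRIBUTE_TYPE type, CK_BBOOL want)
{
    for (CK_ULONG i = 0; i < n; i++)
        if (t[i].type == type)
            return t[i].pValue != NULL && t[i].ulValueLen == sizeof(CK_BBOOL) &&
                   (*(const CK_BBOOL *)t[i].pValue != CK_FALSE) == (want != CK_FALSE);
    return 0;
}

/* 0 if CKA_NC_VALUE_ONLY is not requested or all three settings match; otherwise
 * the first conflicting attribute. An absent attribute counts as a conflict, so
 * nothing relies on library defaults (a choice made in this example). */
CK_ATTRIBUTE_TYPE nc_value_only_conflict(const CK_ATTRIBUTE *t, CK_ULONG n)
{
    if (!has_bool(t, n, CKA_NC_VALUE_ONLY, CK_TRUE)) return 0;
    if (!has_bool(t, n, CKA_SENSITIVE, CK_FALSE)) return CKA_SENSITIVE;
    if (!has_bool(t, n, CKA_TOKEN, CK_FALSE)) return CKA_TOKEN;
    if (!has_bool(t, n, CKA_EXTRACTABLE, CK_TRUE)) return CKA_EXTRACTABLE;
    return 0;
}

/* Builds a constructed four-attribute derive template and checks it. */
CK_ATTRIBUTE_TYPE check_flags(CK_BBOOL value_only, CK_BBOOL sensitive, CK_BBOOL token, CK_BBOOL extractable)
{
    CK_ATTRIBUTE t[] = {
        { CKA_NC_VALUE_ONLY, &value_only, sizeof value_only },
        { CKA_SENSITIVE, &sensitive, sizeof sensitive },
        { CKA_TOKEN, &token, sizeof token },
        { CKA_EXTRACTABLE, &extractable, sizeof extractable },
    };
    return nc_value_only_conflict(t, sizeof t / sizeof t[0]);
}
```

A non-zero return names the attribute to correct before the template is passed to C_DeriveKey.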
C_GenerateKey
Function | Supported in Security World | Performs as in PKCS #11 spec | PKCS #11 spec version |
---|---|---|---|
C_GenerateKey | tbc | Without modifications | 2.40 |
C_GenerateKeyPair
Function | Supported in Security World | Performs as in PKCS #11 spec | PKCS #11 spec version |
---|---|---|---|
C_GenerateKeyPair | tbc | Without modifications | 2.40 |
C_WrapKey
Function | Supported in Security World | Performs as in PKCS #11 spec | PKCS #11 spec version |
---|---|---|---|
C_WrapKey | tbc | Without modifications | 2.40 |