Key-management functions

In Security World v13.3.2 and later, you can set the CKNFAST_LOADSHARING environment variable to enable load sharing for the work allocation for key-management functions:

Module selection incurs additional overhead. Therefore, if the case load is light, load sharing might result in a small performance degradation. Most affected operations involve key creation, which includes loading the keys on all modules when loadsharing is in use. For this reason, while there is an increase in throughput, it is not expected to be linear.

The vendor-defined boolean attribute CKA_NC_VALUE_ONLY is available for the C_DeriveKey function. It can only be used to derive a secret key with the following attribute settings:

When CKA_NC_VALUE_ONLY is set to TRUE, it signals that the application intends only to extract the value of the derived key, via C_GetAttributeValue. The derived key will not be loadshared and is not guaranteed to be usable for other operations. If the derived key into which the key has been loaded becomes unavailable, the key will not be usable at all.

CKA_NC_VALUE_ONLY is defined in pkcs11extra.h in the nShield implementation of cryptoki.h.

CKA_NC_VALUE_ONLY provides a performance benefit even in the absence of loadsharing. However, its main benefit is in removing much of the loadsharing overhead and therefore in improving scalability.