Generating and deleting NVRAM-stored keys with PKCS#11
You can use the nShield PKCS #11 library to generate keys stored in nonvolatile memory (up to a maximum of 12 keys) if you have set the CKNFAST_NVRAM_KEY_STORAGE
environment variable.
Generating NVRAM-stored keys
To generate NVRAM-stored keys with the nShield PKCS #11 library:
-
Load (or reload) the ACS using the
preload
command-line utility. Open a command-line window and give the command:preload --admin=NV pause
-
After loading the ACS, remove the Administrator Cards from the module.
-
Ensure that the
CKNFAST_NVRAM_KEY_STORAGE
environment variable is set. If this variable is not set, the keys generated are not stored in NVRAM. -
Open a second command-line window, and give the command:
preload --cardset-name=<name> <pkcs11app>
where
<name>
is the cardset name and<pkcs11app>
is the name of your PKCS #11 application. -
Generate the NVRAM-stored keys that you need (up to a maximum of 12 keys) as normal.
-
Stop or close
<pkcs11app>
. -
Return to the command-line window you opened in step 1 and terminate the
preload --admin=NV pause
process.Do not allow the preload --admin=NV pause
process to run continuously. Run this process only when generating or deleting NVRAM-stored keys. As usual, remove the Administrator Cards when they are not in use and store them safely. -
Unset the
CKNFAST_NVRAM_KEY_STORAGE
environment variable. -
Restart
<pkcs11app>
.You can use the newly generated NVRAM-stored keys in the same way as other PKCS #11 keys. You can also generate any number of standard keys (not stored in NVRAM) in the usual way.
Deleting NVRAM-stored keys
To delete NVRAM-stored keys with the nShield PKCS #11 library:
-
Load (or reload) the ACS using the
preload
command-line utility. Open a command-line window and give the command:preload --admin=NV pause
-
After loading the ACS, remove the Administrator Cards from the module. Ensure that the
CKNFAST_NVRAM_KEY_STORAGE
environment variable is set.If you attempt to delete NVRAM-stored keys without the CKNFAST_NVRAM_KEY_STORAGE
environment variable set, only the key blob stored on hard disk is deleted. The keys remain in NVRAM on the module. Use thenvram-sw
command-line utility to fully remove the NVRAM-stored keys. For more information, see nvram-sw. -
Open a second command-line window, and give the command:
preload --cardset-name=<name> -M <pkcs11app>
where
<name>
is the cardset name and<pkcs11app>
is the name of the PKCS #11 application that you use to delete the keys. -
Delete the NVRAM-stored keys as you would delete normal keys.
-
Stop or close
<pkcs11app>
. -
Return to the command-line window you opened in step 1 and terminate the
preload --admin=NV pause
process.Do not allow the preload --admin=NV pause
to run continuously. Run this process only when generating or deleting NVRAM-stored keys. As usual, remove the Administrator Cards when they are not in use and store them safely. -
Unset the
CKNFAST_NVRAM_KEY_STORAGE
environment variable.