Generating and deleting NVRAM-stored keys with PKCS#11

You can use the nShield PKCS #11 library to generate keys stored in nonvolatile memory (up to a maximum of 12 keys) if you have set the CKNFAST_NVRAM_KEY_STORAGE environment variable.

Generating NVRAM-stored keys

To generate NVRAM-stored keys with the nShield PKCS #11 library:

  1. Load (or reload) the ACS using the preload command-line utility. Open a command-line window and give the command:

    preload --admin=NV pause

  2. After loading the ACS, remove the Administrator Cards from the module.

  3. Ensure that the CKNFAST_NVRAM_KEY_STORAGE environment variable is set. If this variable is not set, the keys generated are not stored in NVRAM.

  4. Open a second command-line window, and give the command:

    preload --cardset-name=<name> <pkcs11app>

    where <name> is the cardset name and <pkcs11app> is the name of your PKCS #11 application.

  5. Generate the NVRAM-stored keys that you need (up to a maximum of 12 keys) as normal.

  6. Stop or close <pkcs11app>.

  7. Return to the command-line window you opened in step 1 and terminate the preload --admin=NV pause process.

    Do not allow the preload --admin=NV pause process to run continuously. Run this process only when generating or deleting NVRAM-stored keys. As usual, remove the Administrator Cards when they are not in use and store them safely.

  8. Unset the CKNFAST_NVRAM_KEY_STORAGE environment variable.

  9. Restart <pkcs11app>.

    You can use the newly generated NVRAM-stored keys in the same way as other PKCS #11 keys. You can also generate any number of standard keys (not stored in NVRAM) in the usual way.

Deleting NVRAM-stored keys

To delete NVRAM-stored keys with the nShield PKCS #11 library:

  1. Load (or reload) the ACS using the preload command-line utility. Open a command-line window and give the command:

    preload --admin=NV pause

  2. After loading the ACS, remove the Administrator Cards from the module. Ensure that the CKNFAST_NVRAM_KEY_STORAGE environment variable is set.

    If you attempt to delete NVRAM-stored keys without the CKNFAST_NVRAM_KEY_STORAGE environment variable set, only the key blob stored on hard disk is deleted. The keys remain in NVRAM on the module. Use the nvram-sw command-line utility to fully remove the NVRAM-stored keys. For more information, see nvram-sw.

  3. Open a second command-line window, and give the command:

    preload --cardset-name=<name> -M <pkcs11app>

    where <name> is the cardset name and <pkcs11app> is the name of the PKCS #11 application that you use to delete the keys.

  4. Delete the NVRAM-stored keys as you would delete normal keys.

  5. Stop or close <pkcs11app>.

  6. Return to the command-line window you opened in step 1 and terminate the preload --admin=NV pause process.

    Do not allow the preload --admin=NV pause process to run continuously. Run this process only when generating or deleting NVRAM-stored keys. As usual, remove the Administrator Cards when they are not in use and store them safely.

  7. Unset the CKNFAST_NVRAM_KEY_STORAGE environment variable.
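
Both procedures above depend on CKNFAST_NVRAM_KEY_STORAGE being set during the key operation and unset afterwards. The following sketch is an added example, not part of the nShield tooling: it wraps the second-window preload command in a check for that state. The function names and the PRELOAD override are hypothetical, and treating the variable as "set" when it is present with any value is an assumption.

```shell
#!/bin/sh
# Added example, not vendor code. PRELOAD is a hypothetical override so the
# wrapper can be dry-run (for example PRELOAD=echo); it defaults to preload.

# nvram_preflight <generate|delete|normal>
# generate/delete: CKNFAST_NVRAM_KEY_STORAGE must be set, otherwise generated
#   keys are not stored in NVRAM and a delete removes only the on-disk key blob.
# normal: the variable must be unset before <pkcs11app> is restarted.
# Assumption: "set" means present in the environment with any value.
nvram_preflight() {
    case "$1" in
        generate|delete)
            if [ -z "${CKNFAST_NVRAM_KEY_STORAGE+x}" ]; then
                echo "refusing $1: CKNFAST_NVRAM_KEY_STORAGE is not set" >&2
                return 1
            fi ;;
        normal)
            if [ -n "${CKNFAST_NVRAM_KEY_STORAGE+x}" ]; then
                echo "refusing restart: CKNFAST_NVRAM_KEY_STORAGE is still set" >&2
                return 1
            fi ;;
        *)
            echo "usage: nvram_preflight generate|delete|normal" >&2
            return 2 ;;
    esac
}

# run_under_preload <generate|delete> <cardset-name> <pkcs11app> [args...]
# Builds the second-window command from the procedure; delete adds -M.
run_under_preload() {
    mode=$1 cardset=$2
    shift 2
    case "$mode" in
        generate|delete) ;;
        *) echo "mode must be generate or delete" >&2; return 2 ;;
    esac
    nvram_preflight "$mode" || return $?
    if [ "$mode" = delete ]; then
        "${PRELOAD:-preload}" --cardset-name="$cardset" -M "$@"
    else
        "${PRELOAD:-preload}" --cardset-name="$cardset" "$@"
    fi
}
```

Run `nvram_preflight normal` after the final unset step and before restarting <pkcs11app> to confirm the variable did not leak into the normal environment.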