Softcards

To delete a softcard, see Erase cards and softcards.

Create softcards

You must create a softcard before you create the keys that it is to protect.

A softcard is a file containing a logical token that cannot be loaded without a passphrase; its logical token must be loaded in order to authorize the loading of any key that is protected by the softcard. Softcard files are stored in the Key Management Data directory and have names of the form softcard_<hash> (where <hash> is the hash of the logical token share). Softcards belong to the Security World in which they are created.

A softcard’s passphrase is set when you generate it, and you can use a single softcard to protect multiple keys. Softcards are persistent; after a softcard is loaded, it remains valid for loading the keys it protects until its KeyID is destroyed.

It is possible to generate multiple softcards with the same name or passphrase. For this reason, the hash of each softcard is made unique (unrelated to the hash of its passphrase).

Softcards are not supported for use with the nCipherKM JCA/JCE CSP in Security Worlds that are compliant with FIPS 140 Level 3.

To use softcards with PKCS #11, you must have CKNFAST_LOADSHARING set to a nonzero value. When using pre-loaded softcards or other objects, the PKCS #11 library automatically sets CKNFAST_LOADSHARING=1 (load-sharing mode on) unless it has been explicitly set to 0 (load-sharing mode off).

As with OCSs, if debugging is enabled, a softcard’s passphrase hash is available in the debug output (as a parameter to a ReadShare command).
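
The following read-only check is an added example, not part of the Entrust documentation or tooling: it lists the softcard_<hash> files in a directory and reports whether the current CKNFAST_LOADSHARING setting allows PKCS #11 applications to use them. The function names are hypothetical, and it assumes that softcard files sit in the local sub-directory of the Key Management Data directory and that <hash> is a hex string.

```shell
#!/bin/sh
# Added example: audit softcard files against the PKCS #11 load-sharing setting.
# Usage (assumed location): audit_softcards "$NFAST_KMDATA/local"

# Print the <hash> part of every softcard_<hash> file in directory $1.
list_softcard_hashes() {
    dir=$1
    for f in "$dir"/softcard_*; do
        [ -f "$f" ] || continue        # also skips the literal glob when nothing matches
        hash=${f##*/softcard_}
        case $hash in
            # Assumption: <hash> is hex only; other names are reported, not listed.
            ''|*[!0-9a-fA-F]*) echo "unexpected file name: $f" >&2 ;;
            *) echo "$hash" ;;
        esac
    done
}

# Print "on" (nonzero), "off" (explicitly 0) or "unset".
# An empty value is treated as unset (assumption).
loadsharing_state() {
    if [ -z "${CKNFAST_LOADSHARING:-}" ]; then
        echo unset
    elif [ "$CKNFAST_LOADSHARING" = 0 ]; then
        echo off
    else
        echo on
    fi
}

# Return 0 if no softcards exist or load-sharing is on,
#        1 if softcards exist but load-sharing is explicitly off,
#        2 if softcards exist and the variable is unset (only pre-loaded
#          softcards get load-sharing switched on automatically).
audit_softcards() {
    count=$(list_softcard_hashes "$1" 2>/dev/null | wc -l | tr -d ' ')
    state=$(loadsharing_state)
    echo "softcards=$count CKNFAST_LOADSHARING=$state"
    [ "$count" -gt 0 ] || return 0
    case $state in
        on)  return 0 ;;
        off) return 1 ;;
        *)   return 2 ;;
    esac
}
```
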

You can create softcards from either:

Create a softcard with ppmk

To create a new softcard using the ppmk command-line utility:

  1. Decide whether you want the new softcard’s passphrase to be replaceable or non-replaceable. To create a softcard with a replaceable passphrase, run the command:

    ppmk --new --recoverable <NAME>

    To create a softcard with a non-replaceable passphrase, run the command:

    ppmk --new --non-recoverable <NAME>

    In these commands, <NAME> specifies the name of the new softcard to be created.

  2. PCIe HSMs: If you are working within a FIPS 140 Level 3 compliant Security World, you must provide authorization to create new softcards. The ppmk utility prompts you to insert a card that contains this authorization. Insert any card from the ACS. If you insert an Administrator Card from another Security World, ppmk displays an error message and prompts you to insert a card with valid authorization.

    When ppmk has obtained the authorization from a valid card, or if no authorization is required, it prompts you to type a passphrase.

  3. When prompted, type a passphrase for the new softcard, and press Enter.

    A passphrase can be of any length and contain any characters that you can type except for tabs or carriage returns (because these keys are used to move between data fields).

  4. When prompted, type the passphrase again to confirm it, and press Enter.

    If the passphrases do not match, ppmk prompts you to input and confirm the passphrase again.

After you have confirmed the passphrase, ppmk completes creation of the new softcard.

Create softcards with KeySafe

To create a softcard with KeySafe:

  1. Start KeySafe. (For an introduction to KeySafe and information on starting the software, see Using KeySafe.)

  2. Click the Softcards menu button, or select Softcards from the Manage menu. KeySafe takes you to the List Softcards panel.

  3. Click Create New Softcard to open the Create Softcard panel.

  4. Choose parameters for the softcard:

    1. Enter a name for the softcard. You must provide a valid name for each softcard.

    2. Choose whether you want passphrase replacement to be enabled for the softcard.

      In a Security World with passphrase recovery enabled, the Yes radio button is selected by default and the selection can be changed between Yes and No. In a Security World with passphrase recovery disabled, the No button is selected and cannot be changed to Yes.

  5. Click Commit.

    If you are creating the softcard in a FIPS 140 Level 3 Security World, insert an Administrator Card or an existing Operator Card when prompted.

    The Set Softcard Protection passphrase pane is displayed.

  6. Set a passphrase for the softcard by entering the same passphrase in both text fields.

    A passphrase can contain any characters you can type except for tabs or carriage returns (because these keys are used to move between data fields) and can be up to 1024 characters long. You can change a passphrase at any time. You must provide a passphrase for each card.

  7. After entering your desired passphrase in both text fields, click the OK button.

    KeySafe displays a dialog indicating that the softcard has been successfully created.

  8. Click the OK button.

    KeySafe returns you to the Create Softcard panel, where you can create another softcard or choose a different operation by clicking one of the menu buttons.

Create a softcard with the CNG wizard (Windows)

You can use the nShield CNG wizard to create a Softcard that is suitable for use with the nShield Cryptography API: Next Generation (CNG). You can only create a Softcard using the CNG wizard if you already have a Security World and have an ACS available for that Security World.

To create a Softcard using the CNG wizard, follow these steps:

  1. Ensure that you have created the Security World and that at least one HSM is in the operational state.

  2. Run the wizard by double-clicking its shortcut in the Windows Start menu: Start > Entrust nShield Security World.

  3. The wizard displays the welcome screen.

  4. Click the Next button. The wizard allows you to configure HSM Pool mode for CAPI/CNG.

    Do not enable HSM Pool mode when creating a Softcard because HSM Pool mode only supports module-protected keys.

  5. Click the Next button.

    The wizard determines what actions to take based on the state of the Security World and of the HSMs that are attached to your computer:

    • If the wizard cannot find the Security World, it prompts you to create a new Security World or to install cryptographic acceleration only.

      In such a case, you should:

      • Cancel the operation

      • Check that the environment variable NFAST_KMDATA is set correctly

      • Copy the local sub-directory from the Key Management Data directory of another computer in the same Security World or from a backup tape of this computer to the Key Management Data directory of this computer.

      • Run the wizard again.

    • If there is an existing Security World, the wizard gives you the option of using the existing Security World, creating a new Security World or installing cryptographic acceleration only.

      • In order to use the existing Security World, ensure that the Use the existing security world option is selected, and click the Next button.

      • If there are any hardware security modules in the pre-initialization state, the wizard adds them to the Security World; see Adding or restoring an HSM to the Security World.

  6. When at least one hardware security module is in the operational state, the wizard prompts you to select a method to protect private keys generated by the CSPs.

  7. Ensure that the Softcard option is enabled. Click the Next button. Then select the Create a new Softcard option, and enter the name and passphrase of the Softcard in the boxes provided.

  8. Click the Next button, and if you have a FIPS world, the wizard prompts you to insert a card created with the current Security World.

    This shows that your Security World is compliant with the roles and services of the FIPS 140 Level 3 standard. It is included for those customers who have a regulatory requirement for compliance.

    Under the constraints of level 3 of the FIPS 140 standard, Softcards cannot be created without authorization. To obtain authorization, insert any card from the ACS or any OCS belonging to the current Security World.

  9. On the Software Installation screen when you are informed You now have a valid security world and key protection mechanism, click the Back button if you want to create another Softcard, or if you want to change the default protection for new CNG keys to a different protection option. When you have created all the Softcards that you require, click the Next button on this screen to register the CNG providers. For more information, see Microsoft CNG Guide for nShield Security World v13.6.5.