Cryptographic keys
A hardware security module (HSM) can be used to protect and manage your high-value cryptographic keys. An HSM provides stronger authentication for server applications.
Cryptographic keys are used to encrypt four types of data:
- Storage data. Storage data cryptographic keys are used for securing authenticator BLOBs. Each cryptographic application for each authenticator has its own BLOB. This BLOB contains authenticator configuration and other important information about the device.
- Sensitive data. Sensitive data keys are used for other data that is not protected by any of the other key types.
- Transport keys. Transport keys are used to decrypt DIGIPASS export file (DPX) data. Such files are protected by double-DPX encryption, which provides extra security to authenticator records prior to importing.
- Audit data. Audit data cryptographic keys are used for encrypting audit entries when secure auditing is enabled (see Secure auditing).
If you are using Entrust nShield HSM devices with OneSpan Authentication Server, the protection type for all sensitive data keys, storage data keys, and audit data keys must be set to module (as opposed to softcard or token). When you use the generatekey command, you can accomplish this by using the protect=module parameter.
Access to sensitive data, storage data, and audit data can be protected by the keys, which can be rotated at regular intervals, providing even greater security. To rotate the keys a job must be initiated from the Administration Web Interface. The job can be scheduled or run immediately.
When you copy, migrate, or back up encrypted database files, ensure that you also back up the encryption key (and/or the optional password key). Otherwise, you will not be able to read the data afterward, as it will be encrypted.
The key rotation process involves decrypting data with an old encryption key, then re-encrypting the data with a new encryption key. Rotating one sensitive data key affects all other sensitive data keys, while rotating a storage data key affects all other storage data keys.
Cryptographic key rotation can take some time. You can schedule a key rotation to run at a convenient time, then cancel it if not finished when system resources are needed again. If you restart the key rotation later, processed data will not be re-processed again.
With Thales ProtectServer HSM devices, each slot contains a token. Multiple cryptographic keys can be stored in each token (see Figure: Thales ProtectServer cryptographic keys allocated by token name and slot ID).