Import a Master Key

Perform this operation to import into your Principal HSM The first or main HSM. If you require multiple HSMs with the same master keys, use HSM manufacturer tools to duplicate the keys in the other HSM. a master key generated by another entity (for example, card manufacturer). For security reasons, the master key is encrypted with a transport key.

Important: Before you import a master key, you must have received the master keys that are encrypted with a transport key. The transport key is stored in your Principal HSM. The master keys to import depend on your credential management system.

  1. Insert or properly connect the Principal HSM.

  2. From the main menu, type 3 (Import Master Keys).

    Text Description automatically generated

  3. Enter the master key label (for example, MKS_ENC).

  4. To continue, press ENTER.

    For an AES key:

    1. Enter ‘y’ to confirm that you want to import an AES key. For a 3DES Key, enter “n”.

    2. Confirm the AES key length (256-bit or 128-bit). For 128-bit length key, enter “n”.

    3. (If applicable) Confirm if the key has been encrypted with CBC mode encryption. For ECB mode encryption, enter “n”.

    4. (If applicable) Confirm if the key will be extractable. For non-extractable key, enter “n”.

    For a DES key:

    1. Enter ‘n’ to confirm that you want to import a DES key. For an AES key, enter “y”.

    2. Confirm if you want to import a triple length 3DES key (24 bytes). For a 2TDEA key (16 bytes), enter “n”.

    3. (If applicable) Confirm if the key will be extractable. For non-extractable key, enter “n”.

  5. Enter the transport key label for that master key that you previously generated or imported.

  6. Confirm if the transport key is an AES key. For DES key, enter “n”.

    The following command prompt is displayed (without the key components entered).

  7. Enter the hexadecimal string you received from the entity that generated the master key (for example, 1542, A568, BEF8).

    Warning! If you enter the wrong master key, you will not be able to access the smart cards that you received from the card manufacturer.

  8. Confirm that you have entered the string correctly.

    • Press N if you want to re-enter a value.

    • Press Y to continue.

  9. Choose to continue importing keys or to end the session.

    • Enter Y to import another master key.

    • Enter N to end the Import Master Key session.

  10. Press ENTER to return to the main menu.