Display details of HSM-protected RSA keys

Posted on

Recently had a need to demonstrate for an auditor that a given key encryption key in a Thales HSM environment was RSA and was 4096-bits.  The correct command to do this is the nfkmverify command.  You give it a module number, ‘enquiry’ will give you the valid module numbers for your environment, the appname, and the key name / identifier.  In our case, using OpenSSL CHIL-based keys, they’re all app type hwcrhk.  To get a list of your HSM-protected keys, and their app names, use the “nfkminfo -k” command.

To sum all that up in a step by step:

  1. Get your key and app names: 
    # nfkminfo -k

Key list - 1 keys
AppName hwcrhk Ident rsa-myAppKey20180404
  2. ‘verify’ your key with nfkmverify: 
    # nfkmverify -m 1 hwcrhk rsa-myAppKey20180404

** [Application key hwcrhk rsa-myAppKey20180404] **
 [Not named]
 Useable by HOST applications
 MODULE-ONLY protection
 Recovery ENABLED
 Type RSAPrivate 4096 bits
 Key may be used for: ANY private-key crypto operation
 Generating module ESN 1234-1234-1234 NOT ATTACHED to this host
 nCore hash abcd1234....

Verification successful, confirm details above. 1 key verified.

Leave a Reply

Your email address will not be published. Required fields are marked *