Recently I needed to demonstrate to an auditor that a given key encryption key in a Thales nShield HSM environment was RSA and 4096 bits. The command for this is nfkmverify. You give it a module number (run enquiry to list the valid module numbers for your environment), the application name, and the key identifier. In our case, with keys generated through the OpenSSL CHIL engine, the application name is always hwcrhk. To list your HSM-protected keys together with their application names and identifiers, use nfkminfo -k.
To sum all that up, step by step:
- Get your key and app names:
```
# nfkminfo -k
Key list - 1 keys
 AppName hwcrhk          Ident rsa-myAppKey20180404
```
- Verify the key with nfkmverify, using -m to pick the module to check against:

```
# nfkmverify -m 1 hwcrhk rsa-myAppKey20180404
** [Application key hwcrhk rsa-myAppKey20180404] **
 [Not named]
 Useable by HOST applications
 MODULE-ONLY protection
 Recovery ENABLED
 Type RSAPrivate 4096 bits
 Key may be used for: ANY private-key crypto operation
 Generating module ESN 1234-1234-1234 NOT ATTACHED to this host
 nCore hash abcd1234....
Verification successful, confirm details above.
1 key verified.
```

The line the auditor wants is "Type RSAPrivate 4096 bits", but only together with "Verification successful": nfkmverify checks the key against the Security World through a module (hence -m) rather than just printing metadata from the key file, which is what makes its report better evidence than nfkminfo alone. The "Generating module ESN ... NOT ATTACHED to this host" line means the key was generated on a different module than the one you verified with; in a Security World that is expected, because any module in the world can load the world's keys. The protection and recovery lines ("MODULE-ONLY protection", "Recovery ENABLED") are also worth pointing out, since an auditor asking about key size will usually ask about those next.
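The two steps above lend themselves to scripting when there are many keys to evidence. The script below is an added example, not from the original post: it walks every key that nfkminfo -k lists, runs nfkmverify on each, and machine-checks the report for a successfully verified RSAPrivate key of at least 4096 bits. nfkminfo and nfkmverify are the real nShield tools; the parsing assumes the report layout shown above, and SAMPLE_REPORT is a constructed copy of that layout (dummy ESN and hash) so the checker can be exercised on a host without an HSM.

```shell
#!/bin/sh
# Added example, not from the original post: script the nfkminfo -k /
# nfkmverify procedure and check each report for an RSA private key of at
# least MIN_BITS bits. nfkminfo and nfkmverify are the real nShield tools;
# the parsing assumes the report layout shown in the post, and SAMPLE_REPORT
# is a constructed copy of that layout so the checker runs without an HSM.

MIN_BITS=4096

# Constructed nfkmverify report (same layout as the post's example, dummy values).
SAMPLE_REPORT='** [Application key hwcrhk rsa-myAppKey20180404] **
 [Not named]
 Useable by HOST applications
 MODULE-ONLY protection
 Recovery ENABLED
 Type RSAPrivate 4096 bits
 Key may be used for: ANY private-key crypto operation
 Generating module ESN 1234-1234-1234 NOT ATTACHED to this host
 nCore hash abcd1234....
Verification successful, confirm details above.
1 key verified.'

# check_report REPORT_TEXT
# Exit status 0 only if the report says verification succeeded AND the
# "Type" line names an RSAPrivate key of at least MIN_BITS bits.
check_report() {
    report=$1
    # Anything short of the explicit success line is a failure, including
    # error text that nfkmverify itself may have printed.
    printf '%s\n' "$report" | grep -q 'Verification successful' || return 1
    # Key type and size come from the " Type <alg> <n> bits" line.
    type_line=$(printf '%s\n' "$report" | grep -E '^[[:space:]]*Type ' | head -n 1)
    [ -n "$type_line" ] || return 1
    algo=$(printf '%s\n' "$type_line" | awk '{print $2}')
    bits=$(printf '%s\n' "$type_line" | awk '{print $3}')
    [ "$algo" = "RSAPrivate" ] || return 1
    # Reject a non-numeric size rather than letting test(1) error out.
    case $bits in ''|*[!0-9]*) return 1 ;; esac
    [ "$bits" -ge "$MIN_BITS" ]
}

# audit_all_keys [MODULE]
# Walk every key nfkminfo -k lists, run nfkmverify on it against MODULE
# (default 1), and print PASS/FAIL per key. Requires the nShield tools.
audit_all_keys() {
    module=${1:-1}
    nfkminfo -k | awk '/AppName/ {
        for (i = 1; i <= NF; i++) {
            if ($i == "AppName") app = $(i + 1)
            if ($i == "Ident")   id  = $(i + 1)
        }
        print app, id
    }' | while read -r app ident; do
        report=$(nfkmverify -m "$module" "$app" "$ident" 2>&1)
        if check_report "$report"; then
            printf 'PASS %s %s (RSAPrivate >= %s bits)\n' "$app" "$ident" "$MIN_BITS"
        else
            printf 'FAIL %s %s\n' "$app" "$ident"
            printf '%s\n' "$report" | sed 's/^/    /'
        fi
    done
}

# With the nShield tools present, audit the live Security World; otherwise
# exercise the checker on the constructed sample.
if command -v nfkmverify >/dev/null 2>&1; then
    audit_all_keys 1
elif check_report "$SAMPLE_REPORT"; then
    echo "no nShield tools found; constructed sample report passes the check"
else
    echo "no nShield tools found; constructed sample report FAILS the check"
fi
```

The checker deliberately fails closed: a report that lacks "Verification successful", names a non-RSA type, or shows fewer than 4096 bits all produce FAIL, and the full nfkmverify output is echoed under each failing key so the reason is on the record for the auditor.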