Display details of HSM-protected RSA keys

Recently had a need to demonstrate for an auditor that a given key encryption key in a Thales HSM environment was RSA and was 4096-bits.  The correct command to do this is the nfkmverify command.  You give it a module number, ‘enquiry’ will give you the valid module numbers for your environment, the appname, and the key name / identifier.  In our case, using OpenSSL CHIL-based keys, they’re all app type hwcrhk.  To get a list of your HSM-protected keys, and their app names, use the “nfkminfo -k” command.

To sum all that up in a step by step:

  1. Get your key and app names:
    # nfkminfo -k
    Key list - 1 keys
    AppName hwcrhk Ident rsa-myAppKey20180404
  2. ‘verify’ your key with nfkmverify:
    # nfkmverify -m 1 hwcrhk rsa-myAppKey20180404
    ** [Application key hwcrhk rsa-myAppKey20180404] **
     [Not named]
     Useable by HOST applications
     MODULE-ONLY protection
     Recovery ENABLED
     Type RSAPrivate 4096 bits
     Key may be used for: ANY private-key crypto operation
     Generating module ESN 1234-1234-1234 NOT ATTACHED to this host
     nCore hash abcd1234....
    Verification successful, confirm details above. 1 key verified.

Leave a Reply

Your email address will not be published. Required fields are marked *