Skip to main content

Smart Key Attributes

Securosys Smart Key Attributes enable true multi-authorization, rules and more for private key usage. For more information on Smart Key Attributes, please visit Smart Key Attributes (SKA) in HSM.

Attestation is used for signed attestations and timestamps, it requires an initialized Root Key Store. For more information see Setup and Install Root Key Store and Key Attestation.

Commands will require an established <HSM connection and credentials> parameter to be able to execute properly. For further assistance on how to prepare your <HSM connection and credentials> parameter, see HSM Connection and Access Credentials section.

Create Attestation Key

Before creating any SKA key, an attestation key is required (as well as an initialized Root Key Store). Use command CreateAttestationKey to create an attestation key:

java -jar primus-tools.jar CreateAttestationKey <HSM connection and credentials> /
-keyname <keyname> [-keypassword <keypassword>] [-size <size>] [-curve <curve>] [-type <type>]

List SKA Access

List smart key access information (SKA/EKA):

java -jar primus-tools.jar ListEkaAccess <HSM connection and credentials> /
-keyname <keyname> [-keypassword <keypassword>]

Create SKA Key

Create smart (SKA/EKA) key:

java -jar primus-tools.jar CreateEkaKey <HSM connection and credentials> /
-keyname <keyname> [-keypassword <keypassword>] -type <type> [-size <size>] [-curve <curve>] [-flags <flags>] -authorizationkeys <k>,<k>,... -quorum <quorum> [-ekadelay <minutes>] [-ekalimit <minutes>] [-authorizationkeysblock <k>,<k>,...] [-quorumblock <quorum>] [-ekadelayblock <minutes>] [-ekalimitblock <minutes>] [-authorizationkeysunblock <k>,<k>,...] [-quorumunblock <quorum>] [-ekadelayunblock <minutes>] [-ekalimitunblock <minutes>] [-authorizationkeysmodify <k>,<k>,...] [-quorummodify <quorum>] [-ekadelaymodify <minutes>] [-ekalimitmodify <minutes>]

Create Integrity Key

Create integrity key (for SKA use):

java -jar primus-tools.jar CreateIntegrityKey <HSM connection and credentials> /
-keyname <keyname> [-keypassword <keypassword>] /
-type <type> [-size <size>] [-curve <curve>] /
-flags [non]<flagname>[,[non]<flagname>,...] /
[-ckd] /
[-access <access>] /
  • possible key flags: sensitive,extractable,modifiable,copyable,preload,token,indestructible,private,public,blocked,neverextractable,nopublickey,alwayssensitive,externalobject,local,trusted,wrapwithtrusted,unique,encrypt,decrypt,sign,verify,wrap,unwrap,derive,integrity,attestation,timestamp,verifyrecover,signrecover

Get Attestation

Get key attributes (attested/signed):

java -jar primus-tools.jar GetAttestation <HSM connection and credentials> / 
-keyname <keyname> [-keypassword <keypassword>] -attestationkeyname <attestationkeyname> [-attestationkeypassword <attestationkeypassword>] [-ca <CA PEM file>] [-out <output file name base>]

Modify SKA

Modify smart key attributes (SKA/EKA):

java -jar primus-tools.jar ModifyEka <HSM connection and credentials> /
-keyname <keyname> [-keypassword <keypassword>] -operationauthorizationkeys <k>,<k>,... -integritykey <integritykey> [-timestamp] [-modifydelay <modifydelay>] -authorizationkeys <k>,<k>,... -quorum <quorum> [-ekadelay <minutes>] [-ekalimit <minutes>] [-authorizationkeysblock <k>,<k>,...] [-quorumblock <quorum>] [-ekadelayblock <minutes>] [-ekalimitblock <minutes>] [-authorizationkeysunblock <k>,<k>,...] [-quorumunblock <quorum>] [-ekadelayunblock <minutes>] [-ekalimitunblock <minutes>] [-authorizationkeysmodify <k>,<k>,...] [-quorummodify <quorum>] [-ekadelaymodify <minutes>] [-ekalimitmodify <minutes>]

Set SKA Key Flag

Set a key flag on SKA/EKA key:

java -jar primus-tools.jar SetKeyFlagEka <HSM connection and credentials> /
-keyname <keyname> [-keypassword <keypassword>] -algorithm <algorithm> -authorizationkeys <k>,<k>,... -integritykey <integritykey> -flag <flagname> [-value <flagvalue>] [-timestamp] [-ekadelay <ekadelay>]

Sign SKA

Sign test with SKA/EKA key:

java -jar primus-tools.jar SignEka <HSM connection and credentials> /
-keyname <keyname> [-keypassword <keypassword>] -algorithm <algorithm> [-message <message>] -authorizationkeys <k>,<k>,... -integritykey <integritykey> [-timestamp] [-signdelay <signdelay>]