Smart Key Attributes

Securosys Smart Key Attributes (SKA) enable multi-authorization and policy rules for private key usage.

Create Attestation Key

SKA requires an attestation key for signing attestation statements and timestamps. The attestation key in turn requires the Root Key Store to be initialized on the HSM. Then, to create the attestation key:

java -jar primus-tools.jar CreateAttestationKey <HSM connection and credentials> /
-keyname <keyname> [-keypassword <keypassword>] [-size <size>] [-curve <curve>] [-type <type>]

List SKA Access

java -jar primus-tools.jar ListEkaAccess <HSM connection and credentials> /
-keyname <keyname> [-keypassword <keypassword>]

Create SKA Key

java -jar primus-tools.jar CreateEkaKey <HSM connection and credentials> /
-keyname <keyname> [-keypassword <keypassword>] -type <type> [-size <size>] [-curve <curve>] [-flags <flags>] -authorizationkeys <k>,<k>,... -quorum <quorum> [-ekadelay <minutes>] [-ekalimit <minutes>] [-authorizationkeysblock <k>,<k>,...] [-quorumblock <quorum>] [-ekadelayblock <minutes>] [-ekalimitblock <minutes>] [-authorizationkeysunblock <k>,<k>,...] [-quorumunblock <quorum>] [-ekadelayunblock <minutes>] [-ekalimitunblock <minutes>] [-authorizationkeysmodify <k>,<k>,...] [-quorummodify <quorum>] [-ekadelaymodify <minutes>] [-ekalimitmodify <minutes>]

Create Integrity Key

An integrity key is needed to sign timestamps for using SKA keys protected by timeouts or timelocks.

java -jar primus-tools.jar CreateIntegrityKey <HSM connection and credentials> /
-keyname <keyname> [-keypassword <keypassword>] /
-type <type> [-size <size>] [-curve <curve>] /
-flags [non]<flagname>[,[non]<flagname>,...] /
[-ckd] /
[-access <access>] /

Possible key flags: sensitive,extractable,modifiable,copyable,preload,token,indestructible,private,public,blocked,neverextractable,nopublickey,alwayssensitive,externalobject,local,trusted,wrapwithtrusted,unique,encrypt,decrypt,sign,verify,wrap,unwrap,derive,integrity,attestation,timestamp,verifyrecover,signrecover

Get Attestation of Key Attributes

java -jar primus-tools.jar GetAttestation <HSM connection and credentials> / 
-keyname <keyname> [-keypassword <keypassword>] -attestationkeyname <attestationkeyname> [-attestationkeypassword <attestationkeypassword>] [-ca <CA PEM file>] [-out <output file name base>]

Modify SKA Key

java -jar primus-tools.jar ModifyEka <HSM connection and credentials> /
-keyname <keyname> [-keypassword <keypassword>] -operationauthorizationkeys <k>,<k>,... -integritykey <integritykey> [-timestamp] [-modifydelay <modifydelay>] -authorizationkeys <k>,<k>,... -quorum <quorum> [-ekadelay <minutes>] [-ekalimit <minutes>] [-authorizationkeysblock <k>,<k>,...] [-quorumblock <quorum>] [-ekadelayblock <minutes>] [-ekalimitblock <minutes>] [-authorizationkeysunblock <k>,<k>,...] [-quorumunblock <quorum>] [-ekadelayunblock <minutes>] [-ekalimitunblock <minutes>] [-authorizationkeysmodify <k>,<k>,...] [-quorummodify <quorum>] [-ekadelaymodify <minutes>] [-ekalimitmodify <minutes>]

Set SKA Key Flag

java -jar primus-tools.jar SetKeyFlagEka <HSM connection and credentials> /
-keyname <keyname> [-keypassword <keypassword>] -algorithm <algorithm> -authorizationkeys <k>,<k>,... -integritykey <integritykey> -flag <flagname> [-value <flagvalue>] [-timestamp] [-ekadelay <ekadelay>]

Sign with SKA Key

java -jar primus-tools.jar SignEka <HSM connection and credentials> /
-keyname <keyname> [-keypassword <keypassword>] -algorithm <algorithm> [-message <message>] -authorizationkeys <k>,<k>,... -integritykey <integritykey> [-timestamp] [-signdelay <signdelay>]

Get started withCloudHSM for free.

Need help?Contact Support.

Other questions?Ask Sales.

Create Attestation Key​

List SKA Access​

Create SKA Key​

Create Integrity Key​

Get Attestation of Key Attributes​

Modify SKA Key​

Set SKA Key Flag​

Sign with SKA Key​