TSB System Keys

The TSB automatically creates a number of keys on your HSM partition. This page explains what these keys are and what they are used for.

| Key label | Purpose |
| --- | --- |
| approver-mgmt-backup-key-rsa-wrapping | Used for encrypting the approver keys that are managed by this TSB, before backing them up in the database. This is an SKA key. By default, its policy is empty. You may manually assign a policy to better protect this key. However, you will need to manage the approver keys of this SKA key externally (otherwise there is a circular dependency). |
| attestation-key | Used for signing key attestations. Has the "attestation" key attribute set. |
| rfc-timestamp-key | Used for signing trusted timestamps following RFC 3161. Uses the new "timestamp" key attribute. |
| timestamp-key | Used for signing timestamps in SKA workflows that use timelocks or timeouts. Uses the old "integrity" key attribute. |

Danger

Do not delete these keys manually! The TSB needs these keys to operate.

If you have accidentally deleted these keys, the TSB automatically tries to create new keys. If key invalidation is disabled on your partition, this should succeed immediately. If key invalidation is enabled, the TSB's attempt to recreate the keys will fail, because the key labels are still present (albeit marked as deleted). In this case, the HSM administrator (SO or PSO) can help you reactivate the keys.