The Master Backup Key (MBK) serves as a critical safeguard for encrypted data, ensuring recovery in case of key loss or corruption. This section outlines the steps to securely generate and store the MBK within the Hardware Security Module (HSM).
- Generate an MBK.
  # ./csadm dev=<port>@<HSM IP> LogonSign=ADMIN,./key/ADMIN.key Key=mbk1.key#12345678,mbk2.key#12345678 MBKGenerateKey=AES,32,2,2,BIGIPMBK
- Import the key shares of an MBK from the key files to slot #3.
  # ./csadm dev=<port>@<HSM IP> LogonSign=ADMIN,./key/ADMIN.key Key=mbk1.key#12345678,mbk2.key#12345678 MBKImportKey=3
- List all MBKs currently stored on the device.
  # ./csadm dev=<port>@<HSM IP> LogonSign=ADMIN,./key/ADMIN.key MBKListKeys
  slot  name      len  algo  type   k  generation date      key check value
  ---------------------------------------------------------------------------------------
  3     BIGIPMBK  32   AES   XOR    2  2025/08/17 08:35:28  091789ef535e4a6d:0a2fe9cee8fef467
  7     AUTO-GEN  32   AES   SHARE  1  2025/03/18 15:49:25  1c08733306225874:e40861094c0ff123
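
After the import, the listing can be checked mechanically rather than by eye. The following script is an added example, not part of the original procedure or the vendor's tooling; the function names `mbk_field` and `mbk_verify` are hypothetical, and it assumes the column layout shown in the listing above with MBK names that contain no spaces.

```shell
#!/bin/sh
# Added example (not vendor code): check an MBKListKeys listing against expected values.
# Assumptions: whitespace-separated columns as in the listing above, MBK names without spaces.

# Listing copied from the output shown above, used here as offline sample input.
SAMPLE_LISTING='slot name len algo type k generation date key check value
---------------------------------------------------------------------------------------
3 BIGIPMBK 32 AES XOR 2 2025/08/17 08:35:28 091789ef535e4a6d:0a2fe9cee8fef467
7 AUTO-GEN 32 AES SHARE 1 2025/03/18 15:49:25 1c08733306225874:e40861094c0ff123'

# mbk_field SLOT COLUMN: read a listing on stdin, print that column of the matching row.
# Exit status: 0 found, 1 slot not listed, 2 unknown column name.
mbk_field() {
    awk -v slot="$1" -v col="$2" '
        BEGIN {
            n = split("slot name len algo type k date time kcv", names, " ")
            for (i = 1; i <= n; i++) idx[names[i]] = i
            if (!(col in idx)) { rc = 2; exit }
            rc = 1
        }
        # Data rows have exactly 9 fields; the header and the dashed rule do not match.
        NF == 9 && $1 == slot && rc != 0 { print $(idx[col]); rc = 0 }
        END { exit rc }
    '
}

# mbk_verify SLOT NAME ALGO LEN K KCV: read a listing on stdin, fail on any mismatch.
mbk_verify() {
    listing=$(cat)
    for pair in "name=$2" "algo=$3" "len=$4" "k=$5" "kcv=$6"; do
        col=${pair%%=*}
        want=${pair#*=}
        got=$(printf '%s\n' "$listing" | mbk_field "$1" "$col") || {
            echo "slot $1: no MBK listed" >&2
            return 1
        }
        [ "$got" = "$want" ] || {
            echo "slot $1: $col is '$got', expected '$want'" >&2
            return 1
        }
    done
}

# Demo on the sample listing: slot 3 must hold BIGIPMBK, AES, len 32, k=2, known check value.
printf '%s\n' "$SAMPLE_LISTING" | mbk_verify 3 BIGIPMBK AES 32 2 \
    091789ef535e4a6d:0a2fe9cee8fef467 && echo "slot 3 matches the expected MBK"
```

On a live system, pipe the output of the `MBKListKeys` command into `mbk_verify` in place of the sample listing, passing the key check value recorded from an earlier listing.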