Generating MKEK and HMAC Key on Utimaco HSM

  1. Generate the MKEK using the p11tool2 GenerateKey command below.

Console:

# ./p11tool2 Slot=<slot_id> LoginUser=<CryptoUser_PIN> KeyAttr=CKA_LABEL="mkek_utimaco",CKA_VALUE_LEN=32,CKA_WRAP=true,CKA_UNWRAP=true,CKA_ENCRYPT=false,CKA_DECRYPT=false,CKA_EXTRACTABLE=false GenerateKey=AES


[Figure: MKEK generation (CreatedMKEK.png)]

Barbican can be used to generate an MKEK. However, running barbican-manage hsm gen_mkek fails with a "key property invalid in CC mode" error when it attempts to create the key. The reason is that when the HSM is operated in CC mode (which is the case for the CryptoServer CP5), a key cannot be used for both encryption/decryption and wrapping/unwrapping, and the command adds the CKA_ENCRYPT and CKA_DECRYPT usage flags to the key. To work around this, the key is created with custom attributes using p11tool2, with CKA_ENCRYPT and CKA_DECRYPT set to false, since the MKEK is only required for wrapping/unwrapping.
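The CC-mode rule above is easy to get wrong in a template, and the HSM only reports it after the GenerateKey call. The following added example (not part of this documentation and not Utimaco or Barbican code) parses the KeyAttr string given to p11tool2 and applies the same usage-separation check before anything is sent to the HSM, so a template that mixes wrap/unwrap with encrypt/decrypt, or leaves the MKEK extractable, is caught locally. The function names, the BOOL_ATTRS set and the DUAL_USE_TEMPLATE (which models the dual usage the text attributes to gen_mkek; the exact attribute list of that command is not shown on this page) are assumptions made for the example.

```python
"""Pre-flight check of a p11tool2 KeyAttr template against the CC-mode usage rule.

Added example: parses the KeyAttr string used on the page and checks it the
way the HSM will, i.e. a key may not carry both encrypt/decrypt and
wrap/unwrap usage flags in CC mode. Names below are assumptions.
"""

# Boolean CKA_* attributes understood by this parser (a subset of PKCS#11).
BOOL_ATTRS = {
    "CKA_WRAP", "CKA_UNWRAP", "CKA_ENCRYPT", "CKA_DECRYPT",
    "CKA_EXTRACTABLE", "CKA_SENSITIVE", "CKA_SIGN", "CKA_VERIFY", "CKA_TOKEN",
}

# The MKEK KeyAttr value exactly as used on the p11tool2 command line.
PAGE_MKEK_ATTR = (
    'CKA_LABEL="mkek_utimaco",CKA_VALUE_LEN=32,CKA_WRAP=true,CKA_UNWRAP=true,'
    "CKA_ENCRYPT=false,CKA_DECRYPT=false,CKA_EXTRACTABLE=false"
)

# Constructed template with the dual usage the text says gen_mkek produces
# (assumption: the command's real attribute list is not shown on the page).
DUAL_USE_TEMPLATE = {
    "CKA_LABEL": "mkek_utimaco", "CKA_VALUE_LEN": 32,
    "CKA_WRAP": True, "CKA_UNWRAP": True,
    "CKA_ENCRYPT": True, "CKA_DECRYPT": True,
    "CKA_EXTRACTABLE": False,
}


def parse_key_attr(spec: str) -> dict:
    """Turn 'CKA_LABEL="x",CKA_VALUE_LEN=32,CKA_WRAP=true,...' into a dict.

    Booleans become bool, CKA_VALUE_LEN becomes int, everything else stays a
    string with surrounding double quotes removed. Labels containing commas
    are not supported by this simple splitter.
    """
    attrs = {}
    for item in spec.split(","):
        item = item.strip()
        if not item:
            continue
        name, sep, value = item.partition("=")
        if not sep:
            raise ValueError(f"attribute without value: {item!r}")
        name = name.strip().upper()
        value = value.strip().strip('"')
        if name in BOOL_ATTRS:
            if value.lower() not in ("true", "false"):
                raise ValueError(f"{name} must be true or false, got {value!r}")
            attrs[name] = value.lower() == "true"
        elif name == "CKA_VALUE_LEN":
            attrs[name] = int(value)
        else:
            attrs[name] = value
    return attrs


def cc_mode_problems(attrs: dict) -> list:
    """Return the reasons this template should be rejected as an MKEK.

    An empty list means the template passes all checks.
    """
    problems = []
    can_wrap = attrs.get("CKA_WRAP", False) or attrs.get("CKA_UNWRAP", False)
    can_crypt = attrs.get("CKA_ENCRYPT", False) or attrs.get("CKA_DECRYPT", False)
    if can_wrap and can_crypt:
        problems.append("wrap/unwrap and encrypt/decrypt on the same key "
                        "(rejected as 'key property invalid in CC mode')")
    if not can_wrap:
        problems.append("MKEK must have CKA_WRAP and CKA_UNWRAP set")
    # PKCS#11 defaults CKA_EXTRACTABLE to true, so a missing flag is unsafe too.
    if attrs.get("CKA_EXTRACTABLE", True):
        problems.append("MKEK is extractable; set CKA_EXTRACTABLE=false")
    if attrs.get("CKA_VALUE_LEN") not in (16, 24, 32):
        problems.append("CKA_VALUE_LEN must be 16, 24 or 32 bytes for AES")
    return problems


def check_p11tool2_spec(spec: str) -> list:
    """Parse a KeyAttr string and return its problems (empty when clean)."""
    return cc_mode_problems(parse_key_attr(spec))


if __name__ == "__main__":
    for label, tmpl in (("p11tool2 MKEK", parse_key_attr(PAGE_MKEK_ATTR)),
                        ("dual-use template", DUAL_USE_TEMPLATE)):
        issues = cc_mode_problems(tmpl)
        print(f"{label}: {'OK' if not issues else '; '.join(issues)}")
```

Run as a script it reports the page's p11tool2 template as OK and flags the dual-use template with the CC-mode reason; the same check can be applied to any other KeyAttr string via check_p11tool2_spec before the GenerateKey command is issued.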

  2. Generate the HMAC key using the barbican-manage hsm gen_hmac command.

Console:

# sudo -u stack -E barbican-manage hsm gen_hmac --library-path '/opt/utimaco/lib/libcs_pkcs11_R2.so' --passphrase <CryptoUser_PIN> --slot-id <slot_id> --label 'hmac_utimaco' --length 32


[Figure: HMAC generation (CreatedHMAC.png)]

  3. Verify that the keys were generated on the Utimaco HSM using the p11tool2 ListObjects command.

Console:

# ./p11tool2 Slot=<slot_id> LoginUser=<CryptoUser_PIN> ListObjects


[Figure: Listing HMAC and MKEK with p11tool2 (ListObjects_HMAC_MKEK.png)]