One of the steps of the HSM initialization is generating a new MBK (Master Backup Key), which is used for creating backups, for using external storage and for synchronizing HSM clusters. By default, the MBK is an AES-256 key, though it is also possible to generate a DES MBK with the csadm tool for backward-compatibility reasons.
An MBK must be generated for the HSM to become operational: without an MBK no cryptographic operations can be run.
To generate an MBK:
- Open the Crypto Administration Tool.
- Obtain a permission level of at least 02000000.
- Click Manage MBK to open the Remote Master Backup Key Management window and select the Generate tab.
- Type the name of the MBK in the MBK Name section.
- Select the backup mode of the MBK shares as either XOR or m out of n.
- If m out of n was selected, select the values of m (shares required) and n (shares generated) from the drop-down menus; the defaults are 2 and 3.
- If this MBK also needs to be imported into the HSM at the same time, select the Automatic MBK Import option.
- Click Generate.
- Select whether the MBK shares should be saved on smartcards or as keyfiles by selecting either the Smartcard Token or the Keyfile Token option.
- If you chose to export the MBK shares to smartcards, follow the instructions on the smartcard reader to export all of the m parts.
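The XOR and m-out-of-n backup modes in the procedure above behave very differently when a share goes missing, which matters when deciding how many smartcards or keyfiles to keep and where. The following is an added illustration, not the HSM's own share format or code: XOR splitting requires every one of the n shares, while m-out-of-n splitting (implemented here as Shamir secret sharing over GF(2^8)) recovers the key from any m shares. The 32-byte key, the field arithmetic and the `demo` helper are constructed for this example.

```python
import functools
import itertools
import secrets

# Added illustration of the two MBK share-backup modes (XOR and m out of n).
# This is example code, not the HSM's share format. The key is a constructed
# stand-in for an AES-256 MBK.

KEY_BYTES = 32  # an AES-256 MBK is 32 bytes long


def _xor_all(parts: list[bytes]) -> bytes:
    return bytes(functools.reduce(lambda x, y: x ^ y, col) for col in zip(*parts))


def xor_split(secret: bytes, n: int) -> list[bytes]:
    """n-of-n backup: n-1 random shares, the last one fixes the XOR to `secret`."""
    if n < 2:
        raise ValueError("need at least two shares")
    randoms = [secrets.token_bytes(len(secret)) for _ in range(n - 1)]
    return randoms + [_xor_all(randoms + [secret])]


def xor_combine(shares: list[bytes]) -> bytes:
    """A missing share yields garbage, not an error: XOR mode has no threshold."""
    return _xor_all(shares)


# GF(2^8) arithmetic with the AES reduction polynomial x^8 + x^4 + x^3 + x + 1
def _gf_mul(a: int, b: int) -> int:
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= 0x11B
        b >>= 1
    return r


def _gf_inv(a: int) -> int:
    """a^(2^8 - 2) == a^-1 in GF(2^8); 0 has no inverse."""
    if a == 0:
        raise ZeroDivisionError("no inverse of 0 in GF(2^8)")
    r, p = 1, 254
    while p:
        if p & 1:
            r = _gf_mul(r, a)
        a = _gf_mul(a, a)
        p >>= 1
    return r


def shamir_split(secret: bytes, m: int, n: int) -> list[tuple[int, bytes]]:
    """m-out-of-n backup: share i is (x=i, f(i)) for a random degree m-1
    polynomial per secret byte whose constant term is that byte."""
    if not 2 <= m <= n <= 255:
        raise ValueError("need 2 <= m <= n <= 255")
    # coeffs[j] holds the j-th polynomial coefficient for every byte position
    coeffs = [secret] + [secrets.token_bytes(len(secret)) for _ in range(m - 1)]
    shares = []
    for x in range(1, n + 1):
        y = bytearray()
        for pos in range(len(secret)):
            acc = 0
            for c in reversed(coeffs):  # Horner evaluation of f(x)
                acc = _gf_mul(acc, x) ^ c[pos]
            y.append(acc)
        shares.append((x, bytes(y)))
    return shares


def shamir_combine(shares: list[tuple[int, bytes]]) -> bytes:
    """Lagrange interpolation at x=0 over GF(2^8). With fewer than m shares the
    result is wrong but looks like a valid key, so count shares before trusting it."""
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share index")
    out = bytearray()
    for pos in range(len(shares[0][1])):
        acc = 0
        for j, (xj, yj) in enumerate(shares):
            lagrange = 1
            for k, (xk, _) in enumerate(shares):
                if k != j:
                    # in characteristic 2, subtraction is XOR: (xk - xj) == xk ^ xj
                    lagrange = _gf_mul(lagrange, _gf_mul(xk, _gf_inv(xk ^ xj)))
            acc ^= _gf_mul(yj[pos], lagrange)
        out.append(acc)
    return bytes(out)


def demo(m: int = 2, n: int = 3) -> dict:
    """Run both modes on a constructed key and report which recombinations succeed."""
    mbk = bytes(range(KEY_BYTES))  # constructed stand-in, not a real MBK
    xor_shares = xor_split(mbk, n)
    sss_shares = shamir_split(mbk, m, n)
    return {
        "xor_all_n": xor_combine(xor_shares) == mbk,
        "xor_missing_one": xor_combine(xor_shares[:-1]) == mbk,
        "sss_any_m": all(shamir_combine(list(sub)) == mbk
                         for sub in itertools.combinations(sss_shares, m)),
        "sss_fewer_than_m": shamir_combine(sss_shares[:m - 1]) == mbk,
    }


if __name__ == "__main__":
    print(demo())
```

With the defaults from the procedure (m = 2, n = 3) `demo()` reports that XOR recombination succeeds only with all three shares, while any two of the three m-out-of-n shares recover the key. Note that neither mode signals an error on an incomplete set; it simply produces a wrong key, so the operational check is counting the shares (and their indices) before attempting the import.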