Key labels and key-storage management

Use these verbs to manage AES, DES, PKA, and CMB (combined) key storage.

The CCA software manages key storage as an indexed repository of key records. Access key storage using a key label with verbs that have a key-label or key-identifier parameter.

Each kind of key storage is an independent repository. AES, DES, and PKA key records can be kept in separate key-storage files, or all of them can be kept in a single combined (CMB) key storage:
AES key storage
Holds external, internal, and null AES or HMAC key tokens
DES key storage
Holds external, internal, and null DES key tokens
PKA key storage
Holds external, internal, and null PKA (ECC, QSA, and RSA) key tokens, both public and private
CMB (combined) key storage
Holds external, internal, and null AES, HMAC, DES, and PKA (ECC, QSA, and RSA) key tokens.

Private RSA keys are generated and optionally retained within the coprocessor using the PKA Key Generate verb. Depending on the other uses for coprocessor storage, between 75 and 150 keys can normally be retained within the coprocessor.

Key storage must be initialized before any records are created. Before a key token can be stored in key storage, a key-storage record must be created using the AES Key Record Create, DES Key Record Create, PKA Key Record Create, or Combined Key Record Create verb.

Use the AES Key Record Delete, DES Key Record Delete, PKA Key Record Delete, or Combined Key Record Delete verb to delete a key token from a key record, or to entirely delete the key record from key storage.

Use the AES Key Record List, DES Key Record List, PKA Key Record List, or Combined Key Record List verb to determine which key records exist in key storage. These list verbs create a key-record-list file with information about the selected key records. An asterisk (*) serves as a wildcard character in the key label, so one call can return information about multiple key records. The file can be read using conventional workstation-data-management services.

Individual key tokens can be read using the AES Key Record Read, DES Key Record Read, PKA Key Record Read, and Combined Key Record Read verbs or can be written using the AES Key Record Write, DES Key Record Write, PKA Key Record Write, and Combined Key Record Write verbs.
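The following toy model ties the verbs above into one lifecycle: initialize storage, create a record, write a token into it, list records with a wildcard, read a token back, then delete either the token alone or the whole record. It is an added illustration, not IBM CCA code: the class and method names, the 64-character label limit, the exception type standing in for a CCA return/reason code, the placeholder token bytes, and the in-memory listing (the real List verbs write a key-record-list file) are all assumptions made for the example. The two failure cases it exercises are the ones the text calls out: using storage before it is initialized, and writing a token into a record that was never created.

```python
"""Toy in-memory model of a CCA-style key-storage repository (added example,
not IBM CCA code; layout, label rule and error type are assumptions)."""
import re
from dataclasses import dataclass
from typing import Optional


class KeyStorageError(Exception):
    """Stands in for a non-zero CCA return/reason code (assumption)."""


@dataclass
class KeyRecord:
    label: str
    token: Optional[bytes] = None  # None models a null key token: record exists, no key yet


class KeyStorage:
    """One indexed repository of key records addressed by key label.

    A real configuration keeps separate AES, DES and PKA storage, or one
    combined (CMB) storage; 'kind' only names which one this instance models.
    """

    def __init__(self, kind: str):
        self.kind = kind
        self._records: Optional[dict] = None  # None until initialized

    def initialize(self) -> None:
        self._records = {}

    def _require_init(self) -> dict:
        if self._records is None:
            raise KeyStorageError(f"{self.kind} key storage is not initialized")
        return self._records

    @staticmethod
    def _check_label(label: str) -> None:
        # Assumption: labels are 1..64 characters; '*' is valid only in List patterns.
        if not 1 <= len(label) <= 64 or "*" in label:
            raise KeyStorageError(f"invalid key label {label!r}")

    def record_create(self, label: str) -> None:
        """Key Record Create: the record must exist before a token can be written."""
        records = self._require_init()
        self._check_label(label)
        if label in records:
            raise KeyStorageError(f"record {label!r} already exists")
        records[label] = KeyRecord(label)

    def record_write(self, label: str, token: bytes) -> None:
        """Key Record Write: store a token into an existing record."""
        records = self._require_init()
        self._check_label(label)
        if label not in records:
            raise KeyStorageError(f"no record {label!r}; create it before writing")
        records[label].token = bytes(token)

    def record_read(self, label: str) -> Optional[bytes]:
        """Key Record Read: the stored token, or None for a null token."""
        records = self._require_init()
        if label not in records:
            raise KeyStorageError(f"no record {label!r}")
        return records[label].token

    def record_list(self, pattern: str) -> list:
        """Key Record List: '*' matches any run of characters; all else is literal."""
        records = self._require_init()
        regex = ".*".join(re.escape(part) for part in pattern.split("*"))
        return [(rec.label, rec.token is not None)
                for rec in sorted(records.values(), key=lambda r: r.label)
                if re.fullmatch(regex, rec.label)]

    def record_delete(self, label: str, delete_record: bool = False) -> None:
        """Key Record Delete: clear the token only, or remove the whole record."""
        records = self._require_init()
        if label not in records:
            raise KeyStorageError(f"no record {label!r}")
        if delete_record:
            del records[label]
        else:
            records[label].token = None


def demo() -> dict:
    """Walk one AES storage through create / write / list / read / delete."""
    aes = KeyStorage("AES")
    errors = []
    try:
        aes.record_create("PAYROLL.MAC.KEY01")  # fails: storage not initialized yet
    except KeyStorageError as exc:
        errors.append(str(exc))
    aes.initialize()
    try:
        aes.record_write("PAYROLL.MAC.KEY01", b"\x00")  # fails: record not created yet
    except KeyStorageError as exc:
        errors.append(str(exc))
    for label in ("PAYROLL.MAC.KEY01", "PAYROLL.ENC.KEY01", "HRDATA.ENC.KEY01"):
        aes.record_create(label)
    # Constructed placeholder bytes standing in for a 64-byte AES key token.
    aes.record_write("PAYROLL.MAC.KEY01", b"\x04" + b"\x00" * 63)
    listing = aes.record_list("PAYROLL.*")                      # wildcard listing
    aes.record_delete("PAYROLL.MAC.KEY01")                      # token only: record stays, now null
    aes.record_delete("HRDATA.ENC.KEY01", delete_record=True)   # whole record removed
    return {"errors": errors,
            "payroll_listing": listing,
            "mac_after_token_delete": aes.record_read("PAYROLL.MAC.KEY01"),
            "remaining": [label for label, _ in aes.record_list("*")]}


if __name__ == "__main__":
    print(demo())
```

The distinction in `record_delete` mirrors the two uses of the Key Record Delete verbs: clearing the token leaves a record that List still reports (as a null token), while deleting the record removes the label from storage entirely.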