Key generation steps

This section describes the key generation procedure step-by-step.

Key generation is conducted outside of Safer Payments with the keygen tool.

In summary

  1. You must generate master keys.
  2. The master keys are stored at a safe place and are never used by the Safer Payments software.
  3. The master keys are used to generate usage keys and an empty no-fly list.
  4. Only usage keys and the no-fly list are used by the Safer Payments software.
  5. If you want to obtain a PA-DSS certification at a future date, keep in mind that any storage media that is used to store or distribute keys is in scope of PA-DSS requirement 2.5.2.
  6. When the storage media is no longer required, it must be securely wiped or destroyed. See Using a secure wipe tool for details.
  7. You must protect and store all keys securely.

Prerequisites

Use a separate PC that is not connected to the internet to generate keys. To avoid dedicating an entire PC to the occasional key generation process, you can use a PC that is started from an OS boot CD. This has the advantage that, even if the PC is only temporarily disconnected from the internet, no malware can have logged any of your data.
Note: You can use a 64-bit RHEL/CentOS OS.

Obtain key generator

Keygen is provided as part of a Safer Payments installation and is located in /usr/bin/keygen. Its integrity is checked when you download and verify the installation image.

Copy the keygen tool to a portable storage medium, such as a memory card or USB stick.