Key generation steps

Use the keygen program to generate master keys and usage key triplets.

Key generation is conducted outside of IBM® Safer Payments with the keygen tool.

The process involves the following steps:

  1. You must generate master keys.
  2. The master keys are stored at a safe place and are never used by the IBM Safer Payments software.
  3. The master keys are used to generate usage keys and an empty no-fly list.
  4. Only usage keys and the no-fly list are used by the IBM Safer Payments software.
  5. If you want to obtain a PA-DSS certification at a future date, keep in mind that any storage media that is used to store or distribute keys is in scope of PA-DSS requirement 2.5.2.
  6. When the storage media is no longer required, it must be securely wiped or destroyed. For more information, see Running a secure wipe tool.
  7. You must protect and store all keys securely.

Prerequisites

Use a separate PC that is not connected to the internet to generate keys. To not block a complete PC for the occasional key generation process, you can use a PC that is started from an OS boot CD. The advantage is that even if you disconnect the PC temporarily from the internet, no malware logged your data.
Note: You can use RHEL/CentOS 64-bit OS.

Obtain key generator

The keygen program is provided as part of a IBM Safer Payments installation and is located in /usr/bin/keygen. Its integrity is checked when you download the installation image. For more information, see Downloading the installation image.

Copy the contents to a portable memory location such as a memory card or USB stick.