
I am going through the Thales HSM manuals, and frankly the key acronyms are driving me crazy. I would like to understand the differences between the following keys, and how they relate to one another:

  • LMK
  • TMK/TPK/TAK/TEK
  • ZMK/ZPK/ZAK/ZEK
  • DEK
  • KEK

I know that in terms of "hierarchy" (if that's the right term to use), LMK > TMK/ZMK > TPK/ZPK...and that's it. Specifically, I would also like to know:

  1. Which key should I use if I'm looking for general purpose encryption/decryption? How about key wrapping?

  2. Can zone keys and terminal keys be used interchangeably (e.g. TPK and ZPK)?

kai

1 Answer


LMK is the Local Master Key, which is the root key protecting all the other keys. This LMK is generated from 3 components and divided onto 3 smart cards. The LMK is responsible for encrypting all the other keys. The LMK is stored in the clear in the HSM's secure area.

  1. Which key should I use if I'm looking for general purpose encryption/decryption? How about key wrapping?

For this, you can use a TPK, which will be used for encryption and decryption.

The process will be as below:

  1. Generate a TPK
  2. Encrypt the TPK under the TMK; this will create the TWK
  3. The TMK will be injected
  4. The TWK will be defined at code level or in a profile
  5. When something needs to be encrypted, the TWK will be decrypted with the TMK to recover the TPK, the TPK will encrypt, and vice versa

  2. Can zone keys and terminal keys be used interchangeably (e.g. TPK and ZPK)?

Zone keys are designed to exchange keys between HSMs. You can wrap a TPK under a ZPK and share it.

Andrew T.
VinRocka
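The wrapping chain the answer walks through (TPK generated under the LMK, re-wrapped under a TMK for the terminal, recovered again via the TMK, and then shared with a second HSM under a ZPK) as an added example in Go. This is not code from the original answer and not the Thales payShield key-block or variant-LMK format: it is a simplified model in which AES-GCM stands in for the HSM's wrapping cipher, so a blob presented to an HSM holding a different LMK fails authentication instead of decrypting to garbage. The `HSM` type, its methods and the `Walkthrough` function are names chosen for the example, and the PIN block is constructed sample data.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// HSM is a simplified model (not the payShield format): the LMK is held in
// the clear only inside the device, and every key the host sees is an
// LMK-encrypted blob.
type HSM struct{ lmk []byte }

func NewHSM(lmk []byte) *HSM { return &HSM{lmk: lmk} }

// gcm stands in for the HSM's wrapping cipher; GCM's tag makes a blob wrapped
// under the wrong key fail rather than decrypt to garbage.
func gcm(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal returns nonce || ciphertext || tag under key.
func seal(key, pt []byte) ([]byte, error) {
	aead, err := gcm(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, pt, nil), nil
}

func open(key, blob []byte) ([]byte, error) {
	aead, err := gcm(key)
	if err != nil {
		return nil, err
	}
	n := aead.NonceSize()
	if len(blob) < n {
		return nil, errors.New("blob too short")
	}
	return aead.Open(nil, blob[:n], blob[n:], nil)
}

// GenerateKey makes a random 128-bit key and returns it wrapped under the
// LMK; the clear key never leaves the function.
func (h *HSM) GenerateKey() ([]byte, error) {
	k := make([]byte, 16)
	if _, err := rand.Read(k); err != nil {
		return nil, err
	}
	return seal(h.lmk, k)
}

// LoadComponents XORs clear components (as custodians would enter a ZPK)
// and stores the result under the LMK.
func (h *HSM) LoadComponents(parts ...[]byte) ([]byte, error) {
	k := make([]byte, 16)
	for _, p := range parts {
		if len(p) != 16 {
			return nil, errors.New("component must be 16 bytes")
		}
		for i := range k {
			k[i] ^= p[i]
		}
	}
	return seal(h.lmk, k)
}

// ExportKey re-wraps a key from the LMK to a transport key (TMK or ZPK) so it
// can leave the HSM; the host only ever handles the two blobs.
func (h *HSM) ExportKey(keyUnderLMK, kekUnderLMK []byte) ([]byte, error) {
	key, err := open(h.lmk, keyUnderLMK)
	if err != nil {
		return nil, err
	}
	kek, err := open(h.lmk, kekUnderLMK)
	if err != nil {
		return nil, err
	}
	return seal(kek, key)
}

// ImportKey is the inverse: a key received under a TMK or ZPK is re-wrapped
// under this HSM's own LMK for local storage.
func (h *HSM) ImportKey(keyUnderKEK, kekUnderLMK []byte) ([]byte, error) {
	kek, err := open(h.lmk, kekUnderLMK)
	if err != nil {
		return nil, err
	}
	key, err := open(kek, keyUnderKEK)
	if err != nil {
		return nil, err
	}
	return seal(h.lmk, key)
}

// EncryptData and DecryptData use an LMK-wrapped working key (e.g. a TPK)
// inside the device.
func (h *HSM) EncryptData(keyUnderLMK, data []byte) ([]byte, error) {
	key, err := open(h.lmk, keyUnderLMK)
	if err != nil {
		return nil, err
	}
	return seal(key, data)
}

func (h *HSM) DecryptData(keyUnderLMK, blob []byte) ([]byte, error) {
	key, err := open(h.lmk, keyUnderLMK)
	if err != nil {
		return nil, err
	}
	return open(key, blob)
}

// Walkthrough follows the answer's steps on HSM A, then shares the TPK with
// HSM B under a ZPK. It returns the plaintext recovered on B and whether B
// rejected A's LMK-wrapped blob (different LMK, so it must).
func Walkthrough() (string, bool, error) {
	lmkA, lmkB := make([]byte, 16), make([]byte, 16)
	rand.Read(lmkA)
	rand.Read(lmkB)
	hsmA, hsmB := NewHSM(lmkA), NewHSM(lmkB)

	// Zone key established out of band: same two components on both HSMs.
	c1, c2 := make([]byte, 16), make([]byte, 16)
	rand.Read(c1)
	rand.Read(c2)
	zpkA, _ := hsmA.LoadComponents(c1, c2)
	zpkB, _ := hsmB.LoadComponents(c1, c2)

	tmk, _ := hsmA.GenerateKey()            // step 3's TMK, injected into the terminal
	tpk, _ := hsmA.GenerateKey()            // step 1: TPK under LMK
	twk, _ := hsmA.ExportKey(tpk, tmk)      // step 2: TPK under TMK (the answer's "TWK")
	tpkAgain, _ := hsmA.ImportKey(twk, tmk) // step 5: TWK decrypted with TMK gives back the TPK

	pinBlock := []byte("constructed PIN block") // constructed sample data
	ct, err := hsmA.EncryptData(tpkAgain, pinBlock)
	if err != nil {
		return "", false, err
	}

	// Zone exchange: TPK wrapped under the ZPK at A, imported at B.
	tpkUnderZPK, _ := hsmA.ExportKey(tpk, zpkA)
	tpkB, err := hsmB.ImportKey(tpkUnderZPK, zpkB)
	if err != nil {
		return "", false, err
	}
	pt, err := hsmB.DecryptData(tpkB, ct)
	if err != nil {
		return "", false, err
	}

	_, crossErr := hsmB.DecryptData(tpk, ct) // A's LMK blob is meaningless at B
	return string(pt), crossErr != nil, nil
}

func main() {
	pt, rejected, err := Walkthrough()
	fmt.Println(pt, rejected, err)
}
```

The point the model makes concrete is that the host never holds a clear key: a TMK/ZMK only exists to carry a TPK/ZPK between devices, and a ZPK is what lets a second HSM (with its own LMK) import that TPK, which an LMK-wrapped blob from the first HSM cannot do.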