Initializing Internal Keys
An internal key must be generated before a user application calls an API in libsdf.so to access the internal key. To ease internal key management, this module provides a key management tool to help users create, delete, modify, query, import, and export keys, and restore factory settings.
In addition, the key management tool allows for internal key trustlist configuration to enhance security, which ensures that only applications in the trustlist can access internal keys.
- Copy libsdf.so in BoostKit-ccos_1.1.zip to the system library path.
cp -rf libsdf.so /lib64/
- Copy tee-key_manage in BoostKit-ccos_1.1.zip to any directory on the server host, add the execute permission, and use the sudo command to access the tool home page.
sudo cp /lib64/libboundcheck.so /lib64/libsecurec.so sudo chmod +x tee_key_manage sudo ./tee_key_manage
- Press the up or down arrow key to move the arrow to the desired option, and press Enter.
- Creating a key: For example, choose , and enter the key index and password.
When you create an internal key, the tool checks the password complexity. The password must contain more than eight characters, including at least two types of the following characters: uppercase letters, lowercase letters, digits, and special characters.
- Querying a key: For example, choose , and enter the key index.
- Changing the user key password: Choose Modify Key Password, and enter the key index, old password, and new password as prompted.
The new password must be different from the old password.
- Deleting a key: For example, choose , and enter the key index.
- Exporting a key: For example, choose , and enter the key index and salt value.
You need to enter the salt value for key encryption. Upon successful execution, the .bin file of the key with the corresponding index is generated in the current tee_key_manage execution path.
- Files for exporting a user key: 000xxxxx.bin (encryption key) and 800xxxxx.bin (signature key), where xxxxx indicates the index value.
- File for exporting a KEK: 003xxxxx.bin
- Importing a key: For example, choose , and enter the key index and salt value.
Before importing a key, ensure that the .bin files of exported keys exist in the current path. You can import the key successfully only when index value in the .bin file name is the same as the entered index value, and the entered salt value is the same as that during export.
- Adding the key access permission for a CA: Choose Add Access Right, and enter the key index, password, CA path, and user name.
- To ensure the security of keys in the cryptographic module, a trustlist is configured, which lists the paths of applications that can access the keys. Only applications in the trustlist can call SDF_GetPrivateKeyAccessRight to access internal keys. The path, whether relative or absolute, must be the same as that entered in the command.
- If an attacker fails to access an internal key through an application whose path is included in the trustlist after entering incorrect passwords for 100 consecutive times, the key access permission for the path will be deleted.
- If the number of consecutive failures reaches 500, the cryptographic module is considered to be under attack and is unavailable. In this case, restore the cryptographic module to its factory settings to clear all keys before using the module again.
- Deleting the key access permission for a CA: Choose Delete Access Right, and enter the key index, password, CA path, and user name.
- Restoring factory settings: Choose Factory Reset. The process is time-consuming. Wait patiently.
- Creating a key: For example, choose , and enter the key index and password.