Hacker News

You're describing backups. The base derivation keys still have to exist in an HSM to be used. No one is opening a safe and hand-typing the BDK each time they need to issue a PIN encryption key.



It is not a backup. Backups are made just in case.

In the case of HSM keys, the HSM itself is built to lose those keys at the least pretense. It is also not possible to retrieve the keys.

So whenever you want to provision a new HSM or even just move it a couple of centimeters (it loses keys when you try to move it), you have to go to the components written on paper.

It is just like a password on a website -- you have to be entering it regularly. But once you enter the password you don't need to retype it for every HTTP request.

Key components = password
HSM = browser
Message with PIN block = HTTP request



