Create a key

1. Key Management & Key List

Key4C can generate and manage KEKs (Key Encryption Keys). A KEK encrypts the DEK (Data Encryption Key), which in turn encrypts Secrets. This layering is essential for strengthening the security of Secrets in Kubernetes environments.

① From the left-hand menu, select [Key Management].

② On the right-hand screen, you will see [Key List] and [Create Key] buttons.

Key List

  • Label : A user-defined identifier entered during key creation.

  • KCV : Key Check Value, a value for verifying key integrity.

  • Algorithm : The algorithm selected when creating the key.

  • Key_ID : The unique ID automatically assigned to each key.

  • Created Date : The date the key was generated.

Click the [Create Key] button to go to the key creation screen.


2. Key Creation

This is the screen for generating a KEK (Key Encryption Key). Keys are generated securely using an HSM, and the generation method can be chosen by the user.

Algorithm

  • Only AES symmetric keys can be generated.

Key Generation Type

  • Auto Generation (Random): The key is generated directly inside the HSM and never leaves it. This is the most secure and recommended method.

  • Manual Generation (Import): A key generated externally can be uploaded as a component file and stored securely. Useful for key sharding or externally controlled environments.

Auto Generation is the default and recommended option for optimal security.

Label

  • A user-defined identifier to help distinguish each key. (Example : AES_128)

Key Length (bits)

  • Available when AES is selected.

  • Supported lengths : 128, 192, 256


2-1. Auto Generation

① Select the Algorithm and set the Generation Type to Auto.

② Enter a Label to identify the key.

③ Choose the Key Length (for AES).

④ Click the [Create] button to generate the key. The key will be added to the Key List.

2-2. Manual Generation

① Select the Algorithm and set the Generation Type to Manual.

② Enter a Label to identify the key.

③ Select the key length.

④ Select the KCV calculation type.

Detailed description of KCV calculation types

Users can manually input key Component values to directly generate a Combined Key. This feature is useful when you need to directly construct a key using Component values provided externally during key exchange.

  • [ALL] : 0x00. For all keys, the KCV is calculated by setting each byte, over the symmetric key length, to 0x00 and then encrypting.

  • [ALL] : 0x01. For all keys, the KCV is calculated by setting each byte, over the symmetric key length, to 0x01 and then encrypting.

  • [DES/TDES/SEED] : 0x00, [AES/ARIA] : 0x01. Method used for GSMA cooperation, applicable only to AES/ARIA keys.

  • [DES/TDES/SEED] : 0x00, [AES] : CMAC. Uses CMAC, which is NIST's standard algorithm. Mainly used in the financial services sector.

⑤ Generate a Combined key.

Detailed description of Combined key generation

  • Enter the key Component value in the Component1 input field. (Hex String format)

  • For each Component, click the [KCV Check] button to individually verify the KCV value of that Component. If the KCV value doesn't match, there may be an issue with the key combination, so it should be rechecked. You can click the [Reset] button to clear the Component input field and re-enter the values.

  • If needed, click the [Add Component] button to add up to 3 Component values. You can generate a key by combining a minimum of 1 and maximum of 3 Component values.

  • Once all Component inputs are completed, click the [Combine] button to generate a Combined key from the entered Components. If the key is created successfully, a 'Success' indication will appear, and you can verify the KCV value.

⑥ When you click the [Generate] button, the Combined key is securely stored and added to the key list.
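The KCV check and component combination from section 2-2, as an added example that is not Key4C code: it computes a KCV for the 0x00 and 0x01 calculation types and combines 1 to 3 hex Components, so the values can be checked before they are entered. Assumptions not stated on this page: Components are combined by XOR, the KCV is the first 6 hex digits of one encrypted 16-byte block, and all function names are hypothetical. AES is written inline so that only the Python standard library is needed, and the CMAC type is not covered.

```python
def _xtime(a):                        # multiply by 2 in GF(2^8)
    return ((a << 1) ^ 0x1B) & 0xFF if a & 0x80 else a << 1

def _make_sbox():                     # derive the AES S-box instead of hardcoding it
    sbox, p, q = [0x63] * 256, 1, 1   # index 0 is never written and keeps 0x63
    rot = lambda x, n: ((x << n) | (x >> (8 - n))) & 0xFF
    while True:
        p ^= _xtime(p)                # p *= 3
        for s in (1, 2, 4):           # q /= 3, keeping p * q == 1
            q = (q ^ (q << s)) & 0xFF
        q ^= 0x09 if q & 0x80 else 0
        sbox[p] = q ^ rot(q, 1) ^ rot(q, 2) ^ rot(q, 3) ^ rot(q, 4) ^ 0x63
        if p == 1:
            return sbox
SBOX = _make_sbox()

def _expand(key):                     # FIPS-197 key schedule, flattened to bytes
    nk, rcon = len(key) // 4, 1
    w = [list(key[4 * i:4 * i + 4]) for i in range(nk)]
    for i in range(nk, 4 * (nk + 7)):
        t = w[-1]
        if i % nk == 0:
            t = [SBOX[b] for b in t[1:] + t[:1]]
            t[0], rcon = t[0] ^ rcon, _xtime(rcon)
        elif nk == 8 and i % nk == 4:
            t = [SBOX[b] for b in t]
        w.append([a ^ b for a, b in zip(w[i - nk], t)])
    return [b for word in w for b in word]

def aes_encrypt_block(key, block):    # teaching code, not constant-time
    rk = _expand(key)
    last = len(rk) // 16 - 1
    s = [a ^ b for a, b in zip(block, rk[:16])]
    for r in range(1, last + 1):
        s = [SBOX[s[5 * i % 16]] for i in range(16)]   # SubBytes + ShiftRows
        if r < last:                                   # MixColumns
            s = [c[i] ^ c[0] ^ c[1] ^ c[2] ^ c[3] ^ _xtime(c[i] ^ c[(i + 1) % 4])
                 for c in [s[j:j + 4] for j in range(0, 16, 4)] for i in range(4)]
        s = [a ^ b for a, b in zip(s, rk[16 * r:16 * r + 16])]
    return bytes(s)

def kcv(key, fill=0x00, digits=6):    # assumption: one block, first 6 hex digits
    return aes_encrypt_block(key, bytes([fill]) * 16).hex().upper()[:digits]

def combine(components_hex):          # assumption: components are XORed together
    parts = [bytes.fromhex(c) for c in components_hex]
    if not 1 <= len(parts) <= 3 or {len(p) for p in parts} not in ({16}, {24}, {32}):
        raise ValueError("need 1 to 3 components of one AES key length")
    # Zero-filled padding components leave the XOR unchanged.
    return bytes(a ^ b ^ c for a, b, c in zip(*(parts + [bytes(32)] * 2)[:3]))
```

Run `kcv(bytes.fromhex(component))` on each Component and `kcv(combine([...]))` on the result, then compare them with the values the sender supplied out of band.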


3. Key Details

You can check the detailed information of the generated key.

Key Information

  • Label : The identifier entered by the user when creating the key.

  • KCV : The KCV value of the generated key.

  • Algorithm : The algorithm selected at the time of key creation. (Only AES generation is possible)

  • Key_ID : A unique ID automatically assigned to the key.

  • Length (bits) : The key length selected when using the AES algorithm.

  • Created Date : The date the key was generated.

Delete Key

  • If a key is no longer needed, click the [Delete Key] button at the top right of the screen to remove it.