Discuss this help topic in SecureBlackbox Forum

Use hardware keys for symmetric encryption

Besides files and database records, persistent symmetric keys can be stored on hardware cryptographic tokens. You can use such keys to encrypt or decrypt data with TElSymmetricCrypto in exactly the same way as you do with in-memory keys; the key bytes themselves stay on the token, and the only difference is in how you obtain the corresponding TElSymmetricKeyMaterial object.

To obtain the key object from the device, perform the following steps; the procedure is similar to accessing hardware-based certificates and private keys:

  1. Create a TElPKCS11CertStorage object (SBPKCS11CertStorage namespace):

     TElPKCS11CertStorage storage = new TElPKCS11CertStorage();

  2. Open the storage and a session, and (optionally) sign in:

     storage.DLLName = "mypkcs11.dll";   // the vendor's PKCS#11 module
     storage.Open();
     TElPKCS11SessionInfo session = storage.OpenSession(0, true);   // slot 0
     session.Login(SBPKCS11Base.Unit.utUser, "1111");   // user PIN (sample value)

  3. Iterate over TElPKCS11CertStorage's Keys[] property looking for your symmetric key (the code below assumes there is just one symmetric key on the token and takes the first one it finds):

     TElSymmetricKeyMaterial km = null;
     for (int i = 0; i < storage.KeyCount; i++)
     {
       // Keys[] holds every key object on the token; only symmetric ones
       // can be attached to TElSymmetricCrypto, so skip the others.
       if (storage.get_Keys(i) is TElSymmetricKeyMaterial)
       {
         km = (TElSymmetricKeyMaterial)storage.get_Keys(i);
         break;
       }
     }

  4. Optionally set an IV and attach the key object to the crypto object as you do with in-memory keys:

     km.IV = iv;
     crypto.KeyMaterial = km;

That's it. Now you can proceed to encryption or decryption as usual.
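The four steps combined into one routine, as an added example that is not part of the original help page or of SecureBlackbox's own sample code. The PKCS#11 calls and the key lookup are the ones shown in the steps above; the TElSymmetricCrypto constructor arguments, the stream-based Encrypt overload, the Logout/CloseSession/Close cleanup calls and the 16-byte IV size (AES block size) are assumptions made for the example.

```csharp
using System;
using System.IO;
using System.Security.Cryptography;
using SBPKCS11Base;
using SBPKCS11CertStorage;
using SBSymmetricCrypto;

// Added example (not SecureBlackbox sample code). It strings the four steps
// together and adds what a caller would want around them: fail clearly when
// the token holds no symmetric key, generate a fresh IV for every message,
// and release the session and module even when something throws.
public static class HardwareKeyEncryption
{
    // Assumptions not stated on the help page: the TElSymmetricCrypto
    // constructor taking an algorithm constant and a mode, the stream-based
    // Encrypt overload, and the Logout/CloseSession/Close cleanup methods.
    public static byte[] EncryptWithTokenKey(string pkcs11ModulePath, string userPin,
                                             byte[] plaintext, out byte[] iv)
    {
        TElPKCS11CertStorage storage = new TElPKCS11CertStorage();
        TElPKCS11SessionInfo session = null;
        try
        {
            // Steps 1 and 2: load the vendor's PKCS#11 module, open slot 0, log in.
            storage.DLLName = pkcs11ModulePath;
            storage.Open();
            session = storage.OpenSession(0, true);
            session.Login(SBPKCS11Base.Unit.utUser, userPin);

            // Step 3: locate the symmetric key object. The key bytes never leave
            // the token; the key material object is only a handle to them.
            TElSymmetricKeyMaterial km = null;
            for (int i = 0; i < storage.KeyCount; i++)
            {
                if (storage.get_Keys(i) is TElSymmetricKeyMaterial)
                {
                    km = (TElSymmetricKeyMaterial)storage.get_Keys(i);
                    break;
                }
            }
            if (km == null)
                throw new InvalidOperationException("No symmetric key object found on the token");

            // Step 4: a fresh random IV for this message (one AES block).
            // The IV is not secret and is returned so it can be stored next to
            // the ciphertext; what must never happen is reusing an IV with the
            // same key, which is why it is generated here rather than fixed.
            iv = new byte[16];
            using (RandomNumberGenerator rng = RandomNumberGenerator.Create())
                rng.GetBytes(iv);
            km.IV = iv;

            // Assumed constructor and Encrypt overload (see note above).
            TElSymmetricCrypto crypto = new TElSymmetricCrypto(
                SBConstants.Unit.SB_ALGORITHM_CNT_AES256, TSBSymmetricCryptoMode.cmCBC);
            crypto.KeyMaterial = km;

            using (MemoryStream input = new MemoryStream(plaintext))
            using (MemoryStream output = new MemoryStream())
            {
                crypto.Encrypt(input, output, plaintext.Length);
                return output.ToArray();
            }
        }
        finally
        {
            // Release the token session and the module whether or not encryption succeeded.
            if (session != null)
            {
                session.Logout();
                session.CloseSession();
            }
            storage.Close();
        }
    }
}
```

Decryption follows the same path: obtain the same key object from the token, set km.IV to the IV that was stored with the ciphertext, and call the Decrypt counterpart instead of Encrypt. Because the key handle is only valid while the session is open, the crypto operation has to run before the cleanup in the finally block, which is why encryption happens inside the try rather than after the key is returned.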

