Product Documentation

This section assumes that the HSM has already been prepared for accepting sensitive key material by being cleared and reloaded.

Restoring a clean HSM to production readiness takes two primary steps. The first step is to load the MBK onto the HSM from the MBK smart card backups. Once the MBK is loaded, encrypted backups can be loaded into the HSM.

  1. Log in to CAT with the default ADMIN.

  2. Click the menu option Manage → Master Backup Key.

  3. Change to the Import tab.

  4. Leave MBK Type as AES (32 bytes) and m (shares) as 2.

  5. Click Import.

  6. The Master Backup Key (MBK): Share Import window lets you import the MBK backup from either smart cards or keyfiles. Leave the selection as MBK Smartcard Token and click OK.

  7. Use any two MBK smart cards from the six MBK cards originally created. The chosen MBK smart card holder must then follow the directions on the smart card reader.

  8. Once CAT is done with this share, it will move on to the second share. Import the second share to finish the process.

  9. After finishing the MBK import, close the Remote Master Backup (MBK) Management window, then open it again with the menu option Manage → Master Backup Key. The window must be closed and reopened to refresh the information in the Info tab (it is not automatically refreshed after generating an MBK).

  10. Now select the Info tab.

  11. The Info tab shows details about this MBK. Verify the MBK KeyCheck Value is the same as when it was first generated.