The MBK is the primary encryption key used by HSM to create and restore backups. The MBK is considered so critical to the life cycle of the HSM that an HSM must have an MBK loaded before it will even accept sensitive key material.
Login to CAT with the default ADMIN.
Then select the menu option Manage → Master Backup Key:
The Remote Master Backup Key (MBK) Management window defaults to the Generate tab. This tab allows the MBK to be backed up on smart cards. Each smart card will hold a portion of the key data using a secret sharing algorithm. While the smart cards provided with the HSM are capable of holding both an Administration credential and a share of the MBK, It is recommended not to mix MBK and admin credentials on the same smart card so as to keep the role of each individual smart card clear. For this step take out six (6) new smart cards to hold shares of the MBK. To restore the MBK on an HSM requires any combination of 2 cards from the 6 being made.
From this window, enter a label from the MBK in the MBK Name field. It can be anything, but the above example uses SAKAMBK.
Leave the radio button as m out of n.
Under m (Shares) leave the default value of 2. This value determines the minimum number of Shares required to reassemble the MBK.
Under n (Shares), select the value 6. This determines the number of shares to create.
Lastly, check the box for Automatic MBK Import.
Once finished, click Generate...:
The Master Backup Key (MBK): Share Storage window allows a choice between creating the MBK backup on smart cards or keyfiles. Leave the selection as MBK Smartcard Token and click OK.
The MBK smart card holder must then follow directions on the smart card reader. It will prompt for the MBK PIN for that smart card, which should be the default: 123456. Once CAT is done with this share, it will move on to the next share. Continue this process until all shares have been generated.
After completing MBK generation, close the Remote Master Backup (MBK) Management window. Then open it again with the menu option Manage → Master Backup Key. It must be closed and opened again to refresh the information in the Info tab; it is not automatically refreshed after generating an MBK.
Now select the Info tab:
The Info tab shows details about this MBK. The HSM is capable of storing multiple MBKs but there will only ever be one. View all the details of the MBK under the MBKs store in the CryptoServer panel. The most important value is the KeyCheck Value, which uniquely identifies this key. Record this value so it can be checked whenever the MBK is imported into a new HSM.