On machines using an HSM, SAKA generates a single 521-bit EC asymmetric key pair—called the HSM Root Key (HRK)—within the HSM during its initialization. The HRK is stored inside the HSM but, unlike with the TPM, it can leave the HSM when encrypted. This feature is used to clone the key from the Primary SAKA to others at a site. The HRK is used to encrypt other objects—usually cryptographic keys. All such encrypted objects are stored within the HSM's internal database and can only be decrypted with the proper authorization. The software libraries interacting with the HSM handle such details.
SAKA instances using the HSM require two (2) HSM Administrators to be present to perform HRK key management functions—generation, export, import, etc. Their Personal Identification Numbers (PINs) to the HSM ensure that the knowledge needed to access all keys—including the symmetric encryption keys that encrypt sensitive data—is split across multiple Administrators. The three (3) Key Custodians use the KC SetPIN Tool to activate the HSM from remote locations; see 11—KAM-KCSetPINTool for more details on KCSetPINTool.
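
The two-Administrator rule described above, modeled as an added example (not SAKA's or the HSM vendor's code): an HRK operation is authorized only when two distinct Administrators each present a correct PIN. The Administrator names, PINs, function names and PBKDF2 parameters are assumptions made for the illustration.

```python
import hashlib
import hmac
import os

# HRK key management functions named in the text above.
HRK_OPERATIONS = {"generate", "export", "import"}
REQUIRED_ADMINS = 2          # two HSM Administrators must be present
PBKDF2_ROUNDS = 100_000      # assumed work factor for this model


def pin_hash(pin: str, salt: bytes) -> bytes:
    """Derive a slow, salted verifier so stored records do not reveal PINs."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, PBKDF2_ROUNDS)


def enroll(admins: dict, name: str, pin: str) -> None:
    """Store (salt, verifier) for an Administrator; the PIN itself is not kept."""
    salt = os.urandom(16)
    admins[name] = (salt, pin_hash(pin, salt))


def verify_admin(admins: dict, name: str, pin: str) -> bool:
    """Check one Administrator's PIN with a constant-time comparison."""
    record = admins.get(name)
    if record is None:
        pin_hash(pin, b"\x00" * 16)  # do the same work for unknown names
        return False
    salt, expected = record
    return hmac.compare_digest(pin_hash(pin, salt), expected)


def authorize_hrk_operation(admins: dict, operation: str, presented: list) -> bool:
    """Allow an HRK operation only if two *distinct* Administrators verify.

    `presented` is a list of (name, pin) pairs. Collecting verified names in
    a set means one Administrator entering a PIN twice still counts once.
    """
    if operation not in HRK_OPERATIONS:
        raise ValueError(f"not an HRK key management function: {operation}")
    verified = {name for name, pin in presented if verify_admin(admins, name, pin)}
    return len(verified) >= REQUIRED_ADMINS


# Constructed sample data: two hypothetical Administrators and PINs.
ADMINS = {}
enroll(ADMINS, "admin-a", "4821-constructed")
enroll(ADMINS, "admin-b", "7306-constructed")
```
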