Every domain contains three types of symmetric keys, all encrypted by the EDK:
Data encryption keys (DEKs)—AES cryptographic keys with the default size of 256 bits. These keys are used to encrypt data SAKA receives. The default can be changed to 128 or 192 bits through the DACTool.
Data HMAC keys (HMAC Keys or DHKs)—256-bit cryptographic keys used to generate hash-based message authentication codes (HMACs) of unencrypted data. SAKA uses HMAC keys to determine the integrity of sensitive data before and after a cryptographic operation. SAKA supports four different key sizes and algorithms for generating an HMAC: HmacSHA224, HmacSHA256, HmacSHA384 and HmacSHA512. The default algorithm is HmacSHA256, but sites may change this through the DACTool.
Password HMAC keys (PWD keys, PWD HMAC keys)—256-bit cryptographic keys used to generate HMACs of user passwords in the internal database for subsequent matching. Like the Data HMAC keys, the Password HMAC keys support the four algorithms listed above.
Decrypting any symmetric key within an encryption domain requires the cryptographic hardware module to have been activated by the Key Custodians at startup. Until the hardware module is activated, no cryptographic key can be used, and thus, the cryptographic web services are unavailable to applications even if the application server is working and listening for requests. The only action SAKA will accept in that state is to receive activation commands from Key Custodians.
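The following Python sketch illustrates the two HMAC uses and the activation gate described above; it is an added example, not SAKA code. The DomainKeys class, its method names and the randomly generated keys are assumptions made for illustration, and custodian activation is reduced to a single call.

```python
import hashlib
import hmac
import secrets

# Algorithm names from the text, mapped to Python's hashlib constructors.
ALGORITHMS = {
    "HmacSHA224": hashlib.sha224,
    "HmacSHA256": hashlib.sha256,
    "HmacSHA384": hashlib.sha384,
    "HmacSHA512": hashlib.sha512,
}

class ModuleNotActivated(Exception):
    """Raised when a key is used before the hardware module is activated."""

class DomainKeys:
    """Hypothetical stand-in for the HMAC keys of one encryption domain."""

    def __init__(self, algorithm="HmacSHA256"):
        if algorithm not in ALGORITHMS:
            raise ValueError(f"unsupported HMAC algorithm: {algorithm}")
        self.algorithm = algorithm
        self._dhk = secrets.token_bytes(32)  # constructed 256-bit data HMAC key
        self._pwd = secrets.token_bytes(32)  # constructed 256-bit password HMAC key
        self._activated = False

    def activate(self):
        # Assumption: stands in for the Key Custodians' activation at startup.
        self._activated = True

    def _mac(self, key, message):
        if not self._activated:
            raise ModuleNotActivated("no key can be used until activation")
        return hmac.new(key, message, ALGORITHMS[self.algorithm]).digest()

    def data_hmac(self, plaintext):
        # Computed over the unencrypted data and stored beside the ciphertext.
        return self._mac(self._dhk, plaintext)

    def verify_data(self, plaintext, stored_tag):
        # Recomputed after decryption; constant-time comparison of the tags.
        return hmac.compare_digest(self.data_hmac(plaintext), stored_tag)

    def password_hmac(self, password):
        return self._mac(self._pwd, password.encode("utf-8"))

    def password_matches(self, candidate, stored_tag):
        # Matches a login attempt against the HMAC held in the database.
        return hmac.compare_digest(self.password_hmac(candidate), stored_tag)
```

The separate data and password keys mean a tag computed for one purpose never verifies for the other, even over identical bytes.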