This topic describes the CyberArk Key Generator (PAKeyGen) utility, and how to generate, configure, and troubleshoot the utility. For information about system requirements, see CyberArk Key Generator utility.

The CyberArk Key Generator utility (PAKeyGen) enables you to create a set of two unique encryption keys: the server key is a 256-bit symmetric key, and the recovery keys are a 2048-bit asymmetric key pair. These keys are located in two separate folders:

Operator: This folder contains the server key and the public recovery key.
Master: This folder contains the server key, the public recovery key, and the private recovery key.

The Operator folder is required to start the Vault server, as it holds the server key that is the anchor to the Vault's encryption chain. The Master folder should be securely stored in a physical safe.

The security of the Vault relies heavily on the strength, protection, and controlled accessibility of the keys. If an unauthorized party compromises either the server key or the private recovery key, they may be able to decrypt all the information that is stored on the Vault server, or in a backup location. For this reason, it is essential to generate strong, hard-to-guess keys, and protect them with controlled access.

To create strong keys, a true random number generator must be used. The PAKeyGen utility supports hardware random number generators that use the PKCS#11 interface.

All traces of the key generation procedure must be destroyed. PAKeyGen and other utilities used throughout this procedure may leave key data in temporary files or in page files. Key files deleted using standard utilities can be recovered easily. Therefore, make sure this data is permanently deleted.

All other authorized copies of the keys must be protected physically, and a procedure must be set up to ensure that only authorized people can access the keys.

If the server key is lost, the Vault server will not start. If the private recovery key is lost, it may be difficult or impossible to restore some or all of the data stored in the Vault in case of emergency. CyberArk recommends making two copies of both folders created by the PAKeyGen utility, Operator and Master. The copies should be kept in separate physical locations. The Master folder should be kept separately from the Vault server, as it is not required for daily Vault operations. The copies of the keys require a high level of protection, such as a locked safe.

CyberArk provides the following parameter usage:

- Use the RSA-2048 algorithm to follow security best practices.
- The full path name to the folder of the generated keys.
- Generate Demo keys with an internal pseudo random number generator.
- The name of the random number generator PKCS#11-compliant DLL, and its PIN. Acceptable values: DLL full path, PIN code (when required). The PIN should be added when required by the HSM vendor.

To create a set of keys using PKCS11-supported HSM integration, enter the following command:

To create a set of keys using OpenSSL for a non-production environment using pseudo random number generation, enter the following command:

The following table lists general errors and their descriptions.

| Error | Description |
|---|---|
| Error: Symmetric Algorithm not found (case-sensitive) | The symmetric key input entered is not supported, or not in uppercase letters. |
| Error: A-Symmetric Algorithm not found (case-sensitive) | |
| Error creating a directory for CD, RC: X, errno: X - Path not found | |
| Error creating a directory for CD, RC: X, errno: X - Directory already exists | |
| Error: You must indicate exactly one RNG option | Exactly one RNG option must be selected using HSM or demo keys. |
| DLL was not found. | Make sure the full path is correct and includes quotes (""). |
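As an added illustration, not CyberArk's code and not PAKeyGen's output format, the following Python script models the two-folder layout described above and the checks worth running before the Operator folder goes to the Vault server and the Master folder into the safe: the private recovery key must exist only in Master, the files shared by both folders must be identical copies, and temporary copies of key material must be overwritten rather than merely deleted. The file names are assumptions, and the recovery pair is stand-in text rather than a real RSA-2048 key.

```python
import os
import secrets
import tempfile
from pathlib import Path

SERVER_KEY, PUBLIC_KEY, PRIVATE_KEY = "server.key", "recovery.pub", "recovery.prv"  # assumed names, not PAKeyGen's
OPERATOR_FILES = {SERVER_KEY, PUBLIC_KEY}      # what the Vault server needs to start
MASTER_FILES = OPERATOR_FILES | {PRIVATE_KEY}  # what goes into the physical safe
SAMPLE_PEM = "-----BEGIN {k} KEY-----\n(constructed sample, not a real RSA key)\n-----END {k} KEY-----\n"

def build_sample_key_set(root):
    """Lay out Operator and Master folders: a fresh 256-bit server key from the OS CSPRNG
    plus stand-in text where PAKeyGen would write the RSA-2048 recovery key pair."""
    operator, master = Path(root) / "Operator", Path(root) / "Master"
    server_key = secrets.token_bytes(32)
    for folder in (operator, master):
        folder.mkdir(parents=True)
        (folder / SERVER_KEY).write_bytes(server_key)
        (folder / PUBLIC_KEY).write_bytes(SAMPLE_PEM.format(k="PUBLIC").encode())
    (master / PRIVATE_KEY).write_bytes(SAMPLE_PEM.format(k="PRIVATE").encode())  # Master only
    return operator, master

def verify_key_folders(operator, master):
    """Return a list of problems; an empty list means the layout is as expected."""
    problems, op_names, ma_names = [], set(os.listdir(operator)), set(os.listdir(master))
    if PRIVATE_KEY in op_names:
        problems.append("Operator folder must not contain the private recovery key")
    problems += [f"Operator folder is missing {n}" for n in sorted(OPERATOR_FILES - op_names)]
    problems += [f"Master folder is missing {n}" for n in sorted(MASTER_FILES - ma_names)]
    for name in sorted(OPERATOR_FILES & op_names & ma_names):  # shared files must be identical copies
        if (operator / name).read_bytes() != (master / name).read_bytes():
            problems.append(f"{name} differs between Operator and Master")
    return problems

def wipe_file(path):
    """Best effort: overwrite, fsync, unlink. Journaling, copy-on-write and SSD wear
    levelling can keep the old blocks, so plan to wipe or destroy the host's disk too."""
    with open(path, "r+b") as fh:
        fh.write(secrets.token_bytes(os.fstat(fh.fileno()).st_size))
        fh.flush()
        os.fsync(fh.fileno())
    os.unlink(path)

def demo():
    with tempfile.TemporaryDirectory() as tmp:
        operator, master = build_sample_key_set(tmp)
        clean = verify_key_folders(operator, master)
        (operator / PRIVATE_KEY).write_bytes((master / PRIVATE_KEY).read_bytes())  # simulated mistake
        leaked = verify_key_folders(operator, master)
        wipe_file(operator / PRIVATE_KEY)
        return clean, leaked, (operator / PRIVATE_KEY).exists()
```

Running demo() verifies a clean set, then shows the check catching a private recovery key copied into the Operator folder and the copy being wiped.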