
Key Management and Accessibility

Key Scope Machine Key

Administrator rights are required to access keys in the machine key scope ¹, i.e. when the IsMachineKey flag is set.

Key Accessibility (HSM Internal Key Naming)

As a network-attached HSM, the Primus HSM CNG/KSP Provider has to handle keys used in different key scopes, from different Windows machines organized in workgroups or domains, and from different user accounts.

Accessibility of the different key spaces is managed with a key prefix, described below.

The Primus CNG/KSP provider internally uses the following key naming scheme:

<keyPrefix>__<keyName>
  • <keyPrefix> is a value based on the Security Identifier (SID) and Relative Identifier (RID) of the machine or user account; which one is used depends on the key scope (machine or user key), the account type, and whether the machine is standalone or domain-joined
  • <keyName> is the key name passed via the CNG/KSP API

The following table shows the assigned <keyPrefix>, depending on key scope, user account and domain membership:

| Key Scope | Account type | Standalone Machine | Domain-joined Machine |
|---|---|---|---|
| Machine | Flag IsMachineKey set, any account | LocalMachineSID | LocalMachineSID |
| User | Domain User Account ² | n.a. | DomainSID-UserRID |
| User | Local User Account | LocalMachineSID-UserRID | LocalMachineSID-UserRID |
| User | Special System Accounts, e.g. System/LocalSystem, NT Authority/LocalService, NetworkService | Well-known SID ³, e.g. S-1-5-18, S-1-5-19, S-1-5-20 | DomainSID-MachineRID ⁴ |

Application programmers using Primus CNG/KSP should carefully consider the table above with regard to key accessibility from different user accounts and machines.

Key Inaccessibility Risks

The following procedures can make specific keys inaccessible to an application:

  • Domain changes, such as:
    • joining the machine to a network domain
    • removing the machine from a network domain
    • moving the machine from one domain to another domain
  • any other SID changes
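To make the prefix table and the risk list above concrete, here is an added Python model of the <keyPrefix> rule. It is example code, not the Primus provider's own implementation: it derives the prefix for a caller from the machine's SIDs, builds the internal <keyPrefix>__<keyName>, and reports which callers would end up under a different prefix after a domain join or a machine SID change, i.e. whose previously created keys are no longer found under the name the provider now computes. All SIDs and RIDs are constructed sample values, the class and function names (MachineContext, Caller, key_prefix, prefix_changes) are this example's own, and the version-dependent behaviour described in the footnotes is not modelled.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Dict, Iterable, Optional, Tuple

# Well-known SIDs of the special system accounts named in the table.
WELL_KNOWN_SYSTEM_SIDS = {
    "S-1-5-18": "System/LocalSystem",
    "S-1-5-19": "NT Authority/LocalService",
    "S-1-5-20": "NetworkService",
}


class AccountType(Enum):
    DOMAIN_USER = "domain user account"
    LOCAL_USER = "local user account"
    SYSTEM = "special system account"


@dataclass(frozen=True)
class MachineContext:
    """SIDs describing the Windows host (hypothetical model, constructed values)."""
    local_machine_sid: str
    domain_sid: Optional[str] = None   # present only when domain-joined
    machine_rid: Optional[int] = None  # RID of the computer account in that domain

    @property
    def domain_joined(self) -> bool:
        return self.domain_sid is not None


@dataclass(frozen=True)
class Caller:
    """The account that calls the CNG/KSP API."""
    account_type: AccountType
    identity: str  # UserRID for user accounts, well-known SID for system accounts


def key_prefix(ctx: MachineContext, caller: Caller, is_machine_key: bool) -> Optional[str]:
    """<keyPrefix> for this caller per the table above; None where the table says n.a."""
    if is_machine_key:
        # Machine key scope: LocalMachineSID for any account, joined or not.
        return ctx.local_machine_sid
    if caller.account_type is AccountType.DOMAIN_USER:
        if not ctx.domain_joined:
            return None  # n.a.: a standalone machine has no domain accounts
        return f"{ctx.domain_sid}-{caller.identity}"  # DomainSID-UserRID
    if caller.account_type is AccountType.LOCAL_USER:
        return f"{ctx.local_machine_sid}-{caller.identity}"  # LocalMachineSID-UserRID
    if caller.identity not in WELL_KNOWN_SYSTEM_SIDS:
        raise ValueError(f"not a well-known system account SID: {caller.identity}")
    if not ctx.domain_joined:
        return caller.identity  # well-known SID, e.g. S-1-5-18
    return f"{ctx.domain_sid}-{ctx.machine_rid}"  # DomainSID-MachineRID


def internal_key_name(prefix: str, key_name: str) -> str:
    """Internal HSM key name: <keyPrefix>__<keyName>."""
    return f"{prefix}__{key_name}"


def prefix_changes(before: MachineContext, after: MachineContext,
                   callers: Iterable[Caller], is_machine_key: bool = False
                   ) -> Dict[Caller, Tuple[str, Optional[str]]]:
    """Callers whose keys were created under one prefix and would now be looked
    up under a different one; the application no longer finds those keys."""
    changes = {}
    for caller in callers:
        old = key_prefix(before, caller, is_machine_key)
        new = key_prefix(after, caller, is_machine_key)
        if old is not None and old != new:
            changes[caller] = (old, new)
    return changes


# Constructed sample machine states and callers (not real SIDs).
STANDALONE = MachineContext(local_machine_sid="S-1-5-21-111-222-333")
JOINED = MachineContext(local_machine_sid="S-1-5-21-111-222-333",
                        domain_sid="S-1-5-21-444-555-666", machine_rid=1105)
REIMAGED = MachineContext(local_machine_sid="S-1-5-21-777-888-999")  # machine SID changed

LOCAL_ALICE = Caller(AccountType.LOCAL_USER, "1001")
LOCAL_SYSTEM = Caller(AccountType.SYSTEM, "S-1-5-18")
DOMAIN_BOB = Caller(AccountType.DOMAIN_USER, "1200")
CALLERS = (LOCAL_ALICE, LOCAL_SYSTEM, DOMAIN_BOB)

if __name__ == "__main__":
    for c in CALLERS:
        p = key_prefix(STANDALONE, c, False)
        name = internal_key_name(p, "signing-key") if p else "n.a."
        print(f"{c.account_type.value:24} standalone user-scope key -> {name}")
    for label, after in (("domain join", JOINED), ("machine SID change", REIMAGED)):
        for c, (old, new) in prefix_changes(STANDALONE, after, CALLERS).items():
            print(f"after {label}: {c.account_type.value} keys under {old} "
                  f"are no longer found (provider now looks under {new})")
```

Running the model shows the two cases the list above warns about: joining a standalone machine to a domain moves the user-scope keys of the special system accounts (from the well-known SID to DomainSID-MachineRID) while leaving local user and machine keys alone, whereas a machine SID change moves every local user key and every machine key. A practitioner can run the same comparison with the real SIDs of a host before a planned domain move to see which services would lose their keys.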

Footnotes

  1. CNG V1.30.0 and later. Before that, machine keys were accessible to all users.

  2. If a domain user account and a local user account have the same name, the domain account is preferred. In Microsoft CNG versions before V1.21.4, the local user account was preferred.

  3. Not supported in Microsoft CNG versions V1.21.4 to 1.31, because system accounts can only use the machine key scope there.

  4. In Microsoft CNG versions before V1.21.4, these accounts used the well-known SID, as on standalone machines.