Key Management Tools

Generate, validate, wrap, share, and verify cryptographic keys used across payment systems — from raw 3DES key generation and parity enforcement to TR-31 / Thales key blocks, vendor HSM-specific calculators, keyshare splitting, and X.509 certificate workflows.

Introduction

Key Management Tools cluster around four jobs:

  • Build keys — generate and combine raw key material.
  • Wrap keys — bind a key to its usage / algorithm via TR-31 or Thales key blocks.
  • Distribute keys — split into shares for multi-custodian loading and validate the resulting halves.
  • Compute key check values — for vendor HSMs and operational sign-off.

SSL / X.509 certificate handling is also grouped here for projects that need terminal or host-to-host TLS.

DEA Keys (DES / 3DES Utility)

A multi-tab tool focused on raw 3DES key material.

Tabs

  • Key Generator — Generate cryptographically random DES, 2-key 3DES, or 3-key 3DES keys.
  • Key Combination — XOR multiple key components together to reconstruct a key from shares.
  • Parity Enforcement — Adjust the LSB of each byte so each byte has odd parity (DES requirement).
  • Key Validation — Check parity, detect weak keys, and compute KCV (Key Check Value) using 00 00 00 00 00 00 00 00.

Walk-through: Combine three components

  1. Open DEA Keys → Key Combination.
  2. Enter each component (32 hex chars each for 2-key 3DES).
  3. Click Combine. The tool XORs all components.
  4. Switch to Parity Enforcement if your spec requires odd parity, then Key Validation to confirm KCV.

Keyshare Generator

Splits a single key into n shares such that all n are required to reconstruct the key (XOR-based component scheme). Useful for multi-custodian key loading.

Inputs

  • Master Key — Hex key to split.
  • Number of Shares — 2 or 3 typical for compliance.

Output

  • Random components for shares 1 to n−1.
  • Final component computed so XOR of all components = the master key.
  • KCV of each share for safe transport verification.

Custody

Components must be transported and stored separately under the control of different custodians. Recombining shares brings them under the control of a single trustee, so do this only inside the HSM during loading.
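The Key Combination, Parity Enforcement and Key Validation steps above, together with the Keyshare Generator's split, as an added Python example (not the tool's own code). It assumes plain hex strings in and out; the KCV step is left to the tool because it needs a 3DES implementation.

```python
import secrets

# The four DES weak keys (odd-parity form); any 3DES half equal to one is unsafe.
DES_WEAK_KEYS = {bytes.fromhex(k) for k in (
    "0101010101010101", "FEFEFEFEFEFEFEFE", "E0E0E0E0F1F1F1F1", "1F1F1F1F0E0E0E0E")}


def xor_components(components):
    """Key Combination: XOR equal-length hex components into one key."""
    raw = [bytes.fromhex(c) for c in components]
    if len({len(r) for r in raw}) != 1:
        raise ValueError("all components must have the same length")
    out = raw[0]
    for r in raw[1:]:
        out = bytes(a ^ b for a, b in zip(out, r))
    return out.hex().upper()


def split_key(key_hex, n):
    """Keyshare Generator: n-1 random components, the last one fixes the XOR."""
    if n < 2:
        raise ValueError("need at least two shares")
    size = len(bytes.fromhex(key_hex))
    shares = [secrets.token_bytes(size).hex().upper() for _ in range(n - 1)]
    shares.append(xor_components([key_hex] + shares))  # key ^ s1 ^ ... ^ s(n-1)
    return shares


def enforce_odd_parity(key_hex):
    """Flip the LSB of every byte whose bit count is even (DES key parity)."""
    fixed = bytes(b ^ 1 if bin(b).count("1") % 2 == 0 else b for b in bytes.fromhex(key_hex))
    return fixed.hex().upper()


def has_odd_parity(key_hex):
    return all(bin(b).count("1") % 2 == 1 for b in bytes.fromhex(key_hex))


def key_issues(key_hex):
    """Key Validation: report weak DES halves and degenerate 2/3-key 3DES keys."""
    key = bytes.fromhex(enforce_odd_parity(key_hex))  # weak keys are listed in parity form
    if len(key) not in (8, 16, 24):
        return ["length must be 8, 16 or 24 bytes"]
    parts = [key[i:i + 8] for i in range(0, len(key), 8)]
    issues = [f"K{i + 1} is a DES weak key" for i, p in enumerate(parts) if p in DES_WEAK_KEYS]
    if len(parts) >= 2 and parts[0] == parts[1]:
        issues.append("K1 == K2: 3DES degenerates to single DES")
    if len(parts) == 3 and parts[1] == parts[2]:
        issues.append("K2 == K3: 3DES degenerates to single DES")
    return issues
```

Shares from split_key are raw random components; run the recombined key through enforce_odd_parity before loading if the receiving HSM enforces parity.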

TR-31 Key Block

ASC X9.143 (formerly TR-31) defines a key block format that binds a key to its allowable usage, algorithm, mode, and exportability. A TR-31 block is opaque to anything outside the issuing HSM but lets two HSMs exchange keys without losing metadata.

Tabs

  • Wrap — Build a key block from a clear key under a Key Block Protection Key (KBPK).
  • Unwrap — Decode a key block, validate its MAC, and reveal the contents.

Inputs (Wrap)

  • KBPK — 32 / 48 hex chars (3DES) or 64 hex (AES).
  • Clear Key — Key to wrap.
  • Key Usage — Two-character code (e.g. P0 = PIN encryption, M0 = MAC, K0 = Key Encryption Key).
  • Algorithm — D = DES, T = TDES, A = AES, etc.
  • Mode of Use — E = encrypt, D = decrypt, B = both, N = no restriction.
  • Key Version Number — Two characters.
  • Exportability — E = exportable, S = sensitive (no clear export), N = no export.

Output

An ASCII key block string starting with the version (A, B, C, D) plus the encrypted key, the MAC, and any optional blocks.

A0072P0TE00E0000ABC...   (example TR-31 block; the leading A is the version ID)
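A parser and builder for the 16-character TR-31 header whose fields are listed above, as an added Python example (not the tool's code). The code tables are deliberately limited to the usage, algorithm, mode and exportability codes this page names; lookups are case-sensitive, so a lowercase header is rejected.

```python
from dataclasses import dataclass

HEADER_LEN = 16  # the TR-31 header is the first 16 ASCII characters of the block

# Code tables limited to the values named on this page; the standard defines more.
VERSIONS = set("ABCD")
KEY_USAGE = {"P0": "PIN encryption", "M0": "MAC", "K0": "Key Encryption Key"}
ALGORITHMS = {"D": "DES", "T": "TDES", "A": "AES"}
MODES = {"E": "encrypt", "D": "decrypt", "B": "both", "N": "no restriction"}
EXPORTABILITY = {"E": "exportable", "S": "sensitive", "N": "no export"}


@dataclass
class Tr31Header:
    version: str          # 1 char: A, B, C or D
    block_length: int     # 4 digits: length of the whole block in characters
    key_usage: str        # 2 chars, e.g. P0
    algorithm: str        # 1 char, e.g. T
    mode_of_use: str      # 1 char, e.g. E
    key_version: str      # 2 chars
    exportability: str    # 1 char, e.g. E
    num_opt_blocks: int   # 2 digits
    reserved: str = "00"  # 2 chars, always 00

    def validate(self):
        checks = [  # case-sensitive on purpose: lowercase codes fail the lookup
            (self.version in VERSIONS, f"bad version {self.version!r}"),
            (self.key_usage in KEY_USAGE, f"bad key usage {self.key_usage!r}"),
            (self.algorithm in ALGORITHMS, f"bad algorithm {self.algorithm!r}"),
            (self.mode_of_use in MODES, f"bad mode {self.mode_of_use!r}"),
            (self.exportability in EXPORTABILITY, f"bad exportability {self.exportability!r}"),
            (len(self.key_version) == 2 and self.key_version.isalnum(), "bad key version"),
            (0 <= self.block_length <= 9999 and 0 <= self.num_opt_blocks <= 99, "bad length"),
            (self.reserved == "00", "reserved field must be 00"),
        ]
        for ok, msg in checks:
            if not ok:
                raise ValueError(msg)

    def encode(self):
        self.validate()
        return (f"{self.version}{self.block_length:04d}{self.key_usage}{self.algorithm}"
                f"{self.mode_of_use}{self.key_version}{self.exportability}"
                f"{self.num_opt_blocks:02d}{self.reserved}")


def parse_tr31_header(block):
    """Split the fixed 16-character header of a key block into its fields."""
    if len(block) < HEADER_LEN:
        raise ValueError("key block shorter than a TR-31 header")
    h = block[:HEADER_LEN]
    if not (h[1:5].isdigit() and h[12:14].isdigit()):
        raise ValueError("length fields must be decimal digits")
    hdr = Tr31Header(h[0], int(h[1:5]), h[5:7], h[7], h[8], h[9:11], h[11], int(h[12:14]), h[14:16])
    hdr.validate()
    return hdr


def block_length_matches(block):
    """True when the header's length field equals the actual block length."""
    return parse_tr31_header(block).block_length == len(block)
```

The header is cleartext; only the key is encrypted and the MAC over header plus key is what actually binds the usage, so a header that parses cleanly still needs the Unwrap tab's MAC check.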

Thales Key Block

The Thales-specific key block format used by PayShield HSMs. Similar in concept to TR-31 but with Thales’ own header and key usage codes.

Workflow

  • Pick a Thales Key Type — ZMK, ZPK, TMK, BDK, ZEK, etc.
  • Provide the LMK Variant applicable to that key type.
  • Provide the clear key material.
  • The tool returns the encrypted key under LMK along with its KCV.

Tip

Use this when you have a clear key and want to import it under the HSM Simulator’s LMK without typing it through the console.

Thales Key Calculator

Vendor-aware calculations matching Thales PayShield host commands.

Operations

  • Key Generation — Equivalent to A0 (Generate a Key) host command.
  • Key Translation — Equivalent to A6 (Translate a Key from One ZMK to Another).
  • KCV Computation — Match Thales-style 6-digit KCVs for operational sign-off.
  • Variant Application — Apply LMK and ZMK variants used during key wrapping.

Futurex Key Calculator

Computes keys in Futurex Excrypt / VirtuCrypt key block format.

  • Wrap clear keys under a Futurex KEK.
  • Compute KCVs in Futurex’s expected representation.
  • Generate keys with the right MFK header for import.

Atalla Key Calculator

Atalla / Utimaco AKB-style key block helpers, including AKB header construction and KCV verification.

Safenet Key Calculator

Safenet / Thales Luna key calculations for legacy and modern formats.

SSL / X.509 Certificate Tool

An end-to-end certificate workflow tool for terminal-host TLS.

Tabs

  • Keys — Generate RSA key pairs (2048 / 3072 / 4096-bit) or read existing keys.
  • CSRs — Build a Certificate Signing Request from a key and DN parameters (CN, OU, O, L, S, C).
  • Read CSR — Parse and display the contents of an existing CSR.
  • Self-Signed — Issue a self-signed certificate from a key + DN, with configurable validity.
  • Read Certificate — Parse and display an X.509 certificate, including extensions.

Inputs

  • Common Name (CN)
  • Organisation (O), Org. Unit (OU)
  • Locality (L), State (S), Country (C)
  • Validity (Days)
  • Key Size — 2048 / 3072 / 4096.

Outputs are displayed as PEM and as parsed fields side-by-side, with a copy button per artifact.

Tips

  • Always verify the KCV after combining shares or unwrapping a key block. A wrong KCV almost always means a typo in one share.
  • For TR-31, watch out for case sensitivity in the header — the key usage and mode codes are uppercase.
  • If your HSM rejects an imported key, compare the version byte (A vs B vs C vs D) — older HSMs may only accept specific versions.
  • For SSL, generate the key first, then the CSR, then the cert — the tool will pre-fill DN parameters from a previous CSR if you stay on the same session.