Hi,
You are not the first :)
I will try to explain (but my English is not good enough to be clear :( ).
An HSM never works with plain keys; all the keys it processes are encrypted under other keys, called Key Encryption Keys (KEK). The LMK is a KEK which is securely stored in the secure environment, the HSM. The main idea of the HSM is that you cannot get the real LMK key value and, respectively, you cannot get the real plain value of a working key. All the keys you use with the HSM are cryptograms. The LMK is your personal KEK which is not accessible to other parties (which means it is a secure KEK). These keys you should keep in a database to use with your own HSM.
Sometimes you need to transmit keys to other parties, e.g. Visa or MasterCard, to exchange some encrypted data like PIN-blocks. In that case you should use another KEK called the ZMK. It is a transport key which is used ONLY for exchanging other keys. You are unable to use ZMK-encrypted keys with your HSM. First, you MUST import the key under your LMK to make it manageable.
RESULT:
1) You should use keys under LMK
2) Keys under ZMK are only used to be transmitted to other parties.
If I was not clear enough, please do not hesitate to ask; I will try to find another explanation.
Regards,
Juris
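
Added example, not part of the original post: a toy model of the LMK/ZMK flow described above, showing that a key exported under the ZMK is rejected for normal operations until the receiving side imports it under its own LMK. `ToyHSM`, its method names and the HMAC-based wrap are hypothetical stand-ins, not a real HSM command set or key-wrapping algorithm.

```python
import hashlib, hmac, secrets

def _wrap(kek, key):
    # Stand-in key wrap (NOT a real HSM algorithm): HMAC keystream XOR plus a tag.
    nonce = secrets.token_bytes(16)
    stream = hmac.new(kek, b"enc" + nonce, hashlib.sha256).digest()
    body = bytes(a ^ b for a, b in zip(key, stream))
    tag = hmac.new(kek, b"mac" + nonce + body, hashlib.sha256).digest()[:8]
    return nonce + body + tag

def _unwrap(kek, blob):
    nonce, body, tag = blob[:16], blob[16:-8], blob[-8:]
    good = hmac.new(kek, b"mac" + nonce + body, hashlib.sha256).digest()[:8]
    if not hmac.compare_digest(tag, good):
        raise ValueError("cryptogram is not encrypted under this KEK")
    stream = hmac.new(kek, b"enc" + nonce, hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(body, stream))

class ToyHSM:
    """Hypothetical model: the LMK and every clear key stay inside these methods."""
    def __init__(self):
        self._lmk = secrets.token_bytes(32)      # never returned to the caller
    def generate_key(self):                      # working key, as cryptogram under LMK
        return _wrap(self._lmk, secrets.token_bytes(16))
    def load_zmk(self, clear_zmk):               # simplification: real ZMKs arrive as components
        return _wrap(self._lmk, clear_zmk)
    def export_key(self, zmk_lmk, key_lmk):      # LMK -> ZMK, for sending to the other party
        return _wrap(_unwrap(self._lmk, zmk_lmk), _unwrap(self._lmk, key_lmk))
    def import_key(self, zmk_lmk, key_zmk):      # ZMK -> LMK, to make a received key usable
        return _wrap(self._lmk, _unwrap(_unwrap(self._lmk, zmk_lmk), key_zmk))
    def mac(self, key_lmk, data):                # a working operation; accepts LMK cryptograms only
        return hmac.new(_unwrap(self._lmk, key_lmk), data, hashlib.sha256).hexdigest()

def demo():
    ours, theirs = ToyHSM(), ToyHSM()            # two parties, two different LMKs
    zmk = secrets.token_bytes(16)                # constructed shared transport key
    our_zmk, their_zmk = ours.load_zmk(zmk), theirs.load_zmk(zmk)
    key_lmk = ours.generate_key()                # what we keep in our database
    key_zmk = ours.export_key(our_zmk, key_lmk)  # what we transmit
    try:
        ours.mac(key_zmk, b"msg")
        zmk_form_usable = True
    except ValueError:
        zmk_form_usable = False                  # ZMK cryptogram is for transport only
    their_key_lmk = theirs.import_key(their_zmk, key_zmk)
    same_key = ours.mac(key_lmk, b"msg") == theirs.mac(their_key_lmk, b"msg")
    return zmk_form_usable, same_key, key_lmk != their_key_lmk

if __name__ == "__main__":
    print(demo())
```

The two parties end up holding the same working key, but each stores a different cryptogram of it because each LMK is private to its own HSM.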