Thanks. My assumption is that the metadata contains information that will enable knot to get the HSM to access the correct private key when this key is needed, right? 

This aside, do you guys have any documents where the KASP database is described in detail?

On Thu, Aug 5, 2021 at 2:10 PM libor.peltan <libor.peltan@nic.cz> wrote:

Hi Luveh,

I agree the quoted sentence from the documentation is pretty brief, and thus inaccurate.

The KASP database always contains just the public keys and some key metadata.

The private keys are stored in a keystore, i.e. PEM files or (Soft)HSM according to configuration.

This is also true for new keys generated with keymgr.

Thanks anyway for your question,

Libor

Dne 05. 08. 21 v 21:50 Luveh Keraph napsal(a):
Tha man page for keymgr says that the keymgr generate command (quote) Generates new DNSSEC key and stores it in KASP database. (unquote)

What is exactly stored in the KASP database? 

The reason I am asking is because the actual cryptographic key will be available in the clear only when using the default key store. When using an HSM (or event softhsm) only the HSM will have access to the key in the clear.  So, what is it that gets stored in the KASP database when an HSM is used for generating keys?