BSNk Polymorhic Decryption Keys

How to find out which key you received using MyConnectis BSNk Key retrieval

When you have received BSNk key material from Connectis Technical Support or via the automatic Connectis Identity Broker endpoint, it is not directly clear which keys are for which purpose. There are three possible keys that are obtained from BSNk that are used in polymorphic decryption of pseudo ids and identifiers. These are:

  • The closing key (EC)

  • Pseudo Id key (EP)

  • Identity key (EI)

Here are steps to identify which keys you receive from BSNk:

1.From BSNk you will receive a Base64 encoded stream of keys. For each Base64 encoded string first save it in a file. Then base64 decode the contents using:

base64 -d {file} > out.p7

The base64 decoded output is the p7 file which contains an encrypted key in binary format.

2. Have your private key ready. The file should begin with


with the base64 encoded private key contents and end with


Let's name this file dv-private-key.pem.

3. Decrypt the encrypted key using

openssl cms -decrypt -in out.p7 -inkey dv-private-key.pem -inform DER -out key-file.pem

4. Open the output key-file.pem. The contents will look like

SchemeVersion: 1
SchemeKeyVersion: 1
Type: EP Closing
Recipient: OIN of the customer
RecipientKeySetVersion: Version identifying the recipient and their active key set.
Base64 encoded private key

Here in the metadata section you can see what type of key it is. The types are

  • EP Closing --> closing key

  • EP Decryption --> Pseudo Id key

  • EI Decryption --> Identity key