I have generated a BDK Type3 key for DUKPT in Thales HSM. I have sent this BDK which is encrypted under the LMK of the HSM to the terminal manufacturer to generate the IPEK key and inject it into the terminal.
When I receive the encrypted data I have the KSN and now I need the BDK again to decrypt it. I am not storing the BDK anywhere in my HOST application. How can I get the BDK again for decryption? Is it stored somewhere in the HSM? If there are multiple BDKs, how do I find the right one used for this particular terminal?
The BDK (Base Derivation Key) should be kept in the HSM so it's available when you need to decrypt. During decryption you would pass the KSN (Key Serial Number) as input to the HSM, and the HSM would then recreate the DUKPT key used by the terminal for encryption from the BDK.
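The flow the answer describes, as an added example that is not part of the original thread or of any Thales HSM API: the host never holds the BDK, it only forwards the KSN and the ciphertext to an HSM-side key store, which selects the BDK from the Key Set ID carried in the KSN, re-derives the terminal's key, and decrypts. Everything here is constructed: `SimulatedHsm`, `SimulatedTerminal` and the helper names are hypothetical; the 5-byte Key Set ID prefix is an assumed (common) KSN layout; and the key derivation uses HMAC-SHA256 as a stand-in, not the X9.24 TDES derivation a real HSM performs. Only the 21-bit transaction counter in the low bits of the 80-bit KSN, and the initial KSN being the KSN with that counter zeroed, are taken from the DUKPT standard.

```python
"""Constructed illustration of DUKPT key handling at the host/HSM boundary.
NOT the X9.24 algorithm: HMAC-SHA256 stands in for the TDES derivation."""
import hashlib
import hmac

COUNTER_BITS = 21                      # X9.24: transaction counter is the low 21 bits
COUNTER_MASK = (1 << COUNTER_BITS) - 1


def parse_ksn(ksn_hex: str) -> dict:
    """Split a 10-byte KSN into Key Set ID, initial KSN and transaction counter.
    Assumption: this deployment uses a 5-byte Key Set ID prefix."""
    ksn = bytes.fromhex(ksn_hex)
    if len(ksn) != 10:
        raise ValueError("KSN must be 10 bytes (80 bits)")
    value = int.from_bytes(ksn, "big")
    return {
        "key_set_id": ksn[:5].hex().upper(),
        "initial_ksn": (value & ~COUNTER_MASK).to_bytes(10, "big").hex().upper(),
        "counter": value & COUNTER_MASK,
    }


def _derive_ipek(bdk: bytes, initial_ksn: bytes) -> bytes:
    # Placeholder for the X9.24 initial-key derivation (BDK + initial KSN -> IPEK).
    return hmac.new(bdk, b"IPEK" + initial_ksn, hashlib.sha256).digest()


def _derive_transaction_key(ipek: bytes, counter: int) -> bytes:
    # Placeholder for the non-reversible per-transaction derivation from the counter.
    return hmac.new(ipek, b"TXN" + counter.to_bytes(3, "big"), hashlib.sha256).digest()


def _xor_with_keystream(key: bytes, data: bytes) -> bytes:
    # Toy symmetric cipher so the round trip is visible; not a PIN-block cipher.
    stream = bytearray()
    block = 0
    while len(stream) < len(data):
        stream.extend(hmac.new(key, block.to_bytes(4, "big"), hashlib.sha256).digest())
        block += 1
    return bytes(a ^ b for a, b in zip(data, stream))


class SimulatedHsm:
    """Hypothetical HSM: BDKs are loaded once and never returned to the host."""

    def __init__(self) -> None:
        self._bdks = {}            # key_set_id -> BDK, indexed like an HSM key store

    def load_bdk(self, key_set_id: str, bdk: bytes) -> None:
        self._bdks[key_set_id.upper()] = bdk

    def _select_bdk(self, fields: dict) -> bytes:
        # The Key Set ID inside the KSN is what picks the right BDK when several exist.
        try:
            return self._bdks[fields["key_set_id"]]
        except KeyError:
            raise KeyError(f"no BDK loaded for key set {fields['key_set_id']}") from None

    def ipek_for_injection(self, initial_ksn_hex: str) -> bytes:
        """What the terminal manufacturer receives (in reality wrapped under a transport key)."""
        fields = parse_ksn(initial_ksn_hex)
        if fields["counter"] != 0:
            raise ValueError("initial KSN must carry a zero transaction counter")
        return _derive_ipek(self._select_bdk(fields), bytes.fromhex(fields["initial_ksn"]))

    def decrypt(self, ksn_hex: str, ciphertext: bytes) -> bytes:
        """Host passes only KSN + ciphertext; the HSM re-derives the terminal's key."""
        fields = parse_ksn(ksn_hex)
        ipek = _derive_ipek(self._select_bdk(fields), bytes.fromhex(fields["initial_ksn"]))
        return _xor_with_keystream(_derive_transaction_key(ipek, fields["counter"]), ciphertext)


class SimulatedTerminal:
    """Hypothetical terminal: holds only its injected IPEK and its own counter."""

    def __init__(self, initial_ksn_hex: str, ipek: bytes) -> None:
        self._initial_ksn = int(initial_ksn_hex, 16)
        self._ipek = ipek
        self._counter = 0

    def encrypt(self, plaintext: bytes) -> tuple:
        self._counter += 1
        ksn = (self._initial_ksn | self._counter).to_bytes(10, "big").hex().upper()
        key = _derive_transaction_key(self._ipek, self._counter)
        return ksn, _xor_with_keystream(key, plaintext)


def demo() -> tuple:
    """End-to-end round trip with constructed sample values."""
    hsm = SimulatedHsm()
    hsm.load_bdk("FFFF987654", bytes.fromhex("0123456789ABCDEFFEDCBA9876543210"))
    initial_ksn = "FFFF9876543210E00000"          # constructed sample initial KSN
    terminal = SimulatedTerminal(initial_ksn, hsm.ipek_for_injection(initial_ksn))
    ksn, ciphertext = terminal.encrypt(b"4111111111111111")
    return ksn, hsm.decrypt(ksn, ciphertext)


if __name__ == "__main__":
    print(demo())
```

The point to take from the structure rather than the placeholder crypto: the host application needs no copy of the BDK, only the KSN that arrives with each message, and a multi-BDK installation is resolved by indexing the HSM's key store on the Key Set ID portion of that KSN.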