PSRD Management

PSRD (Pre-Shared Random Data) is the entropy source consumed by DSKE during key generation and recovery. Think of it as fuel — without PSRD, DSKE cannot generate or recover secrets, and the AES tunnel will not establish.

PSRD Lifecycle

┌──────────────┐     ┌──────────────┐     ┌──────────────┐
│ Security Hub │     │  Out-of-band │     │ DSKE Client  │
│  generates   │────►│  transfer    │────►│  ingests     │
│  PSRD file   │     │  (SSH, etc.) │     │  PSRD file   │
└──────────────┘     └──────────────┘     └──────────────┘
                                                 │
                                                 ▼
                                          ┌──────────────┐
                                          │  Registers   │
                                          │  with hub    │
                                          └──────────────┘
                                                 │
                                                 ▼
                                          ┌──────────────┐
                                          │  Consumed by │
                                          │  generate /  │
                                          │  recover ops │
                                          └──────────────┘

Ingesting PSRD

When you receive a PSRD file from a security hub administrator, ingest it on the client:

qufabric dske ingest-psrd /path/to/psrd-wrapped.json

This command:

  1. Parses the wrapped JSON file
  2. Extracts the PSRD data, hub endpoint, hub ID, and client ID
  3. Registers the client with the security hub
  4. Stores the registration in the local DSKE database

PSRD File Format

The wrapped PSRD file is a JSON document containing everything needed to register with a security hub:

{
  "version": 2,
  "security_hub_fqdn": "hub.example.com",
  "security_hub_id": "0a1b2c3d4e5f67890a1b2c3d4e5f6789",
  "security_hub_port": 27277,
  "dske_client_id": "7320cff5-6929-44f5-8106-46c5304c8047",
  "dske_client_username": "my-client-name",
  "psrd": "base64-encoded-psrd-data..."
}

Field                  Description
security_hub_fqdn      Hub's hostname for endpoint construction
security_hub_id        Hub's unique identifier
security_hub_port      DSKE API port (default: 27277)
dske_client_id         Your unique client ID on this hub
dske_client_username   Human-readable client name
psrd                   Base64-encoded entropy data
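
A pre-ingest sanity check for the wrapped file, as an added example that is not part of qufabric: it verifies the 0600 mode recommended under Security Best Practices, the fields shown above, and that psrd decodes as base64, without ever printing the PSRD itself. The field types are inferred from the sample, standard base64 and a POSIX file system are assumed, and check_psrd_file and write_sample are hypothetical helper names.

```python
import base64
import json
import os
import stat
import tempfile

# Assumption: field names and JSON types as they appear in the sample file on this page.
REQUIRED = {"version": int, "security_hub_fqdn": str, "security_hub_id": str,
            "security_hub_port": int, "dske_client_id": str,
            "dske_client_username": str, "psrd": str}

def check_psrd_file(path):
    """Return a list of problems; an empty list means no problem was found."""
    problems = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & 0o077:  # any group/other permission bit is set
        problems.append(f"mode {mode:04o} is wider than 0600")
    try:
        with open(path, encoding="utf-8") as fh:
            doc = json.load(fh)
    except ValueError as exc:  # covers JSON and UTF-8 decoding errors
        return problems + [f"not valid JSON: {exc}"]
    if not isinstance(doc, dict):
        return problems + ["top-level JSON value is not an object"]
    for name, typ in REQUIRED.items():
        value = doc.get(name)
        # bool is a subclass of int in Python, so reject it explicitly
        if isinstance(value, bool) or not isinstance(value, typ):
            problems.append(f"field {name!r} missing or not {typ.__name__}")
    if isinstance(doc.get("psrd"), str):
        try:  # validate=True rejects characters outside the base64 alphabet
            if not base64.b64decode(doc["psrd"], validate=True):
                problems.append("psrd decodes to zero bytes")
        except ValueError:
            problems.append("psrd is not valid base64 (corrupted or truncated)")
    return problems

def write_sample(psrd_b64, mode=0o600):
    """Write a constructed sample file (values from this page) and return its path."""
    doc = {"version": 2, "security_hub_fqdn": "hub.example.com",
           "security_hub_id": "0a1b2c3d4e5f67890a1b2c3d4e5f6789",
           "security_hub_port": 27277, "dske_client_username": "my-client-name",
           "dske_client_id": "7320cff5-6929-44f5-8106-46c5304c8047", "psrd": psrd_b64}
    fd, path = tempfile.mkstemp(suffix=".json")
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        json.dump(doc, fh)
    os.chmod(path, mode)
    return path
```

Run check_psrd_file on the received file before ingesting it; because a PSRD file is one-time use, catching a truncated transfer here avoids spending the file on a failed ingest.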

Monitoring PSRD Levels

Check your current PSRD status:

qufabric dske status

Example output:

DSKE Status: Enabled
Local Peer UUID: 625e104c8321934fd6533994f8967b7c

Registered Security Hubs:
  Hub ID                            Client ID                         Generate    Recover     Status
  0a1b2c3d4e5f67890a1b2c3d4e5f6789  fedcba9876543210fedcba9876543210  524288      524288      Enabled
  1234567890abcdef1234567890abcdef  abcdef1234567890abcdef1234567890  1048576     1048576     Enabled

The Generate and Recover columns show remaining PSRD bytes for each direction.

Warning Thresholds

The DSKE service automatically monitors PSRD levels:

Level      Threshold   Action
Normal     > 10 KiB    No action
Warning    < 10 KiB    Logged as warning, automatic refill attempted
Critical   < 1 KiB     Logged as error, key operations may fail
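
For external alerting, the thresholds above can be applied to the output of qufabric dske status. The following is an added example, not part of qufabric: it assumes the column layout of the example output on this page and 32-hex-character IDs, takes the lower of the Generate and Recover values per hub, and uses hypothetical function names.

```python
import re

WARNING_BYTES = 10 * 1024   # "Warning" threshold from the table above
CRITICAL_BYTES = 1 * 1024   # "Critical" threshold from the table above

# Constructed sample in the layout of the example output on this page.
SAMPLE_STATUS = """\
DSKE Status: Enabled
Local Peer UUID: 625e104c8321934fd6533994f8967b7c

Registered Security Hubs:
  Hub ID                            Client ID                         Generate    Recover     Status
  0a1b2c3d4e5f67890a1b2c3d4e5f6789  fedcba9876543210fedcba9876543210  524288      524288      Enabled
  1234567890abcdef1234567890abcdef  abcdef1234567890abcdef1234567890  9000        1048576     Enabled
  00112233445566778899aabbccddeeff  ffeeddccbbaa99887766554433221100  2048        512         Enabled
"""

# hub id, client id, generate bytes, recover bytes, status
ROW = re.compile(r"^\s*([0-9a-f]{32})\s+([0-9a-f]{32})\s+(\d+)\s+(\d+)\s+(\S+)\s*$")

def classify(remaining):
    if remaining < CRITICAL_BYTES:
        return "critical"
    if remaining <= WARNING_BYTES:  # assumption: exactly 10 KiB counts as warning
        return "warning"
    return "normal"

def psrd_alerts(status_text):
    """Return (hub_id, level, lowest_remaining_bytes) for each hub not at 'normal'."""
    alerts, rows = [], 0
    for line in status_text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # header, banner and blank lines
        rows += 1
        lowest = min(int(m.group(3)), int(m.group(4)))
        level = classify(lowest)
        if level != "normal":
            alerts.append((m.group(1), level, lowest))
    if rows == 0:
        # Fail loudly rather than report "no alerts" on output we could not parse.
        raise ValueError("no hub rows found; layout changed or no hubs registered")
    return alerts
```

In a scheduled job, pass the captured status output to psrd_alerts and forward any result to your alerting system.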

PSRD Consumption Rate

PSRD is consumed with every key generation and recovery operation:

Factor                    Value
Rotation interval         Every 120 seconds per peer pair
Shares per rotation       2 (one per hub, with shares_required=2)
Approximate consumption   ~4 KiB per rotation
Duration per PSRD file    ~8–16 hours of continuous operation

The actual consumption depends on the number of active peer pairs and the DSKE SDK's internal accounting.

Refilling PSRD

Automatic Refill

When PSRD levels drop below the warning threshold, the DSKE service automatically requests an online refill from the security hub:

# This happens automatically, but you can also trigger it manually:
qufabric dske refill-psrd <hub-id>

Manual Refill

If automatic refill is insufficient or the hub requires manual PSRD provisioning:

  1. Request a new PSRD file from the security hub administrator
  2. Ingest it: qufabric dske ingest-psrd /path/to/new-psrd.json

Managing Hubs

List Registered Hubs

qufabric dske list-hubs

Disable a Hub

Temporarily disable a hub (local only — the hub is not notified):

qufabric dske disable-hub <hub-id>

Re-enable a Hub

qufabric dske enable-hub <hub-id>

Remove a Hub

Permanently remove a hub registration (requires re-ingesting PSRD to re-register):

qufabric dske remove-hub <hub-id>

Troubleshooting

"NotEnoughPSRD" Error

PSRD is exhausted. To recover:

  1. Check levels: qufabric dske status
  2. Request refill: qufabric dske refill-psrd <hub-id>
  3. Ingest fresh PSRD from the hub administrator

"ClientAuthenticationFailed" Error

The hub doesn't recognize your client credentials:

  1. Verify you were added as a client on the security hub
  2. Re-ingest a fresh PSRD file
  3. Ensure the hub endpoint is reachable

"SecurityHubCommunication" Error

Cannot reach the security hub:

  1. Verify the hub endpoint URL and port
  2. Check network connectivity to the hub
  3. Verify the hub service is running

"GeneralError" or "AddPSRDFailure" on Ingest

Possible causes:

  1. PSRD file was already ingested (one-time use)
  2. Hub has conflicting state for this client ID
  3. PSRD data is corrupted or truncated

Try a fresh PSRD file — never re-ingest the same file.

Security Best Practices

  1. Secure transfer: Always use encrypted channels (SSH, SFTP) when transferring PSRD files
  2. File permissions: Set PSRD files to 0600 before and after transfer
  3. Delete after use: Remove PSRD files from both hub and client after successful ingestion
  4. Monitor levels: Set up alerting on PSRD levels to avoid service interruption
  5. Regular rotation: Periodically provision fresh PSRD for long-running deployments