PayXpert - User documentation
Remote Key Injection - Partner guide
This guide teaches PayXpert’s Terminal Fleet Manager partners how to remotely inject keys on their Sunmi payment terminals. Production keys are needed on the device in order for your merchants to start accepting payments with Payxpress.
Remote Key Injection (RKI) can be considered a preferred method over Local Key Injection (LKI) because you do not need to have the physical device in front of you in order to inject the keys. Also, it negates the need for the additional key encryption/injection hardware. Keys can be injected remotely in batches, which is easier than doing it one physical device at a time. Finally, the PCI PIN certification which is required for LKI is not necessary in the case of RKI.
Each key is unique on the individual POS devices but these keys are derived from the Base Derivation Key (BDK) that we will allocate to you as the maintainer.
Architecture
There are three architectural components of the Partner RKI solution:
An HSM provider which Sunmi uses to generate encrypted keys. The Initial transport key (ZMK) shared securely between PayXpert’s own HSM provider and Sunmi’s HSM is stored there. Sunmi has HSMs in both China and Europe.
An RKI Server: A Sunmi server that stores the keys and sends them to your devices
The Sunmi MDM portal: the UI by which you as a Terminal Fleet Manager will perform the actions to inject the keys stored on the RKI server
How it works - Overview
First, you must add PayXpert as a “partner”. We will then accept your friend request, assigning your organization a Base Derivation Key (BDK), and you will then be associated with us and you will be able to inject keys and maintain your POS devices.
Then, you (as the manager of your fleet) must trigger a “key assignment” action via the online portal. This will check the request against the Base Derivation Key assigned to your organization, and if okay, the RKI Service will create derived keys and they’ll be available on the server for manipulation.
You can then deploy those keys (this is called a “Download Task”) by selecting which devices to inject them on.
Note that the Sunmi Key Injection App—specifically version 2.x.x, for the European Sunmi portal—must be installed on the device. Otherwise, it cannot properly receive the key. If using the Chinese Sunmi portal then this specific, higher version of Key Injection App is not required (you can just use version 1.x.x).
With the correct key on the device, Payxpress can process payments. If Payxpress is not installed yet, it will be able to do so once it is installed.
Once the POS has received the key, it will send an acknowledgment back to the RKI Server and you will be able to see in the UI that a valid key is live on the device. Note that the device must be powered on and connected in order for this to work. It should also already have the latest firmware, so before injecting keys please be sure the device has both the Key Injection app and the correct ROM for that particular device.
You can then ship the devices from your warehouse to your merchants' sites.
Add us as a “Partner”
Once you get access to the Sunmi portal, please add PayXpert as a “Partner”. To do this:
Go to your Account page and click Add Partner.
Add us using our Entity ID: U9CLTOI0GYB53.
Please inform us when you have added us.
We will authorize you for RKI, assigning you a Base Derivation Key from which individual keys can be created.
How to create a Device Group
To save time when injecting keys, it is useful to create Device Groups. A Device Group lets you perform the RKI actions of assigning a key and starting the “Download Task” for as many devices as you want at once, instead of handling each device one by one. We therefore explain how to create a Device Group before explaining how to perform an RKI.
It is useful to group devices before injecting keys onto them. To create a group of devices:
Go to the Device tab and click the button to create a + Device Group:
Enter a name (and description) for this group:
Now you can assign devices to the group. Hover over the name of the new group and click the Add + button that appears:
In the window that appears you can add single or multiple devices to your group. Search for the Serial Number (manually, as shown below) or use the Sunmi template (download it first if needed) listing the SNs of your devices in order to batch add them into the group.
The device(s) are listed with their status. Click the Import button to assign the listed devices to this group.
You now have a group of devices that you can inject keys on with one RKI.
How to remotely inject keys on a device or group of devices
Injecting keys on a device(s) is performed in two sets of actions: 1. assigning a master key, 2. creating a Download Task. The RKI Service will then know 1. which Base Derivation Key (BDK) to use to create the derived keys and 2. that it has to push this/these new (derived) key(s) it creates onto a specific device (or Device Group).
To do both of these, and therefore to inject the keys:
Go to the key management page within the Sunmi portal that you are currently using:
EU: https://partner.eu.sunmi.com/finance/KeyManagement
The initial page for working with keys
There you will see that the BDK key (the ‘key source’) has been authorized for you. From this key, which is stored by Sunmi, but which PayXpert has authorized for you, you will be able to trigger the creation (“assignment”) of derived keys for your devices.
Now go to the Key Assignment tab. By default the Sunmi portal shows you all your devices, even if they already have been assigned a key. The device’s group (if any) is not shown. Here, you can assign a key to a single device or to a whole group.
(If assigning a key to a single device) There are 2 ways to assign a key to a single device:
By selecting the device:
Find the device on which you want to inject a key. Click Assign key.
In the window that appears, assign the master key by which the key for this device will be derived:
Manually (for a single device):
Click the Assign Key button:
Select the single device by its Serial Number (SN) and select the Base Derivation Key (BDK) from which the RKI Service will derive a new, unique key for this device.
(If assigning a key to a group of devices) This is more practical if you manage several devices
Click the Assign Key button:
Select the Device Group by its name and select the master key by which the RKI Service will derive individual keys for all these devices in this group:
Your device (or Device Group) now has a key assignment. Now you need to create a “Download Task”, which is the real trigger for the RKI Service to use the Assigned master key to push a derived key onto that device (or device group) in the background.
To create a Download Task:
Go to the Device Group (or single device). The device (or devices) should currently read “ready” (not locked), “assigned” (for the key) and should have “no task” currently associated with it/them.
Select all SNs in the group (or select an individual SN). Click the Create Download Task button.
A window appears showing you a preview of the Download Task.
Click Create Task to confirm the key injection.
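The preconditions this guide lists for a successful injection (Key Injection App version per portal, device powered on and connected, latest ROM, and the “ready” / “assigned” / “no task” states) can be checked over a device inventory before you create the Download Task. The following is an added example, not code from PayXpert or Sunmi: the inventory field names, the portal labels "EU" and "CN" and the serial numbers are assumptions made for illustration.

```python
# Added example: field names and sample devices are constructed, not a Sunmi export format.

def app_major(version):
    """Major version of the Key Injection App, or None if absent or unparsable."""
    if not version:
        return None
    head = version.split(".", 1)[0]
    return int(head) if head.isdigit() else None

def preflight(device, portal):
    """Return the reasons a device is not ready for a Download Task (empty = ready)."""
    reasons = []
    major = app_major(device.get("key_app_version"))
    if major is None:
        reasons.append("Key Injection App not installed")
    elif portal == "EU" and major != 2:
        # The guide requires version 2.x.x on the European portal; 1.x.x is enough on the Chinese one.
        reasons.append("EU portal needs Key Injection App 2.x.x")
    if not device.get("online"):
        reasons.append("device must be powered on and connected")
    if not device.get("rom_current"):
        reasons.append("ROM is not the latest for this device")
    if device.get("lock_state") != "ready":
        reasons.append("device is locked")
    if device.get("key_state") != "assigned":
        reasons.append("no key assignment yet")
    if device.get("task_state") != "no task":
        reasons.append("a task is already associated")
    return reasons

def split_batch(devices, portal):
    """Split an inventory into serial numbers ready for injection and blocked ones."""
    ready, blocked = [], {}
    for dev in devices:
        reasons = preflight(dev, portal)
        if reasons:
            blocked[dev["sn"]] = reasons
        else:
            ready.append(dev["sn"])
    return ready, blocked

OK = {"online": True, "rom_current": True, "lock_state": "ready",
      "key_state": "assigned", "task_state": "no task"}
SAMPLE = [  # constructed inventory
    {**OK, "sn": "SN-EXAMPLE-0001", "key_app_version": "2.1.0"},
    {**OK, "sn": "SN-EXAMPLE-0002", "key_app_version": "1.4.0"},
    {**OK, "sn": "SN-EXAMPLE-0003", "key_app_version": None,
     "online": False, "lock_state": "locked"},
]
```

Running `split_batch(SAMPLE, "EU")` returns the serial numbers that can go into the Download Task and, for each blocked device, the condition from this guide that it fails.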
© PayXpert Services Ltd, 2025