This topic describes how to use the aesWrapUnwrap command to encrypt and decrypt data files with an AES key stored on the HSM.
Feature description
The aesWrapUnwrap command encrypts (wraps) or decrypts (unwraps) the contents of a file on disk with an AES key held on the HSM, referenced by its key handle, and writes the result to a separate output file on disk. It is intended for data files of up to 4 KB (4096 bytes); the key never leaves the HSM, only the file contents are sent to it.
Before running this command, start key_mgmt_tool and log in to the HSM as a crypto user (CU).
Syntax
Enter parameters as per the following syntax. For detailed parameter information, see Parameters.
aesWrapUnwrap -m <wrap-unwrap mode>
-f <file-to-wrap-unwrap>
-w <wrapping-key-handle>
[-i <wrapping-IV>]
[-out <output-file>]
Parameters must be entered in the order specified by the syntax.
Examples
To encrypt the message file messageFile using the key with handle 6:

Command: aesWrapUnwrap -f messageFile -w 6 -m 1 -out messageFile.wrapped
result data: D4 B6 FF 25 6F 57 41 51 CF D5 C6 29 EF 21 FA E3
result written to file messageFile.wrapped
Cfm3WrapHostKey returned: 0x00 : HSM Return: SUCCESS

To decrypt the message file messageFile.wrapped using the key with handle 6:

Command: aesWrapUnwrap -m 0 -f messageFile.wrapped -w 6 -out messageFile.unwrapped
result data: 61 61 61 61 61 61 0A
result written to file messageFile.unwrapped
Cfm3UnWrapHostKey returned: 0x00 : HSM Return: SUCCESS
Parameters
Parameter name | Description | Required | Valid values
-m | Operation mode. | Yes | 1: wrap (encrypt); 0: unwrap (decrypt). See the examples above.
-f | File whose contents are to be wrapped or unwrapped. | Yes | No specific requirements (at most 4 KB).
-w | Handle of the AES key on the HSM used for wrapping or unwrapping. | Yes | No specific requirements
-i | Initialization vector (IV) for the wrap algorithm. Defaults to 0xA6A6A6A6A6A6A6A6, the default initial value defined by the RFC 3394 AES Key Wrap algorithm. Supply the same IV for wrapping and unwrapping; with a different IV the unwrap does not recover the original data. | No | No specific requirements
-out | Output file name. | No | Defaults: wrapped_key (encryption), unwrapped_key (decryption).
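The default IV 0xA6A6A6A6A6A6A6A6 is the initial value of the RFC 3394 AES Key Wrap algorithm, which the command name and the examples above suggest is what the HSM performs behind Cfm3WrapHostKey and Cfm3UnWrapHostKey. The following Go program is an added example, not code from the HSM tool or its vendor; it implements RFC 3394 with a software key-encryption key (KEK) so you can see what the HSM does with the key behind the -w handle, how the IV doubles as the integrity check on unwrap, and why the 7-byte messageFile from the example cannot be wrapped as-is under the plain RFC 3394 algorithm (it requires a whole number of 64-bit blocks, at least two). The KEK and key data are the RFC 3394 section 4.1 test vector; the "aaaaaa\n" input is reconstructed from the example's unwrapped bytes. Whether the HSM pads short inputs, and how, is not stated on this page and is not assumed here.

```go
package main

import (
	"crypto/aes"
	"crypto/subtle"
	"encoding/binary"
	"encoding/hex"
	"errors"
	"fmt"
)

// DefaultIV is the RFC 3394 initial value, the same constant that the
// aesWrapUnwrap -i parameter defaults to (0xA6A6A6A6A6A6A6A6).
var DefaultIV = [8]byte{0xA6, 0xA6, 0xA6, 0xA6, 0xA6, 0xA6, 0xA6, 0xA6}

// Wrap implements RFC 3394 AES Key Wrap with a software KEK (the HSM keeps
// the KEK behind a key handle instead). The plaintext must consist of whole
// 64-bit blocks, at least two of them.
func Wrap(kek []byte, iv [8]byte, plaintext []byte) ([]byte, error) {
	if len(plaintext)%8 != 0 || len(plaintext) < 16 {
		return nil, errors.New("plaintext must be a multiple of 8 bytes and at least 16 bytes long")
	}
	block, err := aes.NewCipher(kek) // kek must be 16, 24 or 32 bytes
	if err != nil {
		return nil, err
	}
	n := len(plaintext) / 8
	a := iv // A register, starts as the IV
	r := make([][8]byte, n)
	for i := range r {
		copy(r[i][:], plaintext[i*8:(i+1)*8])
	}
	var b [16]byte
	for j := 0; j < 6; j++ {
		for i := 0; i < n; i++ {
			copy(b[:8], a[:]) // B = AES(K, A | R[i])
			copy(b[8:], r[i][:])
			block.Encrypt(b[:], b[:])
			t := uint64(n*j + i + 1) // t = n*j + i with 1-based i
			binary.BigEndian.PutUint64(a[:], binary.BigEndian.Uint64(b[:8])^t)
			copy(r[i][:], b[8:])
		}
	}
	out := make([]byte, 0, 8*(n+1))
	out = append(out, a[:]...) // C[0] carries the scrambled IV
	for i := range r {
		out = append(out, r[i][:]...)
	}
	return out, nil
}

// Unwrap reverses Wrap and verifies that the recovered A equals iv. A
// mismatch means a wrong KEK, a wrong IV, or a modified ciphertext.
func Unwrap(kek []byte, iv [8]byte, ciphertext []byte) ([]byte, error) {
	if len(ciphertext)%8 != 0 || len(ciphertext) < 24 {
		return nil, errors.New("ciphertext must be a multiple of 8 bytes and at least 24 bytes long")
	}
	block, err := aes.NewCipher(kek)
	if err != nil {
		return nil, err
	}
	n := len(ciphertext)/8 - 1
	var a [8]byte
	copy(a[:], ciphertext[:8])
	r := make([][8]byte, n)
	for i := range r {
		copy(r[i][:], ciphertext[(i+1)*8:(i+2)*8])
	}
	var b [16]byte
	for j := 5; j >= 0; j-- {
		for i := n - 1; i >= 0; i-- {
			t := uint64(n*j + i + 1)
			binary.BigEndian.PutUint64(b[:8], binary.BigEndian.Uint64(a[:])^t) // (A ^ t) | R[i]
			copy(b[8:], r[i][:])
			block.Decrypt(b[:], b[:])
			copy(a[:], b[:8])
			copy(r[i][:], b[8:])
		}
	}
	if subtle.ConstantTimeCompare(a[:], iv[:]) != 1 {
		return nil, errors.New("integrity check failed: wrong KEK, wrong IV, or corrupted ciphertext")
	}
	out := make([]byte, 0, 8*n)
	for i := range r {
		out = append(out, r[i][:]...)
	}
	return out, nil
}

func main() {
	// Test vector from RFC 3394 section 4.1 (128-bit KEK, 128-bit key data).
	kek, _ := hex.DecodeString("000102030405060708090A0B0C0D0E0F")
	data, _ := hex.DecodeString("00112233445566778899AABBCCDDEEFF")
	wrapped, err := Wrap(kek, DefaultIV, data)
	if err != nil {
		panic(err)
	}
	fmt.Printf("wrapped:   %X\n", wrapped) // 1FA68B0A8112B447AEF34BD8FB5A7B829D3E862371D2CFE5
	unwrapped, err := Unwrap(kek, DefaultIV, wrapped)
	fmt.Printf("unwrapped: %X err=%v\n", unwrapped, err)
	wrapped[10] ^= 0x01 // flip one bit: unwrap must fail, not return garbage
	_, err = Unwrap(kek, DefaultIV, wrapped)
	fmt.Println("tampered:", err)
	_, err = Wrap(kek, DefaultIV, []byte("aaaaaa\n")) // the page's 7-byte example file
	fmt.Println("7-byte input:", err)
}
```

The integrity check is the practical reason the -i value matters: a wrong IV on unwrap is indistinguishable from a wrong key or a corrupted file, so if you override the default when wrapping, record it alongside the wrapped file.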