This topic explains how to export a symmetric key from the HSM using the exSymKey command.
Feature description
The exSymKey command exports a symmetric key from the HSM as plaintext to a disk file. To export a symmetric key in encrypted form instead, see wrapKey.
Only the key's owner, the CU user who created it, is authorized to export it. Users who have shared access to the key can use it for encryption but cannot export it.
Symmetric keys are backed up or migrated by pairing exSymKey with imSymKey.
The HSM does not allow a plaintext key to be exported directly. exSymKey therefore first calls wrapKey to export the key encrypted under the wrapping key, then decrypts the wrapped key with AES to produce the plaintext file.
Before running this command, start key_mgmt_tool and log in to the HSM as a CU user.
Syntax
Enter the parameters as shown in the syntax below. For details on each parameter, see Parameters.
exSymKey -k <key-to-export>
         -w <wrapping-key>
         -out <key-file>
         [-m 4]
         [-wk <unwrapping-key-file>]
Parameters must be entered in the order shown in the syntax.
Example
Command: exSymKey -k 9 -w 6 -out /tmp/aes.key
Cfm3ExportWrapKeyWithMech returned: 0x00 : HSM Return: SUCCESS
Cfm3ExportUnwrapKeyWithMech returned: 0x00 : HSM Return: SUCCESS
Exported Symmetric Key written to file "/tmp/aes.key"
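Once exSymKey has written the plaintext key file, a practitioner normally wants to confirm two things before doing anything with it: that both Cfm3 calls actually reported SUCCESS, and that the file written by -out has an AES-sized body and is readable only by its owner. The following POSIX shell script is an added example, not code from the exSymKey documentation or from key_mgmt_tool. It assumes the three status lines shown in the Example above; the sample tool output and the stand-in key file it builds are constructed for the demonstration and no HSM is involved.

```shell
#!/bin/sh
# Added example (not part of key_mgmt_tool). Post-checks an exSymKey run:
#  1. every "HSM Return:" line in the tool output must say SUCCESS
#  2. the file named in the final status line must be 16/24/32 bytes (AES key
#     sizes) and have mode 0600, since it now holds a plaintext key.

# exsymkey_succeeded OUTPUT -> 0 only if at least one "HSM Return:" line exists
# and all of them report SUCCESS ("|| true" keeps grep's count when it matches nothing)
exsymkey_succeeded() {
    total=$(printf '%s\n' "$1" | grep -c 'HSM Return:' || true)
    ok=$(printf '%s\n' "$1" | grep -c 'HSM Return: SUCCESS' || true)
    [ "$total" -gt 0 ] && [ "$total" -eq "$ok" ]
}

# exported_key_path OUTPUT -> prints the path quoted in the final status line
exported_key_path() {
    printf '%s\n' "$1" | sed -n 's/^Exported Symmetric Key written to file "\(.*\)"$/\1/p'
}

# check_key_file PATH -> 0 ok, 1 missing, 2 bad length, 3 too permissive
check_key_file() {
    f="$1"
    [ -f "$f" ] || return 1
    case "$(wc -c < "$f" | tr -d ' ')" in
        16|24|32) ;;                 # AES-128 / AES-192 / AES-256 key lengths
        *) return 2 ;;
    esac
    case "$(ls -ld "$f" | cut -c1-10)" in
        -rw-------) ;;               # owner read/write only
        *) return 3 ;;
    esac
    return 0
}

# verify_export OUTPUT -> 0 only if the tool succeeded and the key file is sane
verify_export() {
    out="$1"
    if ! exsymkey_succeeded "$out"; then
        echo "exSymKey reported a non-SUCCESS HSM return; do not use the output file" >&2
        return 1
    fi
    f=$(exported_key_path "$out")
    rc=0; check_key_file "$f" || rc=$?
    case "$rc" in
        0) echo "ok: $f holds a $(wc -c < "$f" | tr -d ' ')-byte key, mode 0600" ;;
        1) echo "missing: $f" >&2; return 1 ;;
        2) echo "unexpected length for $f (expected 16, 24 or 32 bytes)" >&2; return 1 ;;
        3) echo "$f is readable by other users; chmod 600 it before use" >&2; return 1 ;;
    esac
}

# --- constructed demonstration data (no HSM involved) ---
demo_dir=$(mktemp -d)
demo_key="$demo_dir/aes.key"
dd if=/dev/zero bs=32 count=1 of="$demo_key" 2>/dev/null   # 32 zero bytes stand in for an AES-256 key
chmod 600 "$demo_key"
DEMO_OUTPUT="Cfm3ExportWrapKeyWithMech returned: 0x00 : HSM Return: SUCCESS
Cfm3ExportUnwrapKeyWithMech returned: 0x00 : HSM Return: SUCCESS
Exported Symmetric Key written to file \"$demo_key\""
verify_export "$DEMO_OUTPUT"
rm -rf "$demo_dir"
```

In practice you would capture the output of the exSymKey command from your key_mgmt_tool session into a variable and pass it to verify_export; a non-zero return means the export should be treated as failed and the key file, if any, removed rather than copied onward.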
Parameters
| Parameter name | Description | Required | Valid values |
| --- | --- | --- | --- |
| -k | Handle of the key to export. | Yes | Use findKey to look up the key handle. |
| -w | Handle of the key used to encrypt the exported key. | Yes | Use findKey to look up the key handle. |
| -out | File name for storing the exported key. | Yes | No specific requirements |
| -m | Encryption mechanism used for the exported key. | No | 4 (NIST_AES_WRAP) |
| -wk | Path and file name of a file containing the AES key used to decrypt the exported key. | No | Defaults to the wrapping key specified by -w |