This topic explains how to use the extractMaskedObject command to retrieve keys from the HSM and save them as masked objects.
Feature description
- The extractMaskedObject command retrieves keys from the HSM and stores them as masked objects in a file. These masked objects, also known as clone objects, include keys that are non-extractable (i.e., keys with an OBJ_ATTR_EXTRACTABLE value of 0).
- Masked objects created by extractMaskedObject can be re-imported only into the originating HSM cluster or its clone, using the insertMaskedObject command. This makes key duplication possible.
Before executing this command, make sure you have started key_mgmt_tool and logged in to the HSM with a CU identity.
Syntax
Enter the parameters as outlined in the syntax below. For detailed parameter descriptions, see Parameters.
extractMaskedObject -o <object-handle> -out <object-file>
Enter the parameters in the order specified by the syntax.
Example
Command: extractMaskedObject -o 9 -out /tmp/masked.obj
Object was masked and written to file "/tmp/masked.obj"
Cfm3ExtractMaskedObject returned: 0x00 : HSM Return: SUCCESS
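The script below is an added example, not part of the original documentation. It checks a saved transcript of the session shown above for the SUCCESS return line, confirms that the masked object is a regular, non-empty file, restricts it to its owner and prints its SHA-256. Saving the key_mgmt_tool output to a transcript file, the function names, and the sample data in demo are assumptions.

```shell
#!/bin/sh
# Added example: post-extraction checks for a masked object file.
# Assumption: the key_mgmt_tool session output was saved to a transcript file.

# Print the path reported by a successful extractMaskedObject run.
# Fails if the transcript lacks the 0x00 SUCCESS line or the path line.
masked_object_path() {
    transcript=$1
    grep -q 'Cfm3ExtractMaskedObject returned: 0x00 : HSM Return: SUCCESS' \
        "$transcript" || return 1
    path=$(sed -n 's/^Object was masked and written to file "\(.*\)"$/\1/p' \
        "$transcript" | tail -n 1)
    [ -n "$path" ] || return 1
    printf '%s\n' "$path"
}

# Require a regular, non-empty file that is not a symlink (the page's example
# writes to the shared /tmp directory), restrict it to the owner, and print
# its SHA-256 so that later copies can be compared against it.
secure_masked_object() {
    file=$1
    [ -f "$file" ] && [ ! -L "$file" ] && [ -s "$file" ] || return 1
    chmod 600 "$file" || return 1
    sha256sum "$file" | cut -d' ' -f1
}

# Demo on constructed data: a placeholder file and a transcript that mirrors
# the output format shown in the Example section.
demo() {
    dir=$(mktemp -d) || return 1
    printf 'constructed placeholder bytes' > "$dir/masked.obj"
    cat > "$dir/session.log" <<EOF
Command: extractMaskedObject -o 9 -out $dir/masked.obj
Object was masked and written to file "$dir/masked.obj"
Cfm3ExtractMaskedObject returned: 0x00 : HSM Return: SUCCESS
EOF
    obj=$(masked_object_path "$dir/session.log") || return 1
    echo "$obj sha256=$(secure_masked_object "$obj")"
    rm -rf "$dir"
}
demo
```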
Parameters
Parameter Name | Description | Required | Valid Values |
-o | Indicates the key handle to be retrieved as a masked object. | Yes | Utilize findKey to locate the key handle. |
-out | Designates the file name for storing the masked object. | Yes | No Special Requirements |