Key Management Service:importPrivateKey

Last Updated:Nov 11, 2024

This topic explains the process of importing a private key into HSM using the importPrivateKey command.

Feature description

  • The importPrivateKey command imports an asymmetric private key from a file into HSM.

  • HSM accepts keys only in encrypted form: the private key is encrypted with an AES key inside HSM (the wrapping key given by -w) and is decrypted again within HSM, so the plaintext key is never handed to HSM unprotected.

  • Used together, the exportPrivateKey and importPrivateKey commands let you back up private keys or transfer them between HSMs.

Important

Ensure you have started the key_mgmt_tool and logged on to HSM as a CU before executing this command.

Syntax

Enter the parameters as per the following syntax. For descriptions of the parameters, refer to Parameters.

importPrivateKey -l <label>
                 -f <key-file>
                 -w <wrapping-key-handle>
                 [-sess]
                 [-id <key-id>]
                 [-m_value <0...8>]
                 [-min_srv <minimum-number-of-servers>]
                 [-timeout <number-of-seconds>]
                 [-u <user-ids>]
                 [-wk <wrapping-key-file>]
                 [-attest]
Important

It is crucial to input the parameters in the sequence outlined by the syntax.

Example

The following example demonstrates importing a private key from the keypair.pem file and assigning it the label rsa2048-imported. The AES key handle used for encryption is 6, and the output indicates that the private key handle in HSM is 17.

Command:  importPrivateKey -f keypair.pem -l rsa2048-imported -w 6

BER encoded key length is 1218
Cfm3ImportWrapKey returned: 0x00 : HSM Return: SUCCESS
Cfm3CreateUnwrapTemplate2 returned: 0x00 : HSM Return: SUCCESS
Cfm3ImportUnWrapKey: 0x00 : HSM Return: SUCCESS
Private Key Imported.  Key Handle: 17
Cluster Status:
Node id 0 status: 0x00000000 : HSM Return: SUCCESS
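When importPrivateKey is run from a script, the key handle should only be trusted if every wrap/unwrap step and every cluster node reported SUCCESS. The following parser is an added example, not part of the key_mgmt_tool or of this documentation; it assumes the output format shown above and uses a constructed failure sample with a hypothetical return code.

```python
import re
from typing import Optional

# Constructed sample: the importPrivateKey output shown above, verbatim.
SAMPLE_OUTPUT = """BER encoded key length is 1218
Cfm3ImportWrapKey returned: 0x00 : HSM Return: SUCCESS
Cfm3CreateUnwrapTemplate2 returned: 0x00 : HSM Return: SUCCESS
Cfm3ImportUnWrapKey: 0x00 : HSM Return: SUCCESS
Private Key Imported.  Key Handle: 17
Cluster Status:
Node id 0 status: 0x00000000 : HSM Return: SUCCESS
"""

# Constructed failure sample (hypothetical return code and status text,
# not taken from the page): the unwrap step fails and no handle is printed.
FAILED_OUTPUT = """BER encoded key length is 1218
Cfm3ImportWrapKey returned: 0x00 : HSM Return: SUCCESS
Cfm3CreateUnwrapTemplate2 returned: 0x00 : HSM Return: SUCCESS
Cfm3ImportUnWrapKey: 0xa8 : HSM Return: FAILED
"""

# Two line shapes occur: "Cfm3Xxx returned: 0x.. : HSM Return: ..." and
# "Cfm3Xxx: 0x.. : HSM Return: ..." (no "returned"); both are handled.
STEP_RE = re.compile(r"^(Cfm3\w+)(?: returned)?: (0x[0-9a-fA-F]+) : HSM Return: (\w+)$")
NODE_RE = re.compile(r"^Node id (\d+) status: (0x[0-9a-fA-F]+) : HSM Return: (\w+)$")
HANDLE_RE = re.compile(r"^Private Key Imported\.\s+Key Handle: (\d+)$")


def parse_import_result(output: str) -> dict:
    """Collect each Cfm3 step's return code, the per-node cluster status,
    and the imported key handle (None if the tool never printed one)."""
    steps, nodes, handle = {}, {}, None
    for line in output.splitlines():
        line = line.strip()
        if m := STEP_RE.match(line):
            steps[m.group(1)] = (int(m.group(2), 16), m.group(3))
        elif m := NODE_RE.match(line):
            nodes[int(m.group(1))] = (int(m.group(2), 16), m.group(3))
        elif m := HANDLE_RE.match(line):
            handle = int(m.group(1))
    return {"steps": steps, "nodes": nodes, "handle": handle}


def imported_key_handle(output: str) -> Optional[int]:
    """Return the new key handle only if every step and every cluster node
    reported code 0 / SUCCESS; otherwise None, so a partial import or a key
    that did not synchronize is never treated as a finished import."""
    r = parse_import_result(output)
    results = list(r["steps"].values()) + list(r["nodes"].values())
    all_ok = bool(r["steps"]) and bool(r["nodes"]) and all(
        code == 0 and status == "SUCCESS" for code, status in results)
    return r["handle"] if all_ok and r["handle"] is not None else None
```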

Parameters

Parameter Name: -f
  Description: The name of the file that contains the key to be imported.
  Required: Yes
  Valid Values: None

Parameter Name: -w
  Description: The handle of the AES key used to encrypt the private key.
  Required: Yes
  Valid Values: None

Parameter Name: -l
  Description: The label for the imported key.
  Required: Yes
  Valid Values: None

Parameter Name: -id
  Description: The ID assigned to the imported key.
  Required: No
  Valid Values: None

Parameter Name: -sess
  Description: Marks the imported key as a session key.
  Required: No
  Valid Values: None

Parameter Name: -nex
  Description: Sets the key as non-exportable.
  Required: No
  Valid Values: None

Parameter Name: -u
  Description: The user IDs that have access to the imported key, separated by commas if there is more than one.
  Required: No
  Valid Values: None

Parameter Name: -m_value
  Description: The maximum number of users who can use the imported key.
  Required: No
  Valid Values: 0 to 8

Parameter Name: -attest
  Description: Performs a firmware response integrity check.
  Required: No
  Valid Values: None

Parameter Name: -min_srv
  Description:
  • The minimum number of servers to which the key must be synchronized within the specified timeout period.
  • If the key fails to synchronize to the required number of servers within the timeout, it is not created.
  Required: No
  Valid Values: None

Parameter Name: -timeout
  Description:
  • The synchronization timeout in seconds for the key to reach the minimum number of servers (see -min_srv).
  • This parameter applies only when used together with the -min_srv parameter.
  • Default: no timeout; the command waits indefinitely until the key has synchronized to the minimum number of servers.
  Required: No
  Valid Values: None