All Products
Search

This Product

    Key Management Service:imSymKey

    Document Center

    Key Management Service:imSymKey

    Last Updated:Nov 12, 2024

    This topic explains how to use the imSymKey command to import symmetric keys into HSM.

    Feature description

    • The imSymKey command enables the importation of key files stored in plaintext into HSM. For encrypted key files, refer to unWrapKey.

    • Utilizing exSymKey and imSymKey, you can facilitate the backup or migration of symmetric keys.

    • For importing symmetric keys, use the imSymKey command. To import public keys, see importPubKey, and for private keys, refer to importPrivateKey.

    • HSM prohibits the direct import of keys in plaintext. Initially, imSymKey encrypts the import file with AES, followed by invoking unWrapKey to facilitate the import of the encrypted file into HSM.

    Important

    Ensure you have started key_mgmt_tool and logged on to HSM as CU before executing this command.

    Syntax

    Enter the parameters as per the syntax provided below. For detailed parameter descriptions, see Parameters.

    imSymKey -f <key-file>
         -w <wrapping-key-handle>  
         -t <key-type>
         -l <label>
         [-id <key-ID>]
         [-sess]
         [-wk <wrapping-key-file> ]
         [-attest]
         [-min_srv <minimum-number-of-servers>]
         [-timeout <number-of-seconds> ]
         [-u <user-ids>]
    Important

    Parameters must be entered in the sequence outlined in the syntax.

    Example

    • Generate a random 256-bit AES symmetric key using OpenSSL and save it to the aes256.key file.

      openssl rand -out aes256.key 32

    • The imSymKey command imports the AES key from the aes256.key file into HSM.

    • Command:  imSymKey -f aes256.key -w 6 -t 31 -l importedaes

       	Cfm3ImportWrapKey returned: 0x00 : HSM Return: SUCCESS

       	Cfm3CreateUnwrapTemplate2 returned: 0x00 : HSM Return: SUCCESS

       	Cfm3ImportUnWrapKey returned: 0x00 : HSM Return: SUCCESS

       	Symmetric Key Imported.  Key Handle: 19

       	Cluster Status:
       	Node id 0 status: 0x00000000 : HSM Return: SUCCESS

    Parameters

    Parameter Name

    Description

    Required

    Valid Values

    -f

    Specifies the file name containing the import key.

    Yes

    No specific requirements

    -w

    Specifies the AES key handle used to encrypt the import key.

    Yes

    No specific requirements

    -t

    Indicates the type of the import key.

    Yes

    • 21: Triple DES (3DES).

    • 31: AES

    -l

    Specifies the label for the import key.

    Yes

    No specific requirements

    -id

    Specifies the ID for the import key.

    No

    No specific requirements

    -sess

    Designates the import key as a session key.

    No

    No specific requirements

    -wk

    Specifies the file for decrypting the import key, including the path and file name of the AES key.

    No

    Defaults to the encryption key specified by -w

    -attest

    Conducts an integrity check on the firmware response.

    No

    No specific requirements

    -min_srv

    • Sets the minimum number of servers required to be synchronized within the allocated time (refer to timeout).

    • If the key fails to synchronize to the specified number of servers within the allocated time, it will not be created.

    No

    No specific requirements

    -timeout

    • Defines the time (in seconds) for the key to synchronize to the specified number of servers (refer to min_srv).

    • This parameter is applicable only when the min_srv parameter is also used.

    • Default: No timeout, the command waits indefinitely until the key is synchronized to the minimum number of servers.

    No

    No specific requirements

    -u

    Lists the user IDs authorized to share the import key, separated by commas for multiple users.

    No

    No specific requirements