Key Management Service: key_mgmt_tool

Last Updated: Nov 11, 2024

After enabling the hsm_proxy HSM client, you can use the key_mgmt_tool to manage keys for CU users within HSM. The key_mgmt_tool is a command line utility that allows for the creation, deletion, and inspection of key attributes. This topic describes how to use the key_mgmt_tool.

Prerequisites

The hsm_proxy HSM client is running. For more information, see Start the HSM client (hsm_proxy).

Download key_mgmt_tool

The key_mgmt_tool is bundled with the hsm_mgmt_tool in a single installation package. For more information, see Download the installation package.

Start and exit the tool

To start the key_mgmt_tool command line utility:

/opt/hsm/bin/key_mgmt_tool

To exit the key_mgmt_tool command line utility:

Command: exit

Obtain help

Execute the following command to display all available key_mgmt_tool commands:

Command: help

Execute the following command to obtain help for a specific key_mgmt_tool command:

Command: <command-name> -h

Command reference

The following table describes the commands in key_mgmt_tool.

| Command | Description |
| --- | --- |
| aesWrapUnwrap | Encrypts and decrypts the key content in the file. |
| deleteKey | Removes a key from the HSM. |
| Error2String | Provides the corresponding hexadecimal error code from key_mgmt_tool. |
| exit | Exits the key_mgmt_tool. |
| exportPrivateKey | Exports a private key from an HSM instance to a disk file. |
| exportPubKey | Exports the public key from an HSM instance to a disk file. |
| exSymKey | Exports the plaintext of the symmetric key from an HSM instance to a file. |
| extractMaskedObject | Retrieves a key as a masked object file from an HSM instance. |
| findKey | Searches for keys using key attribute values. |
| findSingleKey | Verifies whether there are keys on an HSM instance. |
| genDSAKeyPair | Creates a DSA (Digital Signature Algorithm) key pair in an HSM instance. |
| genECCKeyPair | Generates an Elliptic Curve Cryptography (ECC) key pair in an HSM instance. |
| genRSAKeyPair | Generates RSA asymmetric key pairs in an HSM instance. |
| genSymKey | Generates a symmetric key in an HSM instance. |
| getAttribute | Generates the key attribute values from an HSM instance and writes them to a file. |
| getCaviumPrivKey | Generates a private key in simulated PEM format and saves it to a file. |
| getCert | Retrieves the HSM instance's partition certificate and saves it in a file. |
| getKeyInfo | Retrieves the IDs of HSM users who can use the keys. If the key is controlled, the number of controlled users will be returned. |
| importPrivateKey | Imports a private key into an HSM instance. |
| importPubKey | Imports a public key into an HSM instance. |
| imSymKey | Imports a symmetric key in plaintext from a file to an HSM instance. |
| insertMaskedObject | Inserts a masked object into an HSM instance from a disk file. |
| IsValidKeyHandlefile | Determines if a given file contains a real private key or a fake PEM key. |
| listAttributes | Lists the attributes of HSM keys and their constant representations. |
| listUsers | Retrieves user types and IDs within an HSM instance, along with other user attributes. |
| loginHSM and logoutHSM | Logs on to or logs out from an HSM instance. |
| setAttribute | Converts a session key into a permanent key. |
| sign | Generates a signature for a file using your private keys. |
| unWrapKey | Imports the wrapped (encrypted) key from a file into your HSM instance. |
| verify | Verifies if the specified file is signed with the given key. |
| wrapKey | Exports the encrypted copy of the key from an HSM instance to a file. |