Key Management Service:wrapKey

Last Updated:Nov 11, 2024

This topic describes how to use the wrapKey command to export an encrypted (wrapped) copy of a key from the HSM to a file.

Feature description

  • The wrapKey command allows for the export of an encrypted copy of a symmetric key or private key from HSM into a file.

  • Only the key owner, that is, the CU user who generated the key, is authorized to export it. Users with whom the key is shared can use it for cryptographic operations but cannot export it.

  • For re-importing an encrypted key into HSM, refer to unWrapKey. To export a key in plain text from HSM, use exSymKey or exportPrivateKey, as appropriate.

Important

Before you run this command, make sure that you have started key_mgmt_tool and logged on to the HSM as a CU user.

Syntax

Enter the parameters as per the syntax provided below. For detailed parameter descriptions, see Parameters.

wrapKey -k <exported-key-handle>
        -w <wrapping-key-handle>
        -out <output-file>
        [-m <wrapping-mechanism>]
        [-t <hash-type>]
        [-noheader]
        [-i <wrapping IV>]
        [-iv_file <IV file>]
        [-tag_size <num_tag_bytes>]
Important

Parameters must be entered in the order outlined in the syntax.

Example

The following example exports an RSA asymmetric key (key handle 8) from the HSM to a file, wrapped with an AES key (key handle 6) using mechanism 4 (AES_KEY_WRAP_PAD_PKCS5).

Command:  wrapKey -k 8 -w 6 -out aes-encrypted.key -m 4

Output:

        Cfm2WrapKey5 returned: 0x00 : HSM Return: SUCCESS

        Key Wrapped.

        Wrapped Key written to file "aes-encrypted.key" length 1516

Parameters

-k
  Description: Identifies the handle of the key to be exported.
  Required: Yes
  Valid values: No special requirements

-w
  Description: Specifies the handle of the wrapping key, that is, the key used to encrypt the exported key.
  Required: Yes
  Valid values: No special requirements

-out
  Description: Defines the path and name of the output file.
  Required: Yes
  Valid values: No special requirements

-m
  Description: Determines the wrapping mechanism used to encrypt the exported key.
  Required: Yes
  Valid values:
    • 4: AES_KEY_WRAP_PAD_PKCS5
    • 5: NIST_AES_WRAP_NO_PAD
    • 6: NIST_AES_WRAP_PAD
    • 7: RSA_AES
    • 8: RSA_OAEP
    • 9: NIST_TDEA_WRAP
    • 10: AES_GCM
    • 11: CLOUDHSM_AES_GCM

-t
  Description: Specifies the hash algorithm to be used.
  Valid values:
    • 2: SHA1
    • 3: SHA-256
    • 4: SHA-384
    • 5: SHA-512
    • 6: SHA224 (valid for RSA_AES and RSA_OAEP)

-noheader
  Description: Omits the header containing specific key properties.
  Required: No
  Valid values: No special requirements

-i
  Description: Defines the initialization vector.
  Note: Applicable only when used with the -noheader parameter for the CLOUDHSM_AES_KEY_WRAP and NIST_AES_WRAP mechanisms.
  Required: No
  Valid values: No special requirements

-iv_file
  Description: Indicates the file containing the initialization vector.
  Note: Applicable only when used with the -noheader parameter for the AES_GCM mechanism.
  Required: No
  Valid values: No special requirements

-tag_size
  Description: Determines the size of the authentication tag, in bytes, for the operation.
  Note: Applicable only when used with the -noheader parameter for the AES_GCM and CLOUDHSM_AES_GCM mechanisms.
  Required: No
  Valid values: Minimum value is 8.