Supported attributes for CloudHSM CLI

As a best practice, only set values for attributes you wish to make restrictive. If you don’t specify a value, CloudHSM CLI uses the default value specified in the table below.

The following table lists the key attributes, possible values, defaults, and related notes for CloudHSM CLI. An empty cell in the Value column indicates that there is no specific default value assigned to the attribute.

CloudHSM CLI attribute	Value	Modifiable with key set-attribute	Settable at key creation
`always-sensitive`	The value is `True` if `sensitive` has always been set to `True` and has never changed.	No	No
`check-value`	The check value of the key. For more information, see Additional Details.	No	No
`class`	Possible values: `secret-key`, `public-key`, and `private-key`.	No	Yes
`curve`	Elliptic curve used to generate the EC key pair. Valid Values: `secp224r1`, `secp256r1`, `prime256v1`, `secp384r1`, `secp256k1`, and `secp521r1`	No	Settable with EC, not settable with RSA
`decrypt`	Default: `False`	Yes	Yes
`derive`	Default: `False`	Derive can be set on hsm2m.medium instances. It cannot be set for RSA keys on hsm1.medium instances.	Yes
`destroyable`	Default: `True`	Yes	Yes
`ec-point`	For EC keys, DER-encoding of ANSI X9.62 ECPoint value "Q" in a hexadecimal format. For other key types, this attribute does not exist.	No	No
`encrypt`	Default: `False`	Yes	Yes
`extractable`	Default: `True`	No	Yes
`id`	Default: Empty	id can be set on hsm2m.medium instances. It cannot be set on hsm1.medium instances.	Yes
`key-length-bytes`	Required for generating an AES key. Valid values: `16`, `24`, and `32` bytes.	No	No
`key-type`	Possible values: `aes`, `rsa`, and `ec`	No	Yes
`label`	Default: Empty	Yes	Yes
`local`	Default: `True` for keys generated in the HSM, `False` for keys imported into the HSM.	No	No
`modifiable`	Default: `True`	Can be changed from true to false, but not from false to true.	Yes
`modulus`	The modulus that was used to generate an RSA key pair. For other key types, this attribute does not exist.	No	No
`modulus-size-bits`	Required for generating an RSA key pair. Minimum value is `2048`.	No	Settable with RSA, not settable with EC
`never-extractable`	The value is `True` if extractable has never been set to `False`. The value is `False` if extractable has ever been set to `True`.	No	No
`private`	Default: `True`	No	Yes
`public-exponent`	Required for generating an RSA key pair. Valid values: The value must be an odd number greater than or equal to `65537`.	No	Settable with RSA, not settable with EC
`sensitive`	Default: The value is `True` for AES keys and EC and RSA private keys. The value is `False` for EC and RSA public keys.	No	Settable with private keys, not settable with public keys.
`sign`	Default: The value is `True` for AES keys. The value is `False` for RSA and EC keys.	Yes	Yes
`token`	Default: `True`	Can be changed from false to true, but not from true to false.	Yes
`trusted`	Default: `False`	Only admin users can set this parameter.	No
`unwrap`	Default: `False`	Yes	Yes, except for public keys.
`unwrap-template`	Values should use the attribute template applied to any key unwrapped using this wrapping key.	Yes	No
`verify`	Default: The value is `True` for AES keys. The value is `False` for RSA and EC keys.	Yes	Yes
`wrap`	Default: `False`	Yes	Yes, except for private keys.
`wrap-template`	Values should use the attribute template to match the key wrapped using this wrapping key.	Yes	No
`wrap-with-trusted`	Default: `False`	Yes	Yes

Warning Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Document Conventions

Key attributes

Check value