key generate-symmetric generic-secret
The key generate-asymmetric-pair command generates a symmetric Generic Secret key in your AWS CloudHSM cluster.
User type
The following types of users can run this command.
-
Crypto users (CUs)
Requirements
To run this command, you must be logged in as a CU.
Syntax
aws-cloudhsm >
key help generate-symmetric generic-secret
Generate a generic secret key Usage: key generate-symmetric generic-secret [OPTIONS] --label
<LABEL>
--key-length-bytes<KEY_LENGTH_BYTES>
Options: --cluster-id<CLUSTER_ID>
Unique Id to choose which of the clusters in the config file to run the operation against. If not provided, will fall back to the value provided when interactive mode was started, or error --label<LABEL>
Label for the key --session Creates a session key that exists only in the current session. The key cannot be recovered after the session ends --key-length-bytes<KEY_LENGTH_BYTES>
Key length in bytes --attributes [<KEY_ATTRIBUTES>
...] Space separated list of key attributes to set for the generated generic secret key in the form of KEY_ATTRIBUTE_NAME=KEY_ATTRIBUTE_VALUE -h, --help Print help
Examples
These examples show how to use the key generate-symmetric generic-secret command to create a generic secret key.
Example: Create a generic secret key
aws-cloudhsm >
key generate-symmetric generic-secret \ --label example-generic-secret \ --key-length-bytes 256
{ "error_code": 0, "data": { "key": { "key-reference": "0x00000000002e08fd", "key-info": { "key-owners": [ { "username": "cu1", "key-coverage": "full" } ], "shared-users": [], "cluster-coverage": "session" }, "attributes": { "key-type": "generic-secret", "label": "example-generic-secret", "id": "", "class": "secret-key", "encrypt": false, "decrypt": false, "token": false, "always-sensitive": true, "derive": false, "destroyable": true, "extractable": true, "local": true, "modifiable": true, "never-extractable": false, "private": true, "sensitive": true, "sign": true, "trusted": false, "unwrap": false, "verify": true, "wrap": false, "wrap-with-trusted": false, "key-length-bytes": 256 } } } }
Example: Create a generic secret key with optional attributes
aws-cloudhsm >
key generate-symmetric generic-secret \ --label example-generic-secret \ --key-length-bytes 256 \ --attributes token=true encrypt=true
{ "error_code": 0, "data": { "key": { "key-reference": "0x00000000002e08fd", "key-info": { "key-owners": [ { "username": "cu1", "key-coverage": "full" } ], "shared-users": [], "cluster-coverage": "session" }, "attributes": { "key-type": "generic-secret", "label": "example-generic-secret", "id": "", "class": "secret-key", "encrypt": true, "decrypt": false, "token": true, "always-sensitive": true, "derive": false, "destroyable": true, "extractable": true, "local": true, "modifiable": true, "never-extractable": false, "private": true, "sensitive": true, "sign": true, "trusted": false, "unwrap": false, "verify": true, "wrap": false, "wrap-with-trusted": false, "key-length-bytes": 256 } } } }
Arguments
<CLUSTER_ID>
-
The ID of the cluster to run this operation on.
Required: If multiple clusters have been configured.
<KEY_ATTRIBUTES>
-
Specifies a space separated list of key attributes to set for the generated AES key in the form of
KEY_ATTRIBUTE_NAME=KEY_ATTRIBUTE_VALUE
(for example,token=true
).For a list of supported key attributes, see Key attributes for CloudHSM CLI.
Required: No
<KEY-LENGTH-BYTES>
-
Specifies the key length in bytes.
Valid values:
1 to 800
Required: Yes
<LABEL>
-
Specifies a user defined label for the generic secret key. The maximum size allowable for
label
is 127 characters for Client SDK 5.11 and after. Client SDK 5.10 and before has a limit of 126 characters.Required: Yes
<SESSION>
-
Creates a key that exists only in the current session. The key cannot be recovered after the session ends.
Use this parameter when you need a key only briefly, such as a wrapping key that encrypts, and then quickly decrypts, another key. Do not use a session key to encrypt data that you might need to decrypt after the session ends.
By default, keys that are generated are persistent (token) keys. Passing in <SESSION> changes this, ensuring a key generated with this argument is a session (ephemeral) key.
Required: No