key unwrap rsa-aes
The key unwrap rsa-aes command unwraps a payload key using an RSA private key and the RSA-AES unwrapping mechanism.
Unwrapped keys can be used in the same ways as the keys generated by AWS CloudHSM. To indicate that they were not generated locally, their local attribute is set to false.
To use the key unwrap rsa-aes, you must have the RSA private key of the RSA public wrapping key in your AWS CloudHSM cluster, and its unwrap attribute must be set to true.
User type
The following types of users can run this command.
-
Crypto users (CUs)
Requirements
-
To run this command, you must be logged in as a CU.
Syntax
aws-cloudhsm >help key unwrap rsa-aesUsage: key unwrap rsa-aes [OPTIONS] --filter [<FILTER>...] --hash-function<HASH_FUNCTION>--mgf<MGF>--key-type-class<KEY_TYPE_CLASS>--label<LABEL><--data-path<DATA_PATH>|--data<DATA>> Options: --cluster-id<CLUSTER_ID>Unique Id to choose which of the clusters in the config file to run the operation against. If not provided, will fall back to the value provided when interactive mode was started, or error --filter [<FILTER>...] Key reference (e.g. key-reference=0xabc) or space separated list of key attributes in the form of attr.KEY_ATTRIBUTE_NAME=KEY_ATTRIBUTE_VALUE to select a key to unwrap with --data-path<DATA_PATH>Path to the binary file containing the wrapped key data --data<DATA>Base64 encoded wrapped key data --attributes [<UNWRAPPED_KEY_ATTRIBUTES>...] Space separated list of key attributes in the form of KEY_ATTRIBUTE_NAME=KEY_ATTRIBUTE_VALUE for the unwrapped key --hash-function<HASH_FUNCTION>Hash algorithm [possible values: sha1, sha224, sha256, sha384, sha512] --mgf<MGF>Mask Generation Function algorithm [possible values: mgf1-sha1, mgf1-sha224, mgf1-sha256, mgf1-sha384, mgf1-sha512] --key-type-class<KEY_TYPE_CLASS>Key type and class of wrapped key [possible values: aes, des3, ec-private, generic-secret, rsa-private] --label<LABEL>Label for the unwrapped key --session Creates a session key that exists only in the current session. The key cannot be recovered after the session ends -h, --help Print help
Example
These examples show how to use the key unwrap rsa-aes command using the RSA private key with the unwrap attribute value set to true.
Example: Unwrap a payload key from Base64 encoded wrapped key data
aws-cloudhsm >key unwrap rsa-aes --key-type-class aes --label aes-unwrapped --filter attr.label=rsa-private-key-example --hash-function sha256 --mgf mgf1-sha256 --data HrSE1DEyLjIeyGdPa9R+ebiqB5TIJGyamPker31ZebPwRA+NcerbAJO8DJ1lXPygZcI21vIFSZJuWMEiWpe1R9D/5WSYgxLVKex30xCFqebtEzxbKuv4DOmU4meSofqREYvtb3EoIKwjyxCMRQFgoyUCuP4y0f0eSv0k6rSJh4NuCsHptXZbtgNeRcR4botN7LlzkEIUcq4fVHaatCwd0J1QGKHKyRhkol+RL5WGXKe4nAboAkC5GO7veI5yHL1SaKlssSJtTL/CFpbSLsAFuYbv/NUCWwMY5mwyVTCSlw+HlgKK+5TH1MzBaSi8fpfyepLT8sHy2Q/VRl6ifb49p6m0KQFbRVvz/OWUd6l4d97BdgtaEz6ueg=={ "error_code": 0, "data": { "key": { "key-reference": "0x00000000001808e2", "key-info": { "key-owners": [ { "username": "cu1", "key-coverage": "full" } ], "shared-users": [], "cluster-coverage": "full" }, "attributes": { "key-type": "aes", "label": "aes-unwrapped", "id": "0x", "check-value": "0x8d9099", "class": "secret-key", "encrypt": false, "decrypt": false, "token": true, "always-sensitive": false, "derive": false, "destroyable": true, "extractable": true, "local": false, "modifiable": true, "never-extractable": false, "private": true, "sensitive": true, "sign": true, "trusted": false, "unwrap": false, "verify": true, "wrap": false, "wrap-with-trusted": false, "key-length-bytes": 16 } } } }
Example: Unwrap a payload key provided through a data path
aws-cloudhsm >key unwrap rsa-aes --key-type-class aes --label aes-unwrapped --filter attr.label=rsa-private-key-example --hash-function sha256 --mgf mgf1-sha256 --data-path payload-key.pem{ "error_code": 0, "data": { "key": { "key-reference": "0x00000000001808e2", "key-info": { "key-owners": [ { "username": "cu1", "key-coverage": "full" } ], "shared-users": [], "cluster-coverage": "full" }, "attributes": { "key-type": "aes", "label": "aes-unwrapped", "id": "0x", "check-value": "0x8d9099", "class": "secret-key", "encrypt": false, "decrypt": false, "token": true, "always-sensitive": false, "derive": false, "destroyable": true, "extractable": true, "local": false, "modifiable": true, "never-extractable": false, "private": true, "sensitive": true, "sign": true, "trusted": false, "unwrap": false, "verify": true, "wrap": false, "wrap-with-trusted": false, "key-length-bytes": 16 } } } }
Arguments
<CLUSTER_ID>-
The ID of the cluster to run this operation on.
Required: If multiple clusters have been configured.
<FILTER>-
Key reference (for example,
key-reference=0xabc) or space separated list of key attributes in the form ofattr.KEY_ATTRIBUTE_NAME=KEY_ATTRIBUTE_VALUEto select a key to unwrap with.Required: Yes
<DATA_PATH>-
Path to the binary file containing the wrapped key data.
Required: Yes (unless provided through Base64 encoded data)
<DATA>-
Base64 encoded wrapped key data.
Required: Yes (unless provided through data path)
<ATTRIBUTES>-
Space separated list of key attributes in the form of
KEY_ATTRIBUTE_NAME=KEY_ATTRIBUTE_VALUEfor the wrapped key.Required: No
<KEY_TYPE_CLASS>-
Key type and class of wrapped key [possible values:
aes,des3,ec-private,generic-secret,rsa-private].Required: Yes
<HASH_FUNCTION>-
Specifies the hash function.
Valid values:
sha1
sha224
sha256
sha384
sha512
Required: Yes
<MGF>-
Specifies the mask generation function.
Note
The mask generation function hash function must match the signing mechanism hash function.
Valid values:
mgf1-sha1
mgf1-sha224
mgf1-sha256
mgf1-sha384
mgf1-sha512
Required: Yes
<LABEL>-
Label for the unwrapped key.
Required: Yes
<SESSION>-
Creates a session key that exists only in the current session. The key cannot be recovered after the session ends.
Required: No
Related topics
