key wrap - AWS CloudHSM

key wrap

The key wrap command in CloudHSM CLI exports an encrypted copy of a symmetric or asymmetric private key from the HSM to a file. When you run key wrap, you specify two things: The key to export and the output file. The key to export is a key on the HSM that will encrypt (wrap) the key that you want to export.

The key wrap command does not remove the key from the HSM or prevent you from using it in cryptographic operations. You can export the same key multiple times. To import the encrypted key back into the HSM, use key unwrap. Only the owner of a key, that is the crypto user (CU) who created the key, can wrap the key. Users with whom the key is shared can only use the key in cryptographic operations.

The key wrap command consists of the following subcommands: