AWS CloudHSM
User Guide

cloudhsm_mgmt_util Command Reference

The cloudhsm_mgmt_util command line tool helps Crypto Officers (PCOs and COs) manage users in the HSMs. It also includes commands that allow Crypto Users (CUs) to share keys, and get and set key attributes. These commands complement the primary key management commands in the key_mgmt_util command line tool.

For a quick start, see Getting Started with cloudhsm_mgmt_util.

Before you run any cloudhsm_mgmt_util command, you must start cloudhsm_mgmt_util, enable end-to-end encryption, and log in to the HSM. Be sure that the user type of the account that you use to log in can run the commands you plan to use.

To list all cloudhsm_mgmt_util commands, type:

aws-cloudhsm> help

To get the syntax for a cloudhsm_mgmt_util command, type:

aws-cloudhsm> help <command-name>

To run a command, type the command name, or enough of the name to distinguish it from the names of other cloudhsm_mgmt_util commands.

For example, to get a list of users on the HSMs, type listUsers or listU.

aws-cloudhsm> listUsers

To end your cloudhsm_mgmt_util session, type:

aws-cloudhsm> quit

For help interpreting the key attributes, see the Key Attribute Reference.

The following topics describe commands in cloudhsm_mgmt_util.

Note

Some commands in key_mgmt_util and cloudhsm_mgmt_util have the same names. However, the commands typically have different syntax, different output, and slightly different functionality.

| Command | Description | User Type |
| --- | --- | --- |
| changePswd | Changes the passwords of users on the HSMs. Any user can change their own password. COs can change anyone's password. | CO |
| createUser | Creates users of all types on the HSMs. | CO |
| deleteUser | Deletes users of all types from the HSMs. | CO |
| findAllKeys | Gets the keys that a user owns or shares. Also gets a hash of the key ownership and sharing data for all keys on each HSM. | CO, AU |
| getAttribute | Gets an attribute value for an AWS CloudHSM key and writes it to a file or stdout. | CU |
| getHSMInfo | Gets information about the hardware on which an HSM is running. | All. Login is not required. |
| getKeyInfo | Gets owners, shared users, and the quorum authentication status of a key. | All. Login is not required. |
| info | Gets information about an HSM, including the IP address, host name, port, and current user. | All. Login is not required. |
| listUsers | Gets the users in each of the HSMs, their user type and ID, and other attributes. | All. Login is not required. |
| setAttribute | Changes the values of the label, encrypt, decrypt, wrap, and unwrap attributes of an existing key. | CU |
| shareKey | Shares an existing key with other users. | CU |