AWS CloudHSM
User Guide

Key Attribute Reference

The key_mgmt_util commands use constants to represent the attributes of keys in an HSM. This topic can help you to identify the attributes, find the constants that represent them in commands, and understand their values.

You set the attributes of a key when you create it. To change the token attribute, which indicates whether a key is persistent or exists only in the session, use the setAttribute command in key_mgmt_util. To change the label, wrap, unwrap, encrypt, or decrypt attributes, use the setAttribute command in cloudhsm_mgmt_util.

To get a list of attributes and their constants, use listAttributes. To get the attribute values for a key, use getAttribute.

The following table lists the key attributes, their constants, and their valid values.

Attribute                 Constant  Values

OBJ_ATTR_CLASS            0         2: Public key in a public–private key pair.
                                    3: Private key in a public–private key pair.
                                    4: Secret (symmetric) key.

OBJ_ATTR_TOKEN            1         0: False. Session key.
                                    1: True. Persistent key.

OBJ_ATTR_PRIVATE          2         0: False.
                                    1: True. Private key in a public–private key pair.

OBJ_ATTR_LABEL            3         User-defined string. It does not have to be unique in the cluster.

OBJ_ATTR_KEY_TYPE         256       0: RSA.
                                    1: DSA.
                                    3: EC.
                                    16: Generic secret.
                                    18: RC4.
                                    21: Triple DES (3DES).
                                    31: AES.

OBJ_ATTR_ID               258       User-defined string. Must be unique in the cluster. The default is an empty string.

OBJ_ATTR_SENSITIVE        259       0: False. Public key in a public–private key pair.
                                    1: True.

OBJ_ATTR_ENCRYPT          260       0: False.
                                    1: True. The key can be used to encrypt data.

OBJ_ATTR_DECRYPT          261       0: False.
                                    1: True. The key can be used to decrypt data.

OBJ_ATTR_WRAP             262       0: False.
                                    1: True. The key can be used to encrypt (wrap) other keys.

OBJ_ATTR_UNWRAP           263       0: False.
                                    1: True. The key can be used to decrypt (unwrap) other keys.

OBJ_ATTR_SIGN             264       0: False.
                                    1: True. The key can be used for signing (private keys).

OBJ_ATTR_VERIFY           266       0: False.
                                    1: True. The key can be used for signature verification (public keys).

OBJ_ATTR_MODULUS          288       The modulus of an RSA key pair.
                                    For other key types, this attribute does not exist.

OBJ_ATTR_MODULUS_BITS     289       The length, in bits, of the modulus of an RSA key pair.
                                    For other key types, this attribute does not exist.

OBJ_ATTR_PUBLIC_EXPONENT  290       The public exponent of an RSA key pair.
                                    For other key types, this attribute does not exist.

OBJ_ATTR_VALUE_LEN        353       Key length in bytes.

OBJ_ATTR_EXTRACTABLE      354       0: False.
                                    1: True. The key can be exported from the HSMs.

OBJ_ATTR_LOCAL            355       0: False. The key was imported into the HSMs.
                                    1: True. The key was generated in the HSMs.

OBJ_ATTR_KCV              371       Key check value of the key. For more information, see Key check value (KCV) under Additional Details.

OBJ_ATTR_ALL              512       Represents all attributes.

Additional Details

Key check value (KCV)

The key check value (KCV) is a 3-byte hash or checksum of a key. The HSM calculates the KCV when it generates the key and exposes it in the OBJ_ATTR_KCV attribute. You can also calculate a KCV outside of the HSM, for example after you export a key or before you import one, and compare the two values to confirm that both sides hold the same key and that it was not corrupted or truncated in transit. Because only 3 bytes are compared, a match is not proof that two keys are identical, but a mismatch always means they differ. To get the KCV of a key, use getAttribute with attribute constant 371.

AWS CloudHSM uses the following standard method to generate a key check value:

  • Symmetric keys: First 3 bytes of the result of encrypting a zero-filled block with the key.

  • Asymmetric key pairs: First 3 bytes of the modulus hash.
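The symmetric-key method above, as an added example in Go that is not part of the AWS CloudHSM documentation or tooling: it computes the 3-byte KCV for AES and 3DES keys with the standard library's raw block ciphers (one zero-filled block, no mode or IV) and checks the result against a value copied from getAttribute output. The all-zero sample keys and the HSM value string are constructed for the example; all-zero keys are used only because their block-cipher outputs are public test vectors. The asymmetric case is omitted because the page does not name the hash algorithm applied to the modulus.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/des"
	"encoding/hex"
	"fmt"
	"strings"
)

// KCVLen is the length, in bytes, of the key check value.
const KCVLen = 3

// symmetricKCV applies the symmetric-key method the page describes:
// encrypt one zero-filled block (the cipher's own block size) with the
// raw block cipher and keep the first KCVLen bytes of the ciphertext.
func symmetricKCV(block cipher.Block) []byte {
	zero := make([]byte, block.BlockSize())
	out := make([]byte, block.BlockSize())
	block.Encrypt(out, zero)
	return out[:KCVLen]
}

// AESKCV returns the KCV of a 16-, 24- or 32-byte AES key.
// Any other key length is an error, not a silently wrong KCV.
func AESKCV(key []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return symmetricKCV(block), nil
}

// TripleDESKCV returns the KCV of a 24-byte 3DES key (8-byte block).
func TripleDESKCV(key []byte) ([]byte, error) {
	block, err := des.NewTripleDESCipher(key)
	if err != nil {
		return nil, err
	}
	return symmetricKCV(block), nil
}

// MatchesHSM compares a locally computed KCV with the OBJ_ATTR_KCV value
// read from the HSM via getAttribute. hsmValue is the hex string as a user
// would paste it; an optional "0x" prefix and upper-case digits are accepted.
// A parse error or a length other than 3 bytes is a failed check, never a pass.
func MatchesHSM(local []byte, hsmValue string) bool {
	raw, err := hex.DecodeString(strings.TrimPrefix(strings.ToLower(hsmValue), "0x"))
	if err != nil || len(raw) != KCVLen || len(local) != KCVLen {
		return false
	}
	return bytes.Equal(local, raw)
}

func main() {
	// Constructed sample keys (all zero). Never use such keys in practice;
	// they appear here only because their KCVs are public test vectors.
	aes128 := make([]byte, 16)
	tdes := make([]byte, 24)

	k, err := AESKCV(aes128)
	if err != nil {
		panic(err)
	}
	fmt.Printf("AES-128 zero key KCV = %x\n", k) // 66e94b

	k3, err := TripleDESKCV(tdes)
	if err != nil {
		panic(err)
	}
	fmt.Printf("3DES zero key    KCV = %x\n", k3) // 8ca64d

	// Constructed stand-in for the value getAttribute -a 371 would return
	// for the AES key above; not real HSM output.
	fmt.Println("matches HSM value:", MatchesHSM(k, "0x66e94b")) // true
}
```

The 0x66e94b result for an all-zero AES-128 key is the first 3 bytes of the well-known AES test vector for a zero key and zero block, so it doubles as a self-check that the tool computes the KCV the same way the HSM does. To verify a key you are about to import, run this over the plaintext key material before wrapping it, then compare with the attribute after the import completes.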
