Export a private AWS CloudHSM key using KMU
Use the exportPrivateKey command in the AWS CloudHSM key_mgmt_util to export an asymmetric private key from a hardware security module (HSM) to a file. The HSM does not allow direct export of keys in cleartext. The command wraps the private key using an AES wrapping key you specify, decrypts the wrapped bytes, and copies the cleartext private key to a file.
The exportPrivateKey command does not remove the key from the HSM, change its key attributes, or prevent you from using the key in further cryptographic operations. You can export the same key multiple times.
You can only export private keys that have the OBJ_ATTR_EXTRACTABLE attribute value 1.
You must specify an AES wrapping key that has the OBJ_ATTR_WRAP and OBJ_ATTR_DECRYPT attributes value 1.
To find a key's attributes, use the getAttribute command.
Before you run any key_mgmt_util command, you must start key_mgmt_util and log in to the HSM as a crypto user (CU).
Syntax
exportPrivateKey -h

exportPrivateKey -k <private-key-handle>
                 -w <wrapping-key-handle>
                 -out <key-file>
                 [-m <wrapping-mechanism>]
                 [-wk <wrapping-key-file>]
Examples
This example shows how to use exportPrivateKey to export a private key out of an HSM.
Example: Export a private key
This command exports a private key with handle 15 using a wrapping key with handle 16 to a PEM file called exportKey.pem. When the command succeeds, exportPrivateKey returns a success message.
Command:
exportPrivateKey -k 15 -w 16 -out exportKey.pem
Cfm3WrapKey returned: 0x00 : HSM Return: SUCCESS
Cfm3UnWrapHostKey returned: 0x00 : HSM Return: SUCCESS
PEM formatted private key is written to exportKey.pem
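As an added example (not from the AWS documentation or the key_mgmt_util tool): a Python script that parses the console output shown above, confirms that both HSM calls (Cfm3WrapKey and Cfm3UnWrapHostKey) returned SUCCESS and picks up the output file name, then checks that the written file is a PEM private key and tightens its mode to 0600, since exportPrivateKey leaves the cleartext key on the host file system. The sample output and the placeholder PEM are constructed for the example; the permission check assumes a POSIX host.

```python
import os
import re
import stat
import tempfile

# Constructed sample of exportPrivateKey's console output, modelled on the
# documented success message (not captured from a real HSM).
SAMPLE_OUTPUT = """\
Cfm3WrapKey returned: 0x00 : HSM Return: SUCCESS
Cfm3UnWrapHostKey returned: 0x00 : HSM Return: SUCCESS
PEM formatted private key is written to exportKey.pem
"""

# One line per HSM call: the wrap inside the HSM and the unwrap on the host.
_RETURN_RE = re.compile(
    r"^(Cfm3WrapKey|Cfm3UnWrapHostKey) returned: (0x[0-9A-Fa-f]+) : HSM Return: (\w+)$"
)
_WRITTEN_RE = re.compile(r"^PEM formatted private key is written to (\S+)$")


def parse_export_output(text):
    """Return (success, output_path, per_call_codes) for exportPrivateKey console text.

    success is True only when both HSM calls reported 0x00 / SUCCESS and the
    'written to' line names an output file.
    """
    codes = {}
    path = None
    for raw in text.splitlines():
        line = raw.strip()
        m = _RETURN_RE.match(line)
        if m:
            codes[m.group(1)] = (int(m.group(2), 16), m.group(3))
            continue
        m = _WRITTEN_RE.match(line)
        if m:
            path = m.group(1)
    success = path is not None and all(
        codes.get(call) == (0, "SUCCESS") for call in ("Cfm3WrapKey", "Cfm3UnWrapHostKey")
    )
    return success, path, codes


def check_exported_pem(path):
    """Confirm the file holds a PEM private key and is readable only by its owner.

    Returns a dict of findings and tightens the mode to 0600 if it was looser,
    because the file contains the cleartext private key.
    """
    findings = {"is_pem_private_key": False, "mode_was_strict": False, "mode_fixed": False}
    with open(path, "rb") as f:
        first_line = f.read().split(b"\n", 1)[0]
    # Accepts "PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY" headers.
    findings["is_pem_private_key"] = (
        first_line.startswith(b"-----BEGIN ") and first_line.endswith(b" PRIVATE KEY-----")
    )
    mode = stat.S_IMODE(os.stat(path).st_mode)
    findings["mode_was_strict"] = mode == 0o600
    if not findings["mode_was_strict"]:
        os.chmod(path, 0o600)
        findings["mode_fixed"] = stat.S_IMODE(os.stat(path).st_mode) == 0o600
    return findings


def demo():
    """Write a constructed placeholder PEM (not a real key) with a loose mode and check it."""
    workdir = tempfile.mkdtemp()
    path = os.path.join(workdir, "exportKey.pem")
    with open(path, "wb") as f:
        f.write(b"-----BEGIN PRIVATE KEY-----\nPLACEHOLDER-NOT-A-REAL-KEY\n-----END PRIVATE KEY-----\n")
    os.chmod(path, 0o644)  # deliberately too permissive, as a freshly written file might be
    ok, reported_path, _ = parse_export_output(SAMPLE_OUTPUT)
    if not ok or os.path.basename(path) != reported_path:
        raise RuntimeError("export output did not report a successful write of exportKey.pem")
    return check_exported_pem(path)


if __name__ == "__main__":
    print(demo())
```

In practice you would feed the real console output of exportPrivateKey to parse_export_output and point check_exported_pem at the file the command names; the parser treats a missing "written to" line or a non-zero return code as a failed export.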
Parameters
This command takes the following parameters.
-h
Displays command line help for the command.
Required: Yes
-k
Specifies the key handle of the private key to be exported.
Required: Yes
-w
Specifies the key handle of the wrapping key. This parameter is required. To find key handles, use the findKey command.
To determine whether a key can be used as a wrapping key, use getAttribute to get the value of the OBJ_ATTR_WRAP attribute (262). To create a wrapping key, use genSymKey to create an AES key (type 31). If you use the -wk parameter to specify an external unwrapping key, the -w wrapping key is used to wrap, but not unwrap, the key during export.
Required: Yes
-out
Specifies the name of the file to which the exported private key will be written.
Required: Yes
-m
Specifies the wrapping mechanism with which to wrap the private key being exported. The only valid value is 4, which represents the NIST_AES_WRAP mechanism.
Default: 4 (NIST_AES_WRAP)
Required: No
-wk
Specifies the key to be used to unwrap the key being exported. Enter the path and name of a file that contains a plaintext AES key.
When you include this parameter, exportPrivateKey uses the key specified by the -w parameter to wrap the key being exported and uses the key specified by the -wk parameter to unwrap it.
Default: Use the wrapping key specified in the -w parameter to both wrap and unwrap.
Required: No