exportPrivateKey - AWS CloudHSM


The exportPrivateKey command in key_mgmt_util exports an asymmetric private key in an HSM to a file. You can use it to export private keys that you generate on the HSM. You can also use the command to export private keys that were imported into an HSM, such as those imported with the importPrivateKey command.

During the export process, exportPrivateKey uses an AES key that you select (the wrapping key) to wrap (encrypt) the private key. This way, the private key file maintains integrity during transit. For more information, see wrapKey.

The exportPrivateKey command copies the key material to a file that you specify. But it does not remove the key from the HSM, change its key attributes, or prevent you from using the key in further cryptographic operations. You can export the same key multiple times.

You can only export private keys that have OBJ_ATTR_EXTRACTABLE attribute value 1. To find a key's attributes, use the getAttribute command.

Before you run any key_mgmt_util command, you must start key_mgmt_util and log in to the HSM as a crypto user (CU).


exportPrivateKey -h exportPrivateKey -k <private-key-handle -w <wrapping-key-handle> -out <key-file> [-m <wrapping-mechanism>] [-wk <wrapping-key-file>]


This example shows how to use exportPrivateKey to export a private key out of an HSM.

Example : Export a private key

This command exports a private key with handle 15 using a wrapping key with handle 16 to a PEM file called exportKey.pem. When the command succeeds, exportPrivateKey returns a success message.

Command: exportPrivateKey -k 15 -w 16 -out exportKey.pem Cfm3WrapKey returned: 0x00 : HSM Return: SUCCESS Cfm3UnWrapHostKey returned: 0x00 : HSM Return: SUCCESS PEM formatted private key is written to exportKey.pem


This command takes the following parameters.


Displays command line help for the command.

Required: Yes


Specifies the key handle of the private key to be exported.

Required: Yes


Specifies the key handle of the wrapping key. This parameter is required. To find key handles, use the findKey command.

To determine whether a key can be used as a wrapping key, use getAttribute to get the value of the OBJ_ATTR_WRAP attribute (262). To create a wrapping key, use genSymKey to create an AES key (type 31).

If you use the -wk parameter to specify an external unwrapping key, the -w wrapping key is used to wrap, but not unwrap, the key during export.

Required: Yes


Specifies the name of the file to which the exported private key will be written.

Required: Yes


Specifies the wrapping mechanism with which to wrap the private key being exported. The only valid value is 4, which represents the NIST_AES_WRAP mechanism.

Default: 4 (NIST_AES_WRAP)

Required: No


Specifies the key to be used to unwrap the key being exported. Enter the path and name of a file that contains a plaintext AES key.

When you include this parameter, exportPrivateKey uses the key in the -w file to wrap the key being exported and uses the key specified by the -wk parameter to unwrap it.

Default: Use the wrapping key specified in the -w parameter to both wrap and unwrap.

Required: No

Related topics