exportPrivateKey - AWS CloudHSM


The exportPrivateKey command in key_mgmt_util exports an asymmetric private key from an HSM to a file. The HSM does not allow direct export of keys in cleartext. The command wraps the private key using an AES wrapping key you specify, decrypts the wrapped bytes, and copies the cleartext private key to a file.

The exportPrivateKey command does not remove the key from the HSM, change its key attributes, or prevent you from using the key in further cryptographic operations. You can export the same key multiple times.

You can only export private keys that have OBJ_ATTR_EXTRACTABLE attribute value 1. You must specify an AES wrapping key that has OBJ_ATTR_WRAP and OBJ_ATTR_DECRYPT attributes value 1. To find a key's attributes, use the getAttribute command.

Before you run any key_mgmt_util command, you must start key_mgmt_util and log in to the HSM as a crypto user (CU).


exportPrivateKey -h exportPrivateKey -k <private-key-handle -w <wrapping-key-handle> -out <key-file> [-m <wrapping-mechanism>] [-wk <wrapping-key-file>]


This example shows how to use exportPrivateKey to export a private key out of an HSM.

Example : Export a private key

This command exports a private key with handle 15 using a wrapping key with handle 16 to a PEM file called exportKey.pem. When the command succeeds, exportPrivateKey returns a success message.

Command: exportPrivateKey -k 15 -w 16 -out exportKey.pem Cfm3WrapKey returned: 0x00 : HSM Return: SUCCESS Cfm3UnWrapHostKey returned: 0x00 : HSM Return: SUCCESS PEM formatted private key is written to exportKey.pem


This command takes the following parameters.


Displays command line help for the command.

Required: Yes


Specifies the key handle of the private key to be exported.

Required: Yes


Specifies the key handle of the wrapping key. This parameter is required. To find key handles, use the findKey command.

To determine whether a key can be used as a wrapping key, use getAttribute to get the value of the OBJ_ATTR_WRAP attribute (262). To create a wrapping key, use genSymKey to create an AES key (type 31).

If you use the -wk parameter to specify an external unwrapping key, the -w wrapping key is used to wrap, but not unwrap, the key during export.

Required: Yes


Specifies the name of the file to which the exported private key will be written.

Required: Yes


Specifies the wrapping mechanism with which to wrap the private key being exported. The only valid value is 4, which represents the NIST_AES_WRAP mechanism.

Default: 4 (NIST_AES_WRAP)

Required: No


Specifies the key to be used to unwrap the key being exported. Enter the path and name of a file that contains a plaintext AES key.

When you include this parameter, exportPrivateKey uses the key in the -w file to wrap the key being exported and uses the key specified by the -wk parameter to unwrap it.

Default: Use the wrapping key specified in the -w parameter to both wrap and unwrap.

Required: No

Related topics