importPubKey - AWS CloudHSM


The importPubKey command in key_mgmt_util imports a PEM format public key into an HSM. You can use it to import public keys that were generated outside of the HSM. You can also use the command to import keys that were exported from an HSM, such as those exported by the exportPubKey command.

Before you run any key_mgmt_util command, you must start key_mgmt_util and log in to the HSM as a crypto user (CU).


importPubKey -h

importPubKey -l <label> -f <key-file> [-sess] [-id <key-id>] [-min_srv <minimum-number-of-servers>] [-timeout <number-of-seconds>]


This example shows how to use importPubKey to import a public key into an HSM.

Example : Import a public key

This command imports a public key from a file named public.pem with the label importedPublicKey. When the command succeeds, importPubKey returns a key handle for the imported key and a success message.

Command: importPubKey -l importedPublicKey -f public.pem

Cfm3CreatePublicKey returned: 0x00 : HSM Return: SUCCESS

Public Key Handle: 262230

Cluster Error Status
Node id 2 and err state 0x00000000 : HSM Return: SUCCESS
Node id 0 and err state 0x00000000 : HSM Return: SUCCESS
Node id 1 and err state 0x00000000 : HSM Return: SUCCESS
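When importPubKey is driven from a script, the handle should only be recorded once the create call returned 0x00 and every HSM node reported a zero error state. The helper below is an added example, not AWS code: it checks that a PEM file is a public key (so a private key is never handed to the import command by mistake) and parses a captured importPubKey transcript; the transcript is constructed from the sample output above, and the node count to expect is assumed to be the cluster's HSM count.

```shell
#!/bin/sh
# Added example (not part of AWS CloudHSM or key_mgmt_util).

# Constructed from the sample output above; in practice capture key_mgmt_util's
# output into a variable or file.
SAMPLE_OUTPUT='Cfm3CreatePublicKey returned: 0x00 : HSM Return: SUCCESS
Public Key Handle: 262230
Cluster Error Status
Node id 2 and err state 0x00000000 : HSM Return: SUCCESS
Node id 0 and err state 0x00000000 : HSM Return: SUCCESS
Node id 1 and err state 0x00000000 : HSM Return: SUCCESS'

# is_pem_public_key FILE
# Succeeds only for a PEM file with PUBLIC KEY armor and no PRIVATE KEY block.
is_pem_public_key() {
    grep -q '^-----BEGIN PUBLIC KEY-----$' "$1" &&
    grep -q '^-----END PUBLIC KEY-----$' "$1" &&
    ! grep -q 'PRIVATE KEY' "$1"
}

# import_handle OUTPUT EXPECTED_NODES
# Prints the key handle and returns 0 only when Cfm3CreatePublicKey returned
# 0x00, a handle was reported, and exactly EXPECTED_NODES nodes all reported
# err state 0x00000000 (i.e. the key reached every HSM in the cluster).
import_handle() {
    out=$1
    expected=$2
    printf '%s\n' "$out" | grep -q '^Cfm3CreatePublicKey returned: 0x00 ' || return 1
    handle=$(printf '%s\n' "$out" | sed -n 's/^Public Key Handle: \([0-9][0-9]*\)$/\1/p')
    [ -n "$handle" ] || return 1
    ok=$(printf '%s\n' "$out" | grep -c '^Node id [0-9][0-9]* and err state 0x00000000 : HSM Return: SUCCESS$' || true)
    total=$(printf '%s\n' "$out" | grep -c '^Node id ' || true)
    [ "$ok" -eq "$total" ] && [ "$total" -eq "$expected" ] || return 1
    printf '%s\n' "$handle"
}

# Usage (3-node cluster assumed): run the import, then validate the transcript.
#   is_pem_public_key public.pem || exit 1
#   handle=$(import_handle "$(key_mgmt_util_output)" 3) || exit 1
```

A transcript that lists fewer node lines than the cluster has HSMs, or any node with a non-zero err state, makes import_handle fail instead of returning a handle for a key that may not be present everywhere.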


This command takes the following parameters.

-h

Displays command line help for the command.

Required: Yes

-l

Specifies the user-defined public key label.

Required: Yes

-f

Specifies the file name of the key to import.

Required: Yes

-sess

Designates the imported key as a session key.

Default: The imported key is held as a persistent (token) key in the cluster.

Required: No

-id

Specifies the ID of the key to be imported.

Default: No ID value.

Required: No

-min_srv

Specifies the minimum number of HSMs to which the imported key is synchronized before the value of the -timeout parameter expires. If the key is not synchronized to the specified number of servers in the time allotted, it is not created.

AWS CloudHSM automatically synchronizes every key to every HSM in the cluster. To speed up your process, set the value of -min_srv to less than the number of HSMs in the cluster and set a low timeout value. Note, however, that some requests might not generate a key.

Default: 1

Required: No

-timeout

Specifies the number of seconds to wait for the key to sync across HSMs when the -min_srv parameter is included. If no number is specified, the polling continues forever.

Default: No limit

Required: No

Related topics