AWS CloudHSM
User Guide

key_mgmt_util Command Reference

The key_mgmt_util command line tool helps you to manage keys in the HSMs in your cluster, including creating, deleting, and finding keys and their attributes. It includes multiple commands, each of which is described in detail in this topic.

For a quick start, see Getting Started with key_mgmt_util. For help interpreting the key attributes, see the Key Attribute Reference. For information about the cloudhsm_mgmt_util command line tool, which includes commands to manage the HSM and users in your cluster, see cloudhsm_mgmt_util.

Before you run any key_mgmt_util command, you must start key_mgmt_util and log in to the HSM as a crypto user (CU).

To list all key_mgmt_util commands, type:

Command: help

To get help for a particular key_mgmt_util command, type:

Command: <command-name> -h

To end your key_mgmt_util session, type:

Command: exit

The following topics describe commands in key_mgmt_util.

Note

Some commands in key_mgmt_util and cloudhsm_mgmt_util have the same names. However, the commands typically have different syntax, different output, and slightly different functionality.

Command Description

aesWrapUnwrap

Encrypts and decrypts the contents of a key in a file on disk.

deleteKey

Deletes a key from the HSMs.

Error2String

Gets the error that corresponds to a key_mgmt_util hexadecimal error code.

exSymKey

Exports a plaintext copy of a symmetric key from the HSMs to a file on disk.

findKey

Searches for keys by key attribute value.

findSingleKey

Verifies that a key exists on all HSMs in the cluster.

genDSAKeyPair

Generates a Digital Signature Algorithm (DSA) key pair in your HSMs.

genECCKeyPair

Generates an Elliptic Curve Cryptography (ECC) key pair in your HSMs.

genPBEKey

(This command is not supported on the FIPS-validated HSMs.)

genRSAKeyPair

Generates an RSA asymmetric key pair in your HSMs.

genSymKey

Generates a symmetric key in your HSMs.

getAttribute

Gets the attribute values for an AWS CloudHSM key and writes them to a file.

getKeyInfo

Gets the HSM user IDs of users who can use the key.

If the key is quorum controlled, it gets the number of users in the quorum.

imSymKey

Imports a plaintext copy of a symmetric key from a file into the HSM.

listAttributes

Lists the attributes of an AWS CloudHSM key and the constants that represent them.

listUsers

Gets the users in the HSMs, their user type and ID, and other attributes.

setAttribute

Converts a session key to a persistent key.

unWrapKey

Imports a wrapped (encrypted) key from a file into the HSMs.

wrapKey

Exports an encrypted copy of a key from the HSM to a file on disk.