AWS CloudHSM
User Guide

The AWS Documentation website is getting a new look!
Try it now and let us know what you think. Switch to the new look >>

You can return to the original look by selecting English in the language selector above.

key_mgmt_util Command Reference

The key_mgmt_util command line tool helps you to manage keys in the HSMs in your cluster, including creating, deleting, and finding keys and their attributes. It includes multiple commands, each of which is described in detail in this topic.

For a quick start, see Getting Started with key_mgmt_util. For help interpreting the key attributes, see the Key Attribute Reference. For information about the cloudhsm_mgmt_util command line tool, which includes commands to manage the HSM and users in your cluster, see cloudhsm_mgmt_util.

Before you run any key_mgmt_util command, you must start key_mgmt_util and log in to the HSM as a crypto user (CU).

To list all key_mgmt_util commands, type:

Command: help

To get help for a particular key_mgmt_util command, type:

Command: <command-name> -h

To end your key_mgmt_util session, type:

Command: exit

The following topics describe commands in key_mgmt_util.

Note

Some commands in key_mgmt_util and cloudhsm_mgmt_util have the same names. However, the commands typically have different syntax, different output, and slightly different functionality.

Command Description

aesWrapUnwrap

Encrypts and decrypts the contents of a key in a file.

deleteKey

Deletes a key from the HSMs.

Error2String

Gets the error that corresponds to a key_mgmt_util hexadecimal error code.

exit

Exits the key_mgmt_util.

exportPrivateKey

Exports a copy of a private key from an to a file on disk.

exportPubKey

Exports a copy of a public key from an HSM to a file.

exSymKey

Exports a plaintext copy of a symmetric key from the HSMs to a file.

extractMaskedObject

Extracts a key from an HSM as a masked object file.

findKey

Search for keys by key attribute value.

findSingleKey

Verifies that a key exists on all HSMs in the cluster.

genDSAKeyPair

Generates a Digital Signing Algorithm (DSA) key pair in your HSMs.

genECCKeyPair

Generates an Elliptic Curve Cryptography (ECC) key pair in your HSMs.

genPBEKey

(This command is not supported on the FIPS-validated HSMs.)

genRSAKeyPair

Generates an RSA asymmetric key pair in your HSMs.

genSymKey

Generates a symmetric key in your HSMs

getAttribute

Gets the attribute values for an AWS CloudHSM key and writes them to a file.

getCaviumPrivKey

Creates a fake PEM-format version of a private key and exports it to a file.

getCert

Retrieves an HSM's partitions certificates and saves them to a file.

getKeyInfo

Gets the HSM user IDs of users who can use the key.

If the key is quorum controlled, it gets the number of users in the quorum.

help

Displays help information about the commands available in key_mgmt_util.

importPrivateKey

Imports a private key into an HSM.

importPubKey

Imports a public key into an HSM.

imSymKey

Imports a plaintext copy of a symmetric key from a file into the HSM.

insertMaskedObject

Inserts a masked object from a file on disk into an HSM contained by related cluster to the object's origin cluster. Related clusters are any clusters generated from a backup of the origin cluster.

IsValidKeyHandlefile

Determines whether or not a given file contains a real private key or a fake PEM key.

listAttributes

Lists the attributes of an AWS CloudHSM key and the constants that represent them.

listUsers

Gets the users in the HSMs, their user type and ID, and other attributes.

loginHSM and logoutHSM

Log in and out of the HSMs in a cluster.

setAttribute

Converts a session key to a persistent key.

sign

Generate a signature for a file using a chosen private key.

unWrapKey

Imports a wrapped (encrypted) key from a file into the HSMs.

verify

Verifies whether a given key was used to sign a given file.

wrapKey

Exports an encrypted copy of a key from the HSM to a file.