Supported Attributes - AWS CloudHSM

Supported Attributes

A key object can be a public, private, or secret key. Actions permitted on a key object are specified through attributes. Attributes are defined when the key object is created. When you use the PKCS #11 library, we assign default values as specified by the PKCS #11 standard.

AWS CloudHSM does not support all attributes listed in the PKCS #11 specification. We are compliant with the specification for all attributes we support. These attributes are listed in the respective tables.

Cryptographic functions such as C_CreateObject, C_GenerateKey, C_GenerateKeyPair, C_UnwrapKey, and C_DeriveKey that create, modify, or copy objects take an attribute template as one of their parameters. For more information about passing an attribute template during object creation, see Generate keys through PKCS #11 library sample.

Note

Client SDK 5 does not offer parity support with Client SDK 3. Look for call outs throughout this portion of the guide to identify what Client SDK 5 supports. For more information, see .

Interpreting the PKCS #11 Library Attributes Table

The PKCS #11 library table contains a list of attributes that differ by key types. It indicates whether a given attribute is supported for a particular key type when using a specific cryptographic function with AWS CloudHSM.

Legend:

  • ✔ indicates that CloudHSM supports the attribute for the specific key type.

  • ✖ indicates that CloudHSM does not support the attribute for the specific key type.

  • R indicates that the attribute value is set to read-only for the specific key type .

  • S indicates that the attribute cannot be read by the GetAttributeValue as it is sensitive.

  • An empty cell in the Default Value column indicates that there is no specific default value assigned to the attribute.

Attribute

Key Type

Default Value

 

EC private

EC public

RSA private

RSA public

 

CKA_CLASS

CKA_KEY_TYPE

CKA_LABEL

CKA_ID

CKA_LOCAL

R

R

R

R

True

CKA_TOKEN

False

CKA_PRIVATE

1

1

1

1

True

CKA_ENCRYPT

False

CKA_DECRYPT

False

CKA_DERIVE

False

CKA_MODIFIABLE

1

1

1

1

True

CKA_DESTROYABLE

True

CKA_SIGN

False

CKA_SIGN_RECOVER

3

 

CKA_VERIFY

False

CKA_VERIFY_RECOVER

4

 

CKA_WRAP

False

CKA_WRAP_TEMPLATE

 

CKA_TRUSTED

False

CKA_WRAP_WITH_TRUSTED

False

CKA_UNWRAP

False

CKA_UNWRAP_TEMPLATE

 

CKA_SENSITIVE

True

CKA_ALWAYS_SENSITIVE

R

R

 

CKA_EXTRACTABLE

True

CKA_NEVER_EXTRACTABLE

R

R

 

CKA_MODULUS

 

CKA_MODULUS_BITS

2

 

CKA_PRIME_1

 

CKA_PRIME_2

 

CKA_COEFFICIENT

 

CKA_EXPONENT_1

 

CKA_EXPONENT_2

 

CKA_PRIVATE_EXPONENT

 

CKA_PUBLIC_EXPONENT

2

 

CKA_EC_PARAMS

2

 

CKA_EC_POINT

 

CKA_VALUE

 

CKA_VALUE_LEN

 

CKA_CHECK_VALUE

R

R

R

R

 

Attribute

Key Type

Default Value

 

AES

DES3

Generic Secret

 

CKA_CLASS

CKA_KEY_TYPE

CKA_LABEL

CKA_ID

CKA_LOCAL

R

R

R

True

CKA_TOKEN

False

CKA_PRIVATE

1

1

1

True

CKA_ENCRYPT

False

CKA_DECRYPT

False

CKA_DERIVE

False

CKA_MODIFIABLE

1

1

1

True

CKA_DESTROYABLE

True

CKA_SIGN

True

CKA_SIGN_RECOVER

 

CKA_VERIFY

True

CKA_VERIFY_RECOVER

 

CKA_WRAP

False

CKA_WRAP_TEMPLATE

 

CKA_TRUSTED

False

CKA_WRAP_WITH_TRUSTED

False

CKA_UNWRAP

False

CKA_UNWRAP_TEMPLATE

 

CKA_SENSITIVE

True

CKA_ALWAYS_SENSITIVE

 

CKA_EXTRACTABLE

True

CKA_NEVER_EXTRACTABLE

R

R

R

 

CKA_MODULUS

 

CKA_MODULUS_BITS

 

CKA_PRIME_1

 

CKA_PRIME_2

 

CKA_COEFFICIENT

 

CKA_EXPONENT_1

 

CKA_EXPONENT_2

 

CKA_PRIVATE_EXPONENT

 

CKA_PUBLIC_EXPONENT

 

CKA_EC_PARAMS

 

CKA_EC_POINT

 

CKA_VALUE

 

CKA_VALUE_LEN

2

2

 

CKA_CHECK_VALUE

R

R

R

 

Attribute

Key Type

Default Value

 

EC private

EC public

RSA private

RSA public

AES

DES3

Generic Secret

 

CKA_CLASS

2

2

2

2

2

2

2

CKA_KEY_TYPE

2

2

2

2

2

2

2

CKA_LABEL

CKA_ID

CKA_LOCAL

R

R

R

R

R

R

R

False

CKA_TOKEN

False

CKA_PRIVATE

1

1

1

1

1

1

1

True

CKA_ENCRYPT

False

CKA_DECRYPT

False

CKA_DERIVE

False

CKA_MODIFIABLE

1

1

1

1

1

1

1

True

CKA_DESTROYABLE

True

CKA_SIGN

False

CKA_SIGN_RECOVER

3

False

CKA_VERIFY

False

CKA_VERIFY_RECOVER

4

 

CKA_WRAP

False

CKA_WRAP_TEMPLATE

 

CKA_TRUSTED

False

CKA_WRAP_WITH_TRUSTED

False

CKA_UNWRAP

False

CKA_UNWRAP_TEMPLATE

 

CKA_SENSITIVE

True

CKA_ALWAYS_SENSITIVE

R

R

R

R

R

 

CKA_EXTRACTABLE

True

CKA_NEVER_EXTRACTABLE

R

R

R

R

R

 

CKA_MODULUS

2

2

 

CKA_MODULUS_BITS

 

CKA_PRIME_1

 

CKA_PRIME_2

 

CKA_COEFFICIENT

 

CKA_EXPONENT_1

 

CKA_EXPONENT_2

 

CKA_PRIVATE_EXPONENT

2

 

CKA_PUBLIC_EXPONENT

2

2

 

CKA_EC_PARAMS

2

2

 

CKA_EC_POINT

2

 

CKA_VALUE

2

2

2

2

 

CKA_VALUE_LEN

 

CKA_CHECK_VALUE

R

R

R

R

R

R

R

 

Attribute

Key Type

Default Value

 

EC private

RSA private

AES

DES3

Generic Secret

 

CKA_CLASS

2

2

2

2

2

CKA_KEY_TYPE

2

2

2

2

2

CKA_LABEL

CKA_ID

CKA_LOCAL

R

R

R

R

R

False

CKA_TOKEN

False

CKA_PRIVATE

1

1

1

1

1

True

CKA_ENCRYPT

False

CKA_DECRYPT

False

CKA_DERIVE

False

CKA_MODIFIABLE

1

1

1

1

1

True

CKA_DESTROYABLE

True

CKA_SIGN

False

CKA_SIGN_RECOVER

3

False

CKA_VERIFY

False

CKA_VERIFY_RECOVER

 

CKA_WRAP

False

CKA_UNWRAP

False

CKA_SENSITIVE

True

CKA_EXTRACTABLE

True

CKA_NEVER_EXTRACTABLE

R

R

R

R

R

 

CKA_ALWAYS_SENSITIVE

R

R

R

R

R

 

CKA_MODULUS

 

CKA_MODULUS_BITS

 

CKA_PRIME_1

 

CKA_PRIME_2

 

CKA_COEFFICIENT

 

CKA_EXPONENT_1

 

CKA_EXPONENT_2

 

CKA_PRIVATE_EXPONENT

 

CKA_PUBLIC_EXPONENT

 

CKA_EC_PARAMS

 

CKA_EC_POINT

 

CKA_VALUE

 

CKA_VALUE_LEN

 

CKA_CHECK_VALUE

R

R

R

R

R

 

Attribute

Key Type

Default Value

 

AES

DES3

Generic Secret

 

CKA_CLASS

2

2

2

CKA_KEY_TYPE

2

2

2

CKA_LABEL

CKA_ID

CKA_LOCAL

R

R

R

True

CKA_TOKEN

False

CKA_PRIVATE

1

1

1

True

CKA_ENCRYPT

False

CKA_DECRYPT

False

CKA_DERIVE

False

CKA_MODIFIABLE

1

1

1

True

CKA_DESTROYABLE

1

1

1

True

CKA_SIGN

False

CKA_SIGN_RECOVER

 

CKA_VERIFY

False

CKA_VERIFY_RECOVER

 

CKA_WRAP

False

CKA_UNWRAP

False

CKA_SENSITIVE

True

CKA_EXTRACTABLE

True

CKA_NEVER_EXTRACTABLE

R

R

R

 

CKA_ALWAYS_SENSITIVE

R

R

R

 

CKA_MODULUS

 

CKA_MODULUS_BITS

 

CKA_PRIME_1

 

CKA_PRIME_2

 

CKA_COEFFICIENT

 

CKA_EXPONENT_1

 

CKA_EXPONENT_2

 

CKA_PRIVATE_EXPONENT

 

CKA_PUBLIC_EXPONENT

 

CKA_EC_PARAMS

 

CKA_EC_POINT

 

CKA_VALUE

 

CKA_VALUE_LEN

2

2

 

CKA_CHECK_VALUE

R

R

R

 

Attribute

Key Type

 

EC private

EC public

RSA private

RSA public

AES

DES3

Generic Secret

CKA_CLASS

CKA_KEY_TYPE

CKA_LABEL

CKA_ID

CKA_LOCAL

CKA_TOKEN

CKA_PRIVATE

1

1

1

1

1

1

1

CKA_ENCRYPT

CKA_DECRYPT

CKA_DERIVE

CKA_MODIFIABLE

CKA_DESTROYABLE

CKA_SIGN

CKA_SIGN_RECOVER

CKA_VERIFY

CKA_VERIFY_RECOVER

CKA_WRAP

CKA_WRAP_TEMPLATE

CKA_TRUSTED

CKA_WRAP_WITH_TRUSTED

CKA_UNWRAP

CKA_UNWRAP_TEMPLATE

CKA_SENSITIVE

CKA_EXTRACTABLE

CKA_NEVER_EXTRACTABLE

CKA_ALWAYS_SENSITIVE

R

R;

R

R

R

R

R

CKA_MODULUS

CKA_MODULUS_BITS

CKA_PRIME_1

S

CKA_PRIME_2

S

CKA_COEFFICIENT

S

CKA_EXPONENT_1

S

CKA_EXPONENT_2

S

CKA_PRIVATE_EXPONENT

S

CKA_PUBLIC_EXPONENT

CKA_EC_PARAMS

CKA_EC_POINT

CKA_VALUE

S

2

2

2

CKA_VALUE_LEN

CKA_CHECK_VALUE

Attribute

Key Type

Default Value

 

RSA private

RSA public

 

CKA_CLASS

CKA_KEY_TYPE

CKA_LABEL

CKA_ID

CKA_LOCAL

R

R

True

CKA_TOKEN

False

CKA_PRIVATE

1

1

True

CKA_ENCRYPT

False

CKA_DECRYPT

False

CKA_DERIVE

False

CKA_MODIFIABLE

1

1

True

CKA_DESTROYABLE

True

CKA_SIGN

False

CKA_VERIFY

False

CKA_WRAP

False

CKA_WRAP_TEMPLATE

 

CKA_TRUSTED

False

CKA_WRAP_WITH_TRUSTED

False

CKA_UNWRAP

False

CKA_UNWRAP_TEMPLATE

 

CKA_SENSITIVE

True

CKA_ALWAYS_SENSITIVE

R

 

CKA_EXTRACTABLE

True

CKA_NEVER_EXTRACTABLE

R

 

CKA_MODULUS

 

CKA_MODULUS_BITS

2

 

CKA_PRIME_1

 

CKA_PRIME_2

 

CKA_COEFFICIENT

 

CKA_EXPONENT_1

 

CKA_EXPONENT_2

 

CKA_PRIVATE_EXPONENT

 

CKA_PUBLIC_EXPONENT

2

 

CKA_EC_PARAMS

 

CKA_EC_POINT

 

CKA_VALUE

 

CKA_VALUE_LEN

 

CKA_CHECK_VALUE

R

R

 

Attribute

Key Type

Default Value

 

AES

Generic Secret

 

CKA_CLASS

CKA_KEY_TYPE

CKA_LABEL

CKA_ID

CKA_LOCAL

R

R

True

CKA_TOKEN

False

CKA_PRIVATE

1

1

True

CKA_ENCRYPT

False

CKA_DECRYPT

False

CKA_DERIVE

False

CKA_MODIFIABLE

1

1

True

CKA_DESTROYABLE

True

CKA_SIGN

True

CKA_SIGN_RECOVER

 

CKA_VERIFY

True

CKA_VERIFY_RECOVER

 

CKA_WRAP

False

CKA_WRAP_TEMPLATE

 

CKA_TRUSTED

False

CKA_WRAP_WITH_TRUSTED

False

CKA_UNWRAP

False

CKA_UNWRAP_TEMPLATE

 

CKA_SENSITIVE

True

CKA_ALWAYS_SENSITIVE

 

CKA_EXTRACTABLE

True

CKA_NEVER_EXTRACTABLE

R

R

 

CKA_MODULUS

 

CKA_MODULUS_BITS

 

CKA_PRIME_1

 

CKA_PRIME_2

 

CKA_COEFFICIENT

 

CKA_EXPONENT_1

 

CKA_EXPONENT_2

 

CKA_PRIVATE_EXPONENT

 

CKA_PUBLIC_EXPONENT

 

CKA_EC_PARAMS

 

CKA_EC_POINT

 

CKA_VALUE

 

CKA_VALUE_LEN

2

2

 

CKA_CHECK_VALUE

R

R

 

Attribute

Key Type

Default Value

 

RSA private

RSA public

AES

Generic Secret

 

CKA_CLASS

2

2

2

2

CKA_KEY_TYPE

2

2

2

2

CKA_LABEL

CKA_ID

CKA_LOCAL

R

R

R

R

False

CKA_TOKEN

False

CKA_PRIVATE

1

1

1

1

True

CKA_ENCRYPT

False

CKA_DECRYPT

False

CKA_DERIVE

False

CKA_MODIFIABLE

1

1

1

1

True

CKA_DESTROYABLE

True

CKA_SIGN

False

CKA_SIGN_RECOVER

3

False

CKA_VERIFY

False

CKA_VERIFY_RECOVER

4

 

CKA_WRAP

False

CKA_WRAP_TEMPLATE

 

CKA_TRUSTED

False

CKA_WRAP_WITH_TRUSTED

False

CKA_UNWRAP

False

CKA_UNWRAP_TEMPLATE

 

CKA_SENSITIVE

True

CKA_ALWAYS_SENSITIVE

R

R

R

 

CKA_EXTRACTABLE

True

CKA_NEVER_EXTRACTABLE

R

R

R

 

CKA_MODULUS

2

2

 

CKA_MODULUS_BITS

 

CKA_PRIME_1

 

CKA_PRIME_2

 

CKA_COEFFICIENT

 

CKA_EXPONENT_1

 

CKA_EXPONENT_2

 

CKA_PRIVATE_EXPONENT

2

 

CKA_PUBLIC_EXPONENT

2

2

 

CKA_EC_PARAMS

 

CKA_EC_POINT

 

CKA_VALUE

2

2

 

CKA_VALUE_LEN

 

CKA_CHECK_VALUE

R

R

R

R

 

Attribute

Key Type

Default Value

 

RSA private

AES

Generic Secret

 

CKA_CLASS

2

2

2

CKA_KEY_TYPE

2

2

2

CKA_LABEL

CKA_ID

CKA_LOCAL

R

R

R

False

CKA_TOKEN

False

CKA_PRIVATE

1

1

1

True

CKA_ENCRYPT

False

CKA_DECRYPT

False

CKA_DERIVE

False

CKA_MODIFIABLE

1