Supported key attributes for the PKCS #11 library
A key object can be a public, private, or secret key. Actions permitted on a key object are specified through attributes. Attributes are defined when the key object is created. When you use the PKCS #11 library, we assign default values as specified by the PKCS #11 standard.
AWS CloudHSM does not support all attributes listed in the PKCS #11 specification. We are compliant with the specification for all attributes we support. These attributes are listed in the respective tables.
Cryptographic functions such as C_CreateObject, C_GenerateKey, C_GenerateKeyPair, C_UnwrapKey, and C_DeriveKey that create, modify, or copy objects take an attribute template as one of their parameters. For more information about passing an attribute template during object creation, see Generate keys through PKCS #11 library.
Interpreting the PKCS #11 library attributes table
The PKCS #11 library table contains a list of attributes that differ by key types. It indicates whether a given attribute is supported for a particular key type when using a specific cryptographic function with AWS CloudHSM.
Legend:
- ✔ indicates that CloudHSM supports the attribute for the specific key type.
- ✖ indicates that CloudHSM does not support the attribute for the specific key type.
- R indicates that the attribute value is set to read-only for the specific key type.
- S indicates that the attribute cannot be read by GetAttributeValue as it is sensitive.
- An empty cell in the Default Value column indicates that there is no specific default value assigned to the attribute.
[Table of attribute support by key type (columns: Attribute, EC private, EC public, RSA private, RSA public, Default Value); the attribute names for the rows are not present in this copy of the page, only their unlabeled ✔ / ✖ / R cells and default values.]
[Table of attribute support by key type (columns: Attribute, AES, DES3, Generic Secret, Default Value); the attribute names for the rows are not present in this copy of the page, only their unlabeled ✔ / ✖ / R cells and default values.]
[Table of attribute support by key type (columns: Attribute, EC private, EC public, RSA private, RSA public, AES, DES3, Generic Secret, Default Value); the attribute names for the rows are not present in this copy of the page, only their unlabeled ✔ / ✖ / R cells and default values.]
[Table of attribute support by key type (columns: Attribute, EC private, RSA private, AES, DES3, Generic Secret, Default Value); the attribute names for the rows are not present in this copy of the page, only their unlabeled ✔ / ✖ / R cells and default values.]
[Table of attribute support by key type (columns: Attribute, AES, DES3, Generic Secret, Default Value); the attribute names for the rows are not present in this copy of the page, only their unlabeled ✔ / ✖ / R cells and default values.]
[Table of attribute readability by key type (columns: Attribute, EC private, EC public, RSA private, RSA public, AES, DES3, Generic Secret; no Default Value column); the attribute names for the rows are not present in this copy of the page, only their unlabeled ✔ / ✖ / R / S cells.]
Attribute annotations
- [1] This attribute is partially supported by the firmware and must be explicitly set only to the default value.
- [2] Mandatory attribute.
Modifying attributes
Some attributes of an object can be modified after the object has been created, whereas some cannot. To modify attributes, use the setAttribute command from cloudhsm_mgmt_util. You can also derive a list of attributes and the constants that represent them by using the listAttribute command from cloudhsm_mgmt_util.
The following list displays attributes that are allowed for modification after object creation:
- CKA_LABEL
- CKA_TOKEN
  Note: Modification is allowed only for changing a session key to a token key. Use the setAttribute command from key_mgmt_util to change the attribute value.
- CKA_ENCRYPT
- CKA_DECRYPT
- CKA_SIGN
- CKA_VERIFY
- CKA_WRAP
- CKA_UNWRAP
- CKA_SENSITIVE
- CKA_DERIVE
  Note: This attribute supports key derivation. It must be False for all public keys and cannot be set to True. For secret and EC private keys, it can be set to True or False.
- CKA_TRUSTED
  Note: This attribute can be set to True or False by the Crypto Officer (CO) only.
- CKA_WRAP_WITH_TRUSTED
  Note: Apply this attribute to an exportable data key to specify that you can only wrap this key with keys marked as CKA_TRUSTED. Once you set CKA_WRAP_WITH_TRUSTED to true, the attribute becomes read-only and you cannot change or remove the attribute.
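The modification rules above folded into one policy check, as an added example that is not AWS's or the PKCS #11 library's own code: the key-state struct, the Crypto Officer flag, the decision enum and the enum stand-ins for the pkcs11.h attribute constants are assumptions of the example, and nothing here calls the real C_SetAttributeValue.

```c
#include <stdbool.h>

/* Attribute names from this page's list (plus CKA_MODIFIABLE as an example of
 * an attribute that is not on it); a real client uses the pkcs11.h values. */
typedef enum { CKA_LABEL, CKA_TOKEN, CKA_ENCRYPT, CKA_DECRYPT, CKA_SIGN, CKA_VERIFY,
               CKA_WRAP, CKA_UNWRAP, CKA_SENSITIVE, CKA_DERIVE, CKA_TRUSTED,
               CKA_WRAP_WITH_TRUSTED, CKA_MODIFIABLE } attr_t;
typedef enum { KEY_PUBLIC, KEY_PRIVATE, KEY_SECRET } key_class_t;
typedef enum { SET_ALLOWED, SET_DENIED_NOT_MODIFIABLE, SET_DENIED_READ_ONLY,
               SET_DENIED_VALUE, SET_DENIED_ROLE } set_decision_t;

/* The parts of a key's current state that the rules depend on (assumed shape). */
typedef struct {
    key_class_t cls;
    bool token;              /* current CKA_TOKEN value */
    bool wrap_with_trusted;  /* current CKA_WRAP_WITH_TRUSTED value */
} key_state_t;

/* Decide whether setting `attr` to `value` on key `k` is allowed by the rules
 * above. `value` is the boolean being written (ignored for CKA_LABEL);
 * `is_co` is true when the caller is the Crypto Officer. */
set_decision_t decide_set(const key_state_t *k, attr_t attr, bool value, bool is_co) {
    switch (attr) {
    case CKA_LABEL: case CKA_ENCRYPT: case CKA_DECRYPT: case CKA_SIGN:
    case CKA_VERIFY: case CKA_WRAP: case CKA_UNWRAP: case CKA_SENSITIVE:
        return SET_ALLOWED;                     /* freely modifiable */
    case CKA_TOKEN:
        /* Only a session key may become a token key, never the reverse. */
        return (!k->token && value) ? SET_ALLOWED : SET_DENIED_VALUE;
    case CKA_DERIVE:
        /* Must stay False for every public key; secret and EC private keys
         * may be set either way. This page says nothing about RSA private keys. */
        return (k->cls == KEY_PUBLIC && value) ? SET_DENIED_VALUE : SET_ALLOWED;
    case CKA_TRUSTED:
        return is_co ? SET_ALLOWED : SET_DENIED_ROLE;  /* CO only */
    case CKA_WRAP_WITH_TRUSTED:
        /* Once True the attribute is read-only: it cannot be changed or removed. */
        return k->wrap_with_trusted ? SET_DENIED_READ_ONLY : SET_ALLOWED;
    default:
        return SET_DENIED_NOT_MODIFIABLE;       /* not in the modifiable list */
    }
}
```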
Interpreting error codes
Specifying in the template an attribute that is not supported by a specific key results in an error. The following table contains error codes that are generated when you violate specifications:
Error Code | Description
---|---
CKR_TEMPLATE_INCONSISTENT | You receive this error when you specify an attribute in the attribute template that complies with the PKCS #11 specification but is not supported by CloudHSM.
CKR_ATTRIBUTE_TYPE_INVALID | You receive this error when you retrieve the value of an attribute that complies with the PKCS #11 specification but is not supported by CloudHSM.
CKR_ATTRIBUTE_INCOMPLETE | You receive this error when you do not specify a mandatory attribute in the attribute template.
CKR_ATTRIBUTE_READ_ONLY | You receive this error when you specify a read-only attribute in the attribute template.
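As an added example covering both the legend (✔, ✖, R, S and the [2] mandatory mark) and this error table, a client-side pre-flight check of a creation template and of a GetAttributeValue request; this is not code from AWS or the PKCS #11 library. The support rules for the one hypothetical key type are constructed example data, not CloudHSM's published matrix, the enums stand in for pkcs11.h constants, and returning the spec's CKR_ATTRIBUTE_SENSITIVE for an S cell is an assumption since that code is not in the table above.

```c
#include <stddef.h>
#include <stdbool.h>
/* Stand-ins for PKCS #11 return codes and attribute types; a real client takes
 * the numeric values from pkcs11.h. CKR_ATTRIBUTE_SENSITIVE is a spec code
 * that the page's error table does not list (assumption for S cells). */
typedef enum { CKR_OK, CKR_TEMPLATE_INCONSISTENT, CKR_ATTRIBUTE_TYPE_INVALID,
               CKR_ATTRIBUTE_INCOMPLETE, CKR_ATTRIBUTE_READ_ONLY,
               CKR_ATTRIBUTE_SENSITIVE } CK_RV;
typedef enum { CKA_CLASS, CKA_KEY_TYPE, CKA_LABEL, CKA_LOCAL, CKA_VALUE,
               CKA_ALLOWED_MECHANISMS, CKA_ATTR_COUNT } CK_ATTRIBUTE_TYPE;
/* One cell of the support table, using the legend symbols from the page. */
typedef enum { CELL_UNSUPPORTED, CELL_SUPPORTED, CELL_READ_ONLY, CELL_SENSITIVE } cell_t;
typedef struct { cell_t cell; bool mandatory; } attr_rule_t;
/* Constructed rules for one hypothetical key type (example data only, not
 * CloudHSM's published matrix); the array index is the attribute type. */
static const attr_rule_t RULES[CKA_ATTR_COUNT] = {
    [CKA_CLASS]              = { CELL_SUPPORTED,   true  },  /* ✔2 */
    [CKA_KEY_TYPE]           = { CELL_SUPPORTED,   true  },  /* ✔2 */
    [CKA_LABEL]              = { CELL_SUPPORTED,   false },  /* ✔  */
    [CKA_LOCAL]              = { CELL_READ_ONLY,   false },  /* R  */
    [CKA_VALUE]              = { CELL_SENSITIVE,   false },  /* S  */
    [CKA_ALLOWED_MECHANISMS] = { CELL_UNSUPPORTED, false },  /* ✖  */
};
/* Pre-flight check of a creation template: returns the code the page maps
 * to each violation, or CKR_OK when the template is acceptable. */
CK_RV check_create_template(const CK_ATTRIBUTE_TYPE *tmpl, size_t n) {
    bool seen[CKA_ATTR_COUNT] = { false };
    for (size_t i = 0; i < n; i++) {
        CK_ATTRIBUTE_TYPE a = tmpl[i];
        if ((int)a >= CKA_ATTR_COUNT || RULES[a].cell == CELL_UNSUPPORTED)
            return CKR_TEMPLATE_INCONSISTENT;  /* spec-valid, not supported here */
        if (RULES[a].cell == CELL_READ_ONLY)
            return CKR_ATTRIBUTE_READ_ONLY;    /* an R cell cannot be supplied */
        seen[a] = true;
    }
    for (int a = 0; a < CKA_ATTR_COUNT; a++)
        if (RULES[a].mandatory && !seen[a])
            return CKR_ATTRIBUTE_INCOMPLETE;   /* a ✔2 attribute is missing */
    return CKR_OK;
}
/* Check of a single GetAttributeValue request against the same table. */
CK_RV check_get_attribute(CK_ATTRIBUTE_TYPE a) {
    if ((int)a >= CKA_ATTR_COUNT || RULES[a].cell == CELL_UNSUPPORTED)
        return CKR_ATTRIBUTE_TYPE_INVALID;
    if (RULES[a].cell == CELL_SENSITIVE)
        return CKR_ATTRIBUTE_SENSITIVE;        /* S cell: value is never returned */
    return CKR_OK;
}
```

The checks stop at the first violation, so a template with several problems is reported one error at a time, which is also how a caller sees them from the library.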