本文為英文版的機器翻譯版本,如內容有任何歧義或不一致之處,概以英文版為準。
取消共用金鑰
此命key unshare令會取消與 AWS CloudHSM 叢集中其他 CU 的金鑰共用。
只有建立金鑰並因此擁有金鑰的加密使用者才能取消共用金鑰。共用金鑰的使用者可以在密碼編譯操作中使用此金鑰,但無法刪除、匯出、共用金錀或取消共用金錀。此外,這些使用者無法變更金錀屬性。
使用者類型
下列類型的使用者可以執行此命令。
-
加密使用者 (CU)
要求
若要執行此命令,必須以 CU 的身分登入。
語法
aws-cloudhsm >help key unshareUnshare a key in the HSM cluster with another user Usage: key unshare --filter [<FILTER>...] --username<USERNAME>--role<ROLE>Options: --cluster-id<CLUSTER_ID>Unique Id to choose which of the clusters in the config file to run the operation against. If not provided, will fall back to the value provided when interactive mode was started, or error --filter [<FILTER>...] Key reference (e.g. key-reference=0xabc) or space separated list of key attributes in the form of attr.KEY_ATTRIBUTE_NAME=KEY_ATTRIBUTE_VALUE to select a matching key for unsharing --username<USERNAME>A username with which the key will be unshared --role<ROLE>Role the user has in the cluster Possible values: - crypto-user: A CryptoUser has the ability to manage and use keys - admin: An Admin has the ability to manage user accounts -h, --help Print help (see a summary with '-h')
範例:取消與另一個加密使用者共用金鑰
下列範例顯示如何使用 key unshare 命令取消與加密使用者 alice 共用的金鑰。
-
執行 key list 命令並篩選出您想取消與
alice共用的金錀。aws-cloudhsm >key list --filter attr.label="rsa_key_to_share" attr.class=private-key --verbose{ "error_code": 0, "data": { "matched_keys": [ { "key-reference": "0x00000000001c0686", "key-info": { "key-owners": [ { "username": "cu3", "key-coverage": "full" } ], "shared-users": [ { "username": "cu2", "key-coverage": "full" }, { "username": "cu1", "key-coverage": "full" }, { "username": "cu4", "key-coverage": "full" }, { "username": "cu5", "key-coverage": "full" }, { "username": "cu6", "key-coverage": "full" }, { "username": "cu7", "key-coverage": "full" }, { "username": "alice", "key-coverage": "full" } ], "cluster-coverage": "full" }, "attributes": { "key-type": "rsa", "label": "rsa_key_to_share", "id": "", "check-value": "0xae8ff0", "class": "private-key", "encrypt": false, "decrypt": true, "token": true, "always-sensitive": true, "derive": false, "destroyable": true, "extractable": true, "local": true, "modifiable": true, "never-extractable": false, "private": true, "sensitive": true, "sign": true, "trusted": false, "unwrap": true, "verify": false, "wrap": false, "wrap-with-trusted": false, "key-length-bytes": 1219, "public-exponent": "0x010001", "modulus": "0xa8855cba933cec0c21a4df0450ec31675c024f3e65b2b215a53d2bda6dcd191f75729150b59b4d86df58254c8f518f7d000cc04d8e958e7502c7c33098e28da4d94378ef34fb57d1cc7e042d9119bd79be0df728421a980a397095157da24cf3cc2b6dab12225d33fdca11f0c6ed1a5127f12488cda9a556814b39b06cd8373ff5d371db2212887853621b8510faa7b0779fbdec447e1f1d19f343acb02b22526487a31f6c704f8f003cb4f7013136f90cc17c2c20e414dc1fc7bcfb392d59c767900319679fc3307388633485657ce2e1a3deab0f985b0747ef4ed339de78147d1985d14fdd8634219321e49e3f5715e79c298f18658504bab04086bfbdcd3b", "modulus-size-bits": 2048 } } ], "total_key_count": 1, "returned_key_count": 1 } } -
確認
alice在shared-users輸出中,並運行下列 key unshare 命令以取消與alice共用的金錀。aws-cloudhsm >key unshare --filter attr.label="rsa_key_to_share" attr.class=private-key --username alice --role crypto-user{ "error_code": 0, "data": { "message": "Key unshared successfully" } } -
再次執行
key list命令以確認已取消與alice共用該金錀。aws-cloudhsm >key list --filter attr.label="rsa_key_to_share" attr.class=private-key --verbose{ "error_code": 0, "data": { "matched_keys": [ { "key-reference": "0x00000000001c0686", "key-info": { "key-owners": [ { "username": "cu3", "key-coverage": "full" } ], "shared-users": [ { "username": "cu2", "key-coverage": "full" }, { "username": "cu1", "key-coverage": "full" }, { "username": "cu4", "key-coverage": "full" }, { "username": "cu5", "key-coverage": "full" }, { "username": "cu6", "key-coverage": "full" }, { "username": "cu7", "key-coverage": "full" }, ], "cluster-coverage": "full" }, "attributes": { "key-type": "rsa", "label": "rsa_key_to_share", "id": "", "check-value": "0xae8ff0", "class": "private-key", "encrypt": false, "decrypt": true, "token": true, "always-sensitive": true, "derive": false, "destroyable": true, "extractable": true, "local": true, "modifiable": true, "never-extractable": false, "private": true, "sensitive": true, "sign": true, "trusted": false, "unwrap": true, "verify": false, "wrap": false, "wrap-with-trusted": false, "key-length-bytes": 1219, "public-exponent": "0x010001", "modulus": "0xa8855cba933cec0c21a4df0450ec31675c024f3e65b2b215a53d2bda6dcd191f75729150b59b4d86df58254c8f518f7d000cc04d8e958e7502c7c33098e28da4d94378ef34fb57d1cc7e042d9119bd79be0df728421a980a397095157da24cf3cc2b6dab12225d33fdca11f0c6ed1a5127f12488cda9a556814b39b06cd8373ff5d371db2212887853621b8510faa7b0779fbdec447e1f1d19f343acb02b22526487a31f6c704f8f003cb4f7013136f90cc17c2c20e414dc1fc7bcfb392d59c767900319679fc3307388633485657ce2e1a3deab0f985b0747ef4ed339de78147d1985d14fdd8634219321e49e3f5715e79c298f18658504bab04086bfbdcd3b", "modulus-size-bits": 2048 } } ], "total_key_count": 1, "returned_key_count": 1 } }
引數
<CLUSTER_ID>-
執行此作業的叢集識別碼。
必要:如果已設定多個叢集。
<FILTER>-
鍵引用(例如,
key-reference=0xabc)或空格分隔的鍵屬性列表,attr.KEY_ATTRIBUTE_NAME=KEY_ATTRIBUTE_VALUE以的形式選擇要刪除的匹配鍵。如需支援的金鑰屬性清單,請參閱 CloudHSM CLI 的金鑰屬性。
必要:是
<USERNAME>-
為使用者指定易記的名稱。長度上限為 31 個字元。允許的唯一特殊字元是底線 (_)。在此命令中,使用者名稱不區分大小寫,使用者名稱始終以小寫顯示。
必要:是
<ROLE>-
指定指派給此使用者的角色。此為必要參數。若要取得使用者的角色,請使用使用者清單命令。如需 HSM 上使用者類型的詳細資訊,請參閱 了解 HSM 使用者。
必要:是
相關主題
