Key attributes for CloudHSM CLI
This topic describes how to use CloudHSM CLI to set key attributes. A key attribute in CloudHSM CLI can define a key's type, how a key can function, or how a key is labeled. Some attributes define unique characteristics (a key's type, for example). Other attributes can be set to true or false; changing them either activates or deactivates a part of the key's functionality.
For examples showing how to use key attributes, see the commands listed under the parent command key.
Supported attributes
As a best practice, only set values for attributes you wish to make restrictive. If you don’t specify a value, CloudHSM CLI uses the default value specified in the table below.
The following table lists the key attributes, possible values, defaults, and related notes. An empty cell in the Value column indicates that there is no specific default value assigned to the attribute.
CloudHSM CLI attribute | Value | Modifiable with key set-attribute | Settable at key creation |
---|---|---|---|
always-sensitive | The value is | No | No |
check-value | The check value of the key. For more information, see Additional Details. | No | No |
class | Possible values: | No | Yes |
curve | Elliptic curve used to generate the EC key pair. Valid values: | No | Settable with EC, not settable with RSA |
decrypt | Default: | Yes | Yes |
derive | Default: | Yes | Yes |
destroyable | Default: | Yes | Yes |
ec-point | For EC keys, DER-encoding of ANSI X9.62 ECPoint value "Q" in a hexadecimal format. For other key types, this attribute does not exist. | No | No |
encrypt | Default: | Yes | Yes |
extractable | Default: | No | Yes |
id | Default: Empty | No | Yes |
key-length-bytes | Required for generating an AES key. Valid values: | No | No |
key-type | Possible values: | No | Yes |
label | Default: Empty | Yes | Yes |
local | Default: | No | No |
modifiable | Default: | No | No |
modulus | The modulus that was used to generate an RSA key pair. For other key types, this attribute does not exist. | No | No |
modulus-size-bits | Required for generating an RSA key pair. Minimum value is | No | Settable with RSA, not settable with EC |
never-extractable | The value is | No | No |
private | Default: | No | Yes |
public-exponent | Required for generating an RSA key pair. Valid values: The value must be an odd number greater than or equal to | No | Settable with RSA, not settable with EC |
sensitive | Default: | No | Settable with private keys, not settable with public keys. |
sign | Default: | Yes | Yes |
token | Default: | No | Yes |
trusted | Default: | Yes | No |
unwrap | Default: False | Yes | Yes |
unwrap-template | Values should use the attribute template applied to any key unwrapped using this wrapping key. | Yes | No |
verify | Default: | Yes | Yes |
wrap | Default: False | Yes | Yes |
wrap-template | Values should use the attribute template to match the key wrapped using this wrapping key. | Yes | No |
wrap-with-trusted | Default: | Yes | Yes |
Additional Details
- Check value
  The check value is a 3-byte hash or checksum of a key that is generated when the HSM imports or generates a key. You can also calculate a check value outside of the HSM, such as after you export a key. You can then compare the two check values to confirm the identity and integrity of the key. To get the check value of a key, use key list with the verbose flag.
  AWS CloudHSM uses the following standard methods to generate a check value:
  - Symmetric keys: First 3 bytes of the result of encrypting a zero-block with the key.
  - Asymmetric key pairs: First 3 bytes of the SHA-1 hash of the public key.
  - HMAC keys: KCV for HMAC keys is not supported at this time.
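The two check-value methods above can be reproduced outside the HSM, which is what you need when confirming that an exported or imported key is the one you expect. The following Go program is an added example, not code from AWS or the CloudHSM CLI; it uses only the Go standard library. The sample keys are constructed in the program (an all-zero AES-128 key and a freshly generated RSA key pair). The page does not say which encoding of the public key the HSM hashes, so `AsymmetricKCV` takes raw bytes and `main` passes DER-encoded SubjectPublicKeyInfo as an assumption; compare the result against what `key list` reports with the verbose flag before relying on that choice.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha1"
	"crypto/x509"
	"encoding/hex"
	"fmt"
	"log"
)

// SymmetricKCV computes the check value for a symmetric (AES) key:
// the first 3 bytes of the key's encryption of a single all-zero block.
// aes.NewCipher rejects key lengths other than 16, 24 and 32 bytes.
func SymmetricKCV(key []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	zeroBlock := make([]byte, block.BlockSize())
	out := make([]byte, block.BlockSize())
	block.Encrypt(out, zeroBlock) // one raw block, i.e. ECB of a zero block
	return out[:3], nil
}

// AsymmetricKCV computes the check value for a key pair: the first 3 bytes
// of the SHA-1 hash over the public key bytes. Which encoding of the public
// key the HSM hashes is not stated on the page, so the caller chooses it.
func AsymmetricKCV(publicKey []byte) []byte {
	sum := sha1.Sum(publicKey)
	return sum[:3]
}

// MatchesKCV compares a locally computed check value with the hexadecimal
// check value reported by the HSM. A malformed hex string never matches.
func MatchesKCV(computed []byte, reportedHex string) bool {
	want, err := hex.DecodeString(reportedHex)
	if err != nil {
		return false
	}
	return bytes.Equal(computed, want)
}

func main() {
	// Constructed sample: an all-zero AES-128 key, used only because its
	// check value (66e94b) is easy to verify by hand. Never use such a key.
	aesKey := make([]byte, 16)
	aesKCV, err := SymmetricKCV(aesKey)
	if err != nil {
		log.Fatal(err)
	}
	fmt.Printf("AES-128 check value: %x\n", aesKCV)

	// Constructed sample RSA key pair; the public key is hashed as DER-encoded
	// SubjectPublicKeyInfo, which is an assumption about the HSM's encoding.
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		log.Fatal(err)
	}
	spki, err := x509.MarshalPKIXPublicKey(&priv.PublicKey)
	if err != nil {
		log.Fatal(err)
	}
	fmt.Printf("RSA check value (SHA-1 over SPKI DER, assumed): %x\n", AsymmetricKCV(spki))

	// Compare against a value as it would be copied from `key list --verbose`
	// (placeholder string here, not output from a real HSM).
	fmt.Println("matches reported value:", MatchesKCV(aesKCV, "66e94b"))
}
```

A mismatch between the locally computed value and the HSM's check value means either the wrong key material was compared or the public key was encoded differently from what the HSM hashes; a match on the 3-byte value is a quick identity check, not a proof of integrity for the whole key, since the check value is deliberately short.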