

# Key attributes for CloudHSM CLI
<a name="cloudhsm_cli-key-attributes"></a>

This topic describes how to use CloudHSM CLI to set key attributes. A key attribute in CloudHSM CLI can define a key’s type, how a key can function, or how a key is labeled. Some attributes define unique characteristics (a key’s type, for example). Other attributes can be set to true or false—changing them either activates or deactivates a part of the key’s functionality.

For examples showing how to use key attributes, see the commands listed under the parent command [The key category in CloudHSM CLI](cloudhsm_cli-key.md).

The following topics provide additional detail about key attributes in CloudHSM CLI.

**Topics**
+ [Supported attributes](cloudhsm_cli-key-attributes-table.md)
+ [Check value](chsm-cli-key-attribute-details.md)
+ [Related topics](chsm_cli-key-attributes-seealso.md)

# Supported attributes for CloudHSM CLI
<a name="cloudhsm_cli-key-attributes-table"></a>

As a best practice, only set values for attributes you wish to make restrictive. If you don’t specify a value, CloudHSM CLI uses the default value specified in the table below.

The following table lists the key attributes, possible values, defaults, and related notes for CloudHSM CLI. An empty cell in the **Value** column indicates that there is no specific default value assigned to the attribute.


| CloudHSM CLI attribute | Value | Modifiable with [key set-attribute](cloudhsm_cli-key-set-attribute.md) | Settable at key creation | 
| --- | --- | --- | --- | 
| always-sensitive |  The value is `True` if `sensitive` has always been set to `True` and has never changed.  | No | No | 
| check-value | The check value of the key. For more information, see [Additional Details](chsm-cli-key-attribute-details.md). | No | No | 
| class | Possible values: `secret-key`, `public-key`, and `private-key`. | No | Yes | 
| curve |  Elliptic curve used to generate the EC key pair. Valid values: `secp224r1`, `secp256r1`, `prime256v1`, `secp384r1`, `secp256k1`, `secp521r1`, and `ed25519`. `ed25519` is only supported on hsm2m.medium instances in non-FIPS mode.  | No | Settable with EC, not settable with RSA | 
| decrypt | Default: `False` | Yes | Yes | 
| derive | Default: `False` | Derive can be set on hsm2m.medium instances. It cannot be set for RSA keys on hsm1.medium instances. | Yes | 
| destroyable | Default: `True` | Yes | Yes | 
| ec-point | For EC keys, DER-encoding of ANSI X9.62 ECPoint value "Q" in a hexadecimal format. For other key types, this attribute does not exist. | No | No | 
| encrypt | Default: `False` | Yes | Yes | 
| extractable | Default: `True` | No | Yes | 
| id | Default: Empty | id can be set on hsm2m.medium instances. It cannot be set on hsm1.medium instances. | Yes | 
| key-length-bytes | Required for generating an AES key. Valid values: `16`, `24`, and `32` bytes. | No | No | 
| key-type | Possible values: `aes`, `rsa`, and `ec` | No | Yes | 
| label | Default: Empty | Yes | Yes | 
| local | Default: `True` for keys generated in the HSM, `False` for keys imported into the HSM. | No | No | 
| modifiable | Default: `True` | Can be changed from true to false, but not from false to true. | Yes | 
| modulus | The modulus that was used to generate an RSA key pair. For other key types, this attribute does not exist. | No | No | 
| modulus-size-bits | Required for generating an RSA key pair. Minimum value is `2048`. | No | Settable with RSA, not settable with EC | 
| never-extractable |  The value is `True` if extractable has never been set to `False`. The value is `False` if extractable has ever been set to `True`.  | No | No | 
| private | Default: `True` | No | Yes | 
| public-exponent | Required for generating an RSA key pair. Valid values: The value must be an odd number greater than or equal to `65537`. | No | Settable with RSA, not settable with EC | 
| sensitive |  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/cloudhsm/latest/userguide/cloudhsm_cli-key-attributes-table.html)  | No | Settable with private keys, not settable with public keys. | 
| sign |  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/cloudhsm/latest/userguide/cloudhsm_cli-key-attributes-table.html)  | Yes | Yes | 
| token | Default: `True` | Can be changed from false to true, but not from true to false. | Yes | 
| trusted | Default: `False` | Only admin users can set this parameter. | No | 
| unwrap | Default: `False` | Yes | Yes, except for public keys. | 
| unwrap-template | Values should use the attribute template applied to any key unwrapped using this wrapping key. | Yes | No | 
| verify |  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/cloudhsm/latest/userguide/cloudhsm_cli-key-attributes-table.html)  | Yes | Yes | 
| wrap | Default: `False` | Yes | Yes, except for private keys. | 
| wrap-template | Values should use the attribute template to match the key wrapped using this wrapping key. | Yes | No | 
| wrap-with-trusted | Default: `False` | Yes | Yes | 

# Check value in CloudHSM CLI
<a name="chsm-cli-key-attribute-details"></a>

The *check value* in CloudHSM CLI is a 3-byte hash or checksum of a key that is generated when the HSM imports or generates a key. You can also calculate a check value outside of the HSM, such as after you export a key. You can then compare the two check values to confirm the identity and integrity of the key. To get the check value of a key, use [key list](cloudhsm_cli-key-list.md) with the verbose flag.

AWS CloudHSM uses the following standard methods to generate a check value:
+ **Symmetric keys**: First 3 bytes of the result of encrypting a zero-block with the key.
+ **Asymmetric key pairs**: First 3 bytes of the SHA-1 hash of the public key.
+ **HMAC keys**: KCV for HMAC keys is not supported at this time.
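
The symmetric-key method above, carried through as an added example (not AWS code): it computes the check value of an exported AES key outside the HSM and compares it with the value the CLI reports. The pure-Python AES block cipher is included only so the example runs without third-party packages; the function names and the optional `0x` prefix on the reported value are assumptions, and the asymmetric method is left out because this page does not say how the public key is encoded before hashing.

```python
def _gmul(a, b):
    """Multiply two bytes in GF(2^8) modulo the AES polynomial 0x11B."""
    r = 0
    while b:
        r ^= a * (b & 1)
        a = (a << 1) ^ (0x11B if a & 0x80 else 0)
        b >>= 1
    return r

def _sbox_entry(x):
    inv = next((y for y in range(1, 256) if _gmul(x, y) == 1), 0)
    out = inv
    for s in range(1, 5):  # affine step: XOR with four left-rotations
        out ^= ((inv << s) | (inv >> (8 - s))) & 0xFF
    return out ^ 0x63
SBOX = [_sbox_entry(x) for x in range(256)]

def aes_encrypt_block(key, block):
    """Encrypt one 16-byte block with AES-128/192/256 (FIPS-197), no mode."""
    nk, nr, rcon = len(key) // 4, len(key) // 4 + 6, 1
    w = [list(key[i:i + 4]) for i in range(0, len(key), 4)]
    for i in range(nk, 4 * (nr + 1)):                       # key expansion
        t = list(w[i - 1])
        if i % nk == 0:
            t = [SBOX[b] for b in t[1:] + t[:1]]
            t[0] ^= rcon
            rcon = _gmul(rcon, 2)
        elif nk > 6 and i % nk == 4:
            t = [SBOX[b] for b in t]
        w.append([a ^ b for a, b in zip(w[i - nk], t)])
    rk = lambda r: [b for word in w[4 * r:4 * r + 4] for b in word]
    s = [a ^ b for a, b in zip(block, rk(0))]
    for r in range(1, nr + 1):
        s = [SBOX[b] for b in s]                            # SubBytes
        s = [s[(i + 4 * (i % 4)) % 16] for i in range(16)]  # ShiftRows
        if r != nr:                                         # MixColumns
            s = [_gmul(s[c + j], 2) ^ _gmul(s[c + (j + 1) % 4], 3) ^ s[c + (j + 2) % 4]
                 ^ s[c + (j + 3) % 4] for c in range(0, 16, 4) for j in range(4)]
        s = [a ^ b for a, b in zip(s, rk(r))]               # AddRoundKey
    return bytes(s)

def aes_check_value(key):  # first 3 bytes of the encrypted zero-block, as hex
    if len(key) not in (16, 24, 32):  # key-length-bytes values in the table
        raise ValueError("AES key must be 16, 24, or 32 bytes")
    return aes_encrypt_block(key, bytes(16))[:3].hex()

def matches_hsm(key, reported):
    # `reported`: check-value hex string from the CLI; "0x" prefix optional (assumption)
    return aes_check_value(key) == format(int(reported, 16), "06x")
```

For the all-zero 128-bit key (a constructed test input), `aes_check_value(bytes(16))` returns `66e94b`. Three bytes are enough to catch a wrong or corrupted key, but they are too short to serve as a cryptographic integrity guarantee.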

# Related topics for CloudHSM CLI
<a name="chsm_cli-key-attributes-seealso"></a>

See the following topics for more information about CloudHSM CLI.
+ [The key category in CloudHSM CLI](cloudhsm_cli-key.md)
+ [Reference for CloudHSM CLI commands](cloudhsm_cli-reference.md)