Wrap a key with CLOUDHSM-AES-GCM using CloudHSM CLI - AWS CloudHSM
User typeRequirementsSyntaxExampleArgumentsRelated topics

Wrap a key with CLOUDHSM-AES-GCM using CloudHSM CLI

Use the key wrap cloudhsm-aes-gcm command in CloudHSM CLI to wrap a payload key using an AES key on the hardware security module (HSM) and the CLOUDHSM-AES-GCM wrapping mechanism. The payload key’s extractable attribute must be set to true.

Only the owner of a key, that is the crypto user (CU) who created the key, can wrap the key. Users who share the key can use the key in cryptographic operations.

To use the key wrap cloudhsm-aes-gcm command, you must first have an AES key in your AWS CloudHSM cluster. You can generate an AES key for wrapping with the Generate a symmetric AES key with CloudHSM CLI command and the wrap attribute set to true.

User type

The following types of users can run this command.

  • Crypto users (CUs)

Requirements

  • To run this command, you must be logged in as a CU.

Syntax

aws-cloudhsm > help key wrap cloudhsm-aes-gcm
Usage: key wrap cloudhsm-aes-gcm [OPTIONS] --payload-filter [<PAYLOAD_FILTER>...] --wrapping-filter [<WRAPPING_FILTER>...] --tag-length-bits <TAG_LENGTH_BITS>

Options:
      --cluster-id <CLUSTER_ID>
          Unique Id to choose which of the clusters in the config file to run the operation against. If not provided, will fall back to the value provided when interactive mode was started, or error
      --payload-filter [<PAYLOAD_FILTER>...]
          Key reference (e.g. key-reference=0xabc) or space separated list of key attributes in the form of attr.KEY_ATTRIBUTE_NAME=KEY_ATTRIBUTE_VALUE to select a payload key
      --wrapping-filter [<WRAPPING_FILTER>...]
          Key reference (e.g. key-reference=0xabc) or space separated list of key attributes in the form of attr.KEY_ATTRIBUTE_NAME=KEY_ATTRIBUTE_VALUE to select a wrapping key
      --path <PATH>
          Path to the binary file where the wrapped key data will be saved
      --aad <AAD>
          Aes GCM Additional Authenticated Data (AAD) value, in hex
      --tag-length-bits <TAG_LENGTH_BITS>
          Aes GCM tag length in bits
  -h, --help
          Print help

Example

This example shows how to use the key wrap cloudhsm-aes-gcm command using an AES key.

aws-cloudhsm > key wrap cloudhsm-aes-gcm --payload-filter attr.label=payload-key --wrapping-filter attr.label=aes-example --tag-length-bits 64 --aad 0x10
{
  "error_code": 0,
  "data": {
    "payload_key_reference": "0x00000000001c08f1",
    "wrapping_key_reference": "0x00000000001c08ea",
    "wrapped_key_data": "6Rn8nkjEriDYlnP3P8nPkYQ8hplOEJ899zsrF+aTB0i/fIlZ"
  }
}

Arguments

<CLUSTER_ID>

The ID of the cluster to run this operation on.

Required: If multiple clusters have been configured.

<PAYLOAD_FILTER>

Key reference (for example, key-reference=0xabc) or space separated list of key attributes in the form of attr.KEY_ATTRIBUTE_NAME=KEY_ATTRIBUTE_VALUE to select a payload key.

Required: Yes

<PATH>

Path to the binary file where the wrapped key data will be saved.

Required: No

<WRAPPING_FILTER>

Key reference (for example, key-reference=0xabc) or space separated list of key attributes in the form of attr.KEY_ATTRIBUTE_NAME=KEY_ATTRIBUTE_VALUE to select a wrapping key.

Required: Yes

<AAD>

AES GCM Additional Authenticated Data (AAD) value, in hex.

Required: No

<TAG_LENGTH_BITS>

AES GCM tag length in bits.

Required: Yes

Related topics