Select your cookie preferences

We use essential cookies and similar tools that are necessary to provide our site and services. We use performance cookies to collect anonymous statistics, so we can understand how customers use our site and make improvements. Essential cookies cannot be deactivated, but you can choose “Customize” or “Decline” to decline performance cookies.

If you agree, AWS and approved third parties will also use cookies to provide useful site features, remember your preferences, and display relevant content, including relevant advertising. To accept or decline all non-essential cookies, choose “Accept” or “Decline.” To make more detailed choices, choose “Customize.”

Wrap a key with RSA-OAEP using CloudHSM CLI

Focus mode
Wrap a key with RSA-OAEP using CloudHSM CLI - AWS CloudHSM

Use the key wrap rsa-oaep command in CloudHSM CLI to wrap a payload key using an RSA public key on the hardware security module (HSM) and the RSA-OAEP wrapping mechanism. The payload key’s extractable attribute must be set to true.

Only the owner of a key, that is the crypto user (CU) who created the key, can wrap the key. Users who share the key can use the key in cryptographic operations.

To use the key wrap rsa-oaep command, you must first have an RSA key in your AWS CloudHSM cluster. You can generate an RSA key pair using the The generate-asymmetric-pair category in CloudHSM CLI command and the wrap attribute set to true.

User type

The following types of users can run this command.

  • Crypto users (CUs)

Requirements

  • To run this command, you must be logged in as a CU.

Syntax

aws-cloudhsm > help key wrap rsa-oaep Usage: key wrap rsa-oaep [OPTIONS] --payload-filter [<PAYLOAD_FILTER>...] --wrapping-filter [<WRAPPING_FILTER>...] --hash-function <HASH_FUNCTION> --mgf <MGF> Options: --cluster-id <CLUSTER_ID> Unique Id to choose which of the clusters in the config file to run the operation against. If not provided, will fall back to the value provided when interactive mode was started, or error --payload-filter [<PAYLOAD_FILTER>...] Key reference (e.g. key-reference=0xabc) or space separated list of key attributes in the form of attr.KEY_ATTRIBUTE_NAME=KEY_ATTRIBUTE_VALUE to select a payload key --wrapping-filter [<WRAPPING_FILTER>...] Key reference (e.g. key-reference=0xabc) or space separated list of key attributes in the form of attr.KEY_ATTRIBUTE_NAME=KEY_ATTRIBUTE_VALUE to select a wrapping key --path <PATH> Path to the binary file where the wrapped key data will be saved --wrapping-approval <WRAPPING_APPROVALR> File path of signed quorum token file to approve operation for wrapping key --payload-approval <PAYLOAD_APPROVALR> File path of signed quorum token file to approve operation for payload key --hash-function <HASH_FUNCTION> Hash algorithm [possible values: sha1, sha224, sha256, sha384, sha512] --mgf <MGF> Mask Generation Function algorithm [possible values: mgf1-sha1, mgf1-sha224, mgf1-sha256, mgf1-sha384, mgf1-sha512] -h, --help Print help

Example

This example shows how to use the key wrap rsa-oaep command using an RSA public key with the wrap attribute value set to true.

aws-cloudhsm > key wrap rsa-oaep --payload-filter attr.label=payload-key --wrapping-filter attr.label=rsa-public-key-example --hash-function sha256 --mgf mgf1-sha256 { "error_code": 0, "data": { "payload-key-reference": "0x00000000001c08f1", "wrapping-key-reference": "0x00000000007008da", "wrapped-key-data": "OjJe4msobPLz9TuSAdULEu17T5rMDWtSlLyBSkLbaZnYzzpdrhsbGLbwZJCtB/jGkDNdB4qyTAOQwEpggGf6v+Yx6JcesNeKKNU8XZal/YBoHC8noTGUSDI2qr+u2tDc84NPv6d+F2KOONXsSxMhmxzzNG/gzTVIJhOuy/B1yHjGP4mOXoDZf5+7f5M1CjxBmz4Vva/wrWHGCSG0yOaWblEvOiHAIt3UBdyKmU+/My4xjfJv7WGGu3DFUUIZ06TihRtKQhUYU1M9u6NPf9riJJfHsk6QCuSZ9yWThDT9as6i7e3htnyDhIhGWaoK8JU855cN/YNKAUqkNpC4FPL3iw==" } }

Arguments

<CLUSTER_ID>

The ID of the cluster to run this operation on.

Required: If multiple clusters have been configured.

<PAYLOAD_FILTER>

Key reference (for example, key-reference=0xabc) or space separated list of key attributes in the form of attr.KEY_ATTRIBUTE_NAME=KEY_ATTRIBUTE_VALUE to select a payload key.

Required: Yes

<PATH>

Path to the binary file where the wrapped key data will be saved.

Required: No

<WRAPPING_FILTER>

Key reference (for example, key-reference=0xabc) or space separated list of key attributes in the form of attr.KEY_ATTRIBUTE_NAME=KEY_ATTRIBUTE_VALUE to select a wrapping key.

Required: Yes

<MGF>

Specifies the mask generation function.

Note

The mask generation function hash function must match the signing mechanism hash function.

Valid values

  • mgf1-sha1

  • mgf1-sha224

  • mgf1-sha256

  • mgf1-sha384

  • mgf1-sha512

Required: Yes

<WRAPPING_APPROVALR>

Specifies the file path to a signed quorum token file to approve operation for wrapping key. Only required if wrapping key's key management service quorum value is greater than 1.

<PAYLOAD_APPROVALR>

Specifies the file path to a signed quorum token file to approve operation for payload key. Only required if payload key's key management service quorum value is greater than 1.

Related topics

PrivacySite termsCookie preferences
© 2025, Amazon Web Services, Inc. or its affiliates. All rights reserved.