The key wrap command in CloudHSM CLI

The key wrap command in CloudHSM CLI exports an encrypted copy of a symmetric or asymmetric private key from the hardware security module (HSM) to a file. When you run key wrap, you specify two things: The key to export and the output file. The key to export is a key on the HSM that will encrypt (wrap) the key that you want to export.

The key wrap command does not remove the key from the HSM or prevent you from using it in cryptographic operations. You can export the same key multiple times. To import the encrypted key back into the HSM, use The key unwrap command in CloudHSM CLI. Only the owner of a key, that is the crypto user (CU) who created the key, can wrap the key. Users with whom the key is shared can only use the key in cryptographic operations.

The key wrap command consists of the following subcommands:

Warning Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Document Conventions

rsa-pkcs

aes-gcm