# The key wrap command in CloudHSM CLI
<a name="cloudhsm_cli-key-wrap"></a>

The **key wrap** command in CloudHSM CLI exports an encrypted copy of a symmetric or asymmetric private key from the hardware security module (HSM) to a file. When you run **key wrap**, you specify two things: The key to export and the output file. The key to export is a key on the HSM that will encrypt (wrap) the key that you want to export.

The **key wrap** command does not remove the key from the HSM or prevent you from using it in cryptographic operations. You can export the same key multiple times. To import the encrypted key back into the HSM, use [The key unwrap command in CloudHSM CLI](cloudhsm_cli-key-unwrap.md). Only the owner of a key, that is the crypto user (CU) who created the key, can wrap the key. Users with whom the key is shared can only use the key in cryptographic operations.

The **key wrap** command consists of the following subcommands:
+ [aes-gcm](cloudhsm_cli-key-wrap-aes-gcm.md)
+ [aes-no-pad](cloudhsm_cli-key-wrap-aes-no-pad.md)
+ [aes-pkcs5-pad](cloudhsm_cli-key-wrap-aes-pkcs5-pad.md)
+ [aes-zero-pad](cloudhsm_cli-key-wrap-aes-zero-pad.md)
+ [cloudhsm-aes-gcm](cloudhsm_cli-key-wrap-cloudhsm-aes-gcm.md)
+ [rsa-aes](cloudhsm_cli-key-wrap-rsa-aes.md)
+ [rsa-oaep](cloudhsm_cli-key-wrap-rsa-oaep.md)
+ [rsa-pkcs](cloudhsm_cli-key-wrap-rsa-pkcs.md)

# Wrap a key with AES-GCM using CloudHSM CLI
<a name="cloudhsm_cli-key-wrap-aes-gcm"></a>

Use the **key wrap aes-gcm** command in CloudHSM CLI to wrap a payload key using an AES key on the hardware security module (HSM) and the `AES-GCM` wrapping mechanism. The payload key’s `extractable` attribute must be set to `true`.

Only the owner of a key, that is the crypto user (CU) who created the key, can wrap the key. Users who share the key can use the key in cryptographic operations.

To use the **key wrap aes-gcm** command, you must first have an AES key in your AWS CloudHSM cluster. You can generate an AES key for wrapping with the [Generate a symmetric AES key with CloudHSM CLI](cloudhsm_cli-key-generate-symmetric-aes.md) command and the `wrap` attribute set to `true`.

## User type
<a name="cloudhsm_cli-key-wrap-aes-gcm-userType"></a>

The following types of users can run this command.
+ Crypto users (CUs)

## Requirements
<a name="cloudhsm_cli-key-wrap-aes-gcm-requirements"></a>
+ To run this command, you must be logged in as a CU.

## Syntax
<a name="cloudhsm_cli-key-wrap-aes-gcm-syntax"></a>

```
aws-cloudhsm > help key wrap aes-gcm
Usage: key wrap aes-gcm [OPTIONS] --payload-filter [<PAYLOAD_FILTER>...] --wrapping-filter [<WRAPPING_FILTER>...] --tag-length-bits <TAG_LENGTH_BITS>

Options:
      --cluster-id <CLUSTER_ID>
          Unique Id to choose which of the clusters in the config file to run the operation against. If not provided, will fall back to the value provided when interactive mode was started, or error
      --payload-filter [<PAYLOAD_FILTER>...]
          Key reference (e.g. key-reference=0xabc) or space separated list of key attributes in the form of attr.KEY_ATTRIBUTE_NAME=KEY_ATTRIBUTE_VALUE to select a payload key
      --wrapping-filter [<WRAPPING_FILTER>...]
          Key reference (e.g. key-reference=0xabc) or space separated list of key attributes in the form of attr.KEY_ATTRIBUTE_NAME=KEY_ATTRIBUTE_VALUE to select a wrapping key
      --path <PATH>
          Path to the binary file where the wrapped key data will be saved
      --wrapping-approval <WRAPPING_APPROVALR>
          File path of signed quorum token file to approve operation for wrapping key
      --payload-approval <PAYLOAD_APPROVALR>
          File path of signed quorum token file to approve operation for payload key
      --aad <AAD>
          Aes GCM Additional Authenticated Data (AAD) value, in hex
      --tag-length-bits <TAG_LENGTH_BITS>
          Aes GCM tag length in bits
  -h, --help
          Print help
```

## Example
<a name="cloudhsm_cli-key-wrap-aes-gcm-examples"></a>

This example shows how to use the **key wrap aes-gcm** command using an AES key.

**Example**  

```
aws-cloudhsm > key wrap aes-gcm --payload-filter attr.label=payload-key --wrapping-filter attr.label=aes-example --tag-length-bits 64  --aad 0x10
{
  "error_code": 0,
  "data": {
    "payload_key_reference": "0x00000000001c08f1",
    "wrapping_key_reference": "0x00000000001c08ea",
    "iv": "0xf90613bb8e337ec0339aad21",
    "wrapped_key_data": "xvslgrtg8kHzrvekny97tLSIeokpPwV8"
  }
}
```

## Arguments
<a name="cloudhsm_cli-key-wrap-aes-gcm-arguments"></a>

***<CLUSTER\$1ID>***  
The ID of the cluster to run this operation on.  
Required: If multiple clusters have been [configured.](cloudhsm_cli-configs-multi-cluster.md)

***<PAYLOAD\$1FILTER>***  
Key reference (for example, `key-reference=0xabc`) or space separated list of key attributes in the form of `attr.KEY_ATTRIBUTE_NAME=KEY_ATTRIBUTE_VALUE` to select a payload key.  
Required: Yes

***<PATH>***  
Path to the binary file where the wrapped key data will be saved.  
Required: No

***<WRAPPING\$1FILTER>***  
Key reference (for example, `key-reference=0xabc`) or space separated list of key attributes in the form of `attr.KEY_ATTRIBUTE_NAME=KEY_ATTRIBUTE_VALUE` to select a wrapping key.   
Required: Yes

***<AAD>***  
AES GCM Additional Authenticated Data (AAD) value, in hex.   
Required: No

***<TAG\$1LENGTH\$1BITS>***  
AES GCM tag length in bits.  
Required: Yes

***<WRAPPING\$1APPROVALR>***  
Specifies the file path to a signed quorum token file to approve operation for wrapping key. Only required if wrapping key's key management service quorum value is greater than 1.

***<PAYLOAD\$1APPROVALR>***  
Specifies the file path to a signed quorum token file to approve operation for payload key. Only required if payload key's key management service quorum value is greater than 1.

## Related topics
<a name="cloudhsm_cli-key-wrap-aes-gcm-seealso"></a>
+ [The key wrap command in CloudHSM CLI](cloudhsm_cli-key-wrap.md)
+ [The key unwrap command in CloudHSM CLI](cloudhsm_cli-key-unwrap.md)

# Wrap a key with AES-NO-PAD using CloudHSM CLI
<a name="cloudhsm_cli-key-wrap-aes-no-pad"></a>

Use the **key wrap aes-no-pad** command in CloudHSM CLI to wrap a payload key using an AES key on the hardware security module (HSM) and the `AES-NO-PAD` wrapping mechanism. The payload key’s `extractable` attribute must be set to `true`.

Only the owner of a key, that is the crypto user (CU) who created the key, can wrap the key. Users who share the key can use the key in cryptographic operations.

To use the **key wrap aes-no-pad** command, you must first have an AES key in your AWS CloudHSM cluster. You can generate an AES key for wrapping using the [Generate a symmetric AES key with CloudHSM CLI](cloudhsm_cli-key-generate-symmetric-aes.md) command and the `wrap` attribute set to `true`.

## User type
<a name="cloudhsm_cli-key-wrap-aes-no-pad-userType"></a>

The following types of users can run this command.
+ Crypto users (CUs)

## Requirements
<a name="cloudhsm_cli-key-wrap-aes-no-pad-requirements"></a>
+ To run this command, you must be logged in as a CU.

## Syntax
<a name="cloudhsm_cli-key-wrap-aes-no-pad-syntax"></a>

```
aws-cloudhsm > help key wrap aes-no-pad
Usage: key wrap aes-no-pad [OPTIONS] --payload-filter [<PAYLOAD_FILTER>...] --wrapping-filter [<WRAPPING_FILTER>...]

Options:
      --cluster-id <CLUSTER_ID>
          Unique Id to choose which of the clusters in the config file to run the operation against. If not provided, will fall back to the value provided when interactive mode was started, or error
      --payload-filter [<PAYLOAD_FILTER>...]
          Key reference (e.g. key-reference=0xabc) or space separated list of key attributes in the form of attr.KEY_ATTRIBUTE_NAME=KEY_ATTRIBUTE_VALUE to select a payload key
      --wrapping-filter [<WRAPPING_FILTER>...]
          Key reference (e.g. key-reference=0xabc) or space separated list of key attributes in the form of attr.KEY_ATTRIBUTE_NAME=KEY_ATTRIBUTE_VALUE to select a wrapping key
      --path <PATH>
          Path to the binary file where the wrapped key data will be saved
      --wrapping-approval <WRAPPING_APPROVALR>
          File path of signed quorum token file to approve operation for wrapping key
      --payload-approval <PAYLOAD_APPROVALR>
          File path of signed quorum token file to approve operation for payload key
  -h, --help
          Print help
```

## Example
<a name="cloudhsm_cli-key-wrap-aes-no-pad-examples"></a>

This example shows how to use the **key wrap aes-no-pad** command using an AES key with the `wrap` attribute value set to `true`.

**Example**  

```
aws-cloudhsm > key wrap aes-no-pad --payload-filter attr.label=payload-key --wrapping-filter attr.label=aes-example
{
  "error_code": 0,
  "data": {
    "payload_key_reference": "0x00000000001c08f1",
    "wrapping_key_reference": "0x00000000001c08ea",
    "wrapped_key_data": "eXK3PMAOnKM9y3YX6brbhtMoC060EOH9"
  }
}
```

## Arguments
<a name="cloudhsm_cli-key-wrap-aes-no-pad-arguments"></a>

***<CLUSTER\$1ID>***  
The ID of the cluster to run this operation on.  
Required: If multiple clusters have been [configured.](cloudhsm_cli-configs-multi-cluster.md)

***<PAYLOAD\$1FILTER>***  
Key reference (for example, `key-reference=0xabc`) or space separated list of key attributes in the form of `attr.KEY_ATTRIBUTE_NAME=KEY_ATTRIBUTE_VALUE` to select a payload key.  
Required: Yes

***<PATH>***  
Path to the binary file where the wrapped key data will be saved.  
Required: No

***<WRAPPING\$1FILTER>***  
Key reference (for example, `key-reference=0xabc`) or space separated list of key attributes in the form of `attr.KEY_ATTRIBUTE_NAME=KEY_ATTRIBUTE_VALUE` to select a wrapping key.   
Required: Yes

***<WRAPPING\$1APPROVALR>***  
Specifies the file path to a signed quorum token file to approve operation for wrapping key. Only required if wrapping key's key management service quorum value is greater than 1.

***<PAYLOAD\$1APPROVALR>***  
Specifies the file path to a signed quorum token file to approve operation for payload key. Only required if payload key's key management service quorum value is greater than 1.

## Related topics
<a name="cloudhsm_cli-key-wrap-aes-no-pad-seealso"></a>
+ [The key wrap command in CloudHSM CLI](cloudhsm_cli-key-wrap.md)
+ [The key unwrap command in CloudHSM CLI](cloudhsm_cli-key-unwrap.md)

# Wrap a key with AES-PKCS5-PAD using CloudHSM CLI
<a name="cloudhsm_cli-key-wrap-aes-pkcs5-pad"></a>

Use the **key wrap aes-pkcs5-pad** command in CloudHSM CLI to wrap a payload key using an AES key on the hardware security module (HSM) and the `AES-PKCS5-PAD` wrapping mechanism. The payload key's `extractable` attribute must be set to `true`.

Only the owner of a key, that is the crypto user (CU) who created the key, can wrap the key. Users who share the key can use the key in cryptographic operations.

To use the **key wrap aes-pkcs5-pad** command, you must first have an AES key in your AWS CloudHSM cluster. You can generate an AES key for wrapping using the [Generate a symmetric AES key with CloudHSM CLI](cloudhsm_cli-key-generate-symmetric-aes.md) command and the `wrap` attribute set to `true`.

## User type
<a name="cloudhsm_cli-key-wrap-aes-pkcs5-pad-userType"></a>

The following types of users can run this command.
+ Crypto users (CUs)

## Requirements
<a name="cloudhsm_cli-key-wrap-aes-pkcs5-pad-requirements"></a>
+ To run this command, you must be logged in as a CU.

## Syntax
<a name="cloudhsm_cli-key-wrap-aes-pkcs5-pad-syntax"></a>

```
aws-cloudhsm > help key wrap aes-pkcs5-pad
Usage: key wrap aes-pkcs5-pad [OPTIONS] --payload-filter [<PAYLOAD_FILTER>...] --wrapping-filter [<WRAPPING_FILTER>...]

Options:
      --cluster-id <CLUSTER_ID>
          Unique Id to choose which of the clusters in the config file to run the operation against. If not provided, will fall back to the value provided when interactive mode was started, or error
      --payload-filter [<PAYLOAD_FILTER>...]
          Key reference (e.g. key-reference=0xabc) or space separated list of key attributes in the form of attr.KEY_ATTRIBUTE_NAME=KEY_ATTRIBUTE_VALUE to select a payload key
      --wrapping-filter [<WRAPPING_FILTER>...]
          Key reference (e.g. key-reference=0xabc) or space separated list of key attributes in the form of attr.KEY_ATTRIBUTE_NAME=KEY_ATTRIBUTE_VALUE to select a wrapping key
      --path <PATH>
          Path to the binary file where the wrapped key data will be saved
      --wrapping-approval <WRAPPING_APPROVALR>
          File path of signed quorum token file to approve operation for wrapping key
      --payload-approval <PAYLOAD_APPROVALR>
          File path of signed quorum token file to approve operation for payload key
  -h, --help
          Print help
```

## Example
<a name="cloudhsm_cli-key-wrap-aes-pkcs5-pad-examples"></a>

This example shows how to use the **key wrap aes-pkcs5-pad** command using an AES key with the `wrap` attribute value set to `true`.

**Example**  

```
aws-cloudhsm > key wrap aes-pkcs5-pad --payload-filter attr.label=payload-key --wrapping-filter attr.label=aes-example
{
  "error_code": 0,
  "data": {
    "payload_key_reference": "0x00000000001c08f1",
    "wrapping_key_reference": "0x00000000001c08ea",
    "wrapped_key_data": "MbuYNresfOKyGNnxKWen88nSfX+uUE/0qmGofSisicY="
  }
}
```

## Arguments
<a name="cloudhsm_cli-key-wrap-aes-pkcs5-pad-arguments"></a>

***<CLUSTER\$1ID>***  
The ID of the cluster to run this operation on.  
Required: If multiple clusters have been [configured.](cloudhsm_cli-configs-multi-cluster.md)

***<PAYLOAD\$1FILTER>***  
Key reference (for example, `key-reference=0xabc`) or space separated list of key attributes in the form of `attr.KEY_ATTRIBUTE_NAME=KEY_ATTRIBUTE_VALUE` to select a payload key.  
Required: Yes

***<PATH>***  
Path to the binary file where the wrapped key data will be saved.  
Required: No

***<WRAPPING\$1FILTER>***  
Key reference (for example, `key-reference=0xabc`) or space separated list of key attributes in the form of `attr.KEY_ATTRIBUTE_NAME=KEY_ATTRIBUTE_VALUE` to select a wrapping key.   
Required: Yes

***<WRAPPING\$1APPROVALR>***  
Specifies the file path to a signed quorum token file to approve operation for wrapping key. Only required if wrapping key's key management service quorum value is greater than 1.

***<PAYLOAD\$1APPROVALR>***  
Specifies the file path to a signed quorum token file to approve operation for payload key. Only required if payload key's key management service quorum value is greater than 1.

## Related topics
<a name="cloudhsm_cli-key-wrap-aes-pkcs5-pad-seealso"></a>
+ [The key wrap command in CloudHSM CLI](cloudhsm_cli-key-wrap.md)
+ [The key unwrap command in CloudHSM CLI](cloudhsm_cli-key-unwrap.md)

# Wrap a key with AES-ZERO-PAD using CloudHSM CLI
<a name="cloudhsm_cli-key-wrap-aes-zero-pad"></a>

Use the **key wrap aes-zero-pad** command in CloudHSM CLI to wrap a payload key using an AES key on the hardware security module HSM) and the `AES-ZERO-PAD` wrapping mechanism. The payload key’s `extractable` attribute must be set to `true`.

Only the owner of a key, that is the crypto user (CU) who created the key, can wrap the key. Users who share the key can use the key in cryptographic operations.

To use the **key wrap aes-zero-pad** command, you must first have an AES key in your AWS CloudHSM cluster. You can generate an AES key for wrapping using the [Generate a symmetric AES key with CloudHSM CLI](cloudhsm_cli-key-generate-symmetric-aes.md) command with the `wrap` attribute set to `true`.

## User type
<a name="cloudhsm_cli-key-wrap-aes-zero-pad-userType"></a>

The following types of users can run this command.
+ Crypto users (CUs)

## Requirements
<a name="cloudhsm_cli-key-wrap-aes-zero-pad-requirements"></a>
+ To run this command, you must be logged in as a CU.

## Syntax
<a name="cloudhsm_cli-key-wrap-aes-zero-pad-syntax"></a>

```
aws-cloudhsm > help key wrap aes-zero-pad
Usage: key wrap aes-zero-pad [OPTIONS] --payload-filter [<PAYLOAD_FILTER>...] --wrapping-filter [<WRAPPING_FILTER>...]

Options:
      --cluster-id <CLUSTER_ID>
          Unique Id to choose which of the clusters in the config file to run the operation against. If not provided, will fall back to the value provided when interactive mode was started, or error
      --payload-filter [<PAYLOAD_FILTER>...]
          Key reference (e.g. key-reference=0xabc) or space separated list of key attributes in the form of attr.KEY_ATTRIBUTE_NAME=KEY_ATTRIBUTE_VALUE to select a payload key
      --wrapping-filter [<WRAPPING_FILTER>...]
          Key reference (e.g. key-reference=0xabc) or space separated list of key attributes in the form of attr.KEY_ATTRIBUTE_NAME=KEY_ATTRIBUTE_VALUE to select a wrapping key
      --path <PATH>
          Path to the binary file where the wrapped key data will be saved
      --wrapping-approval <WRAPPING_APPROVALR>
          File path of signed quorum token file to approve operation for wrapping key
      --payload-approval <PAYLOAD_APPROVALR>
          File path of signed quorum token file to approve operation for payload key
  -h, --help
          Print help
```

## Example
<a name="cloudhsm_cli-key-wrap-aes-zero-pad-examples"></a>

This example shows how to use the **key wrap aes-zero-pad ** command using an AES key with the `wrap` attribute value set to `true`.

**Example**  

```
aws-cloudhsm > key wrap aes-zero-pad --payload-filter attr.label=payload-key --wrapping-filter attr.label=aes-example
{
  "error_code": 0,
  "data": {
    "payload_key_reference": "0x00000000001c08f1",
    "wrapping_key_reference": "0x00000000001c08ea",
    "wrapped_key_data": "L1wVlL/YeBNVAw6Mpk3owFJZXBzDLONt"
  }
}
```

## Arguments
<a name="cloudhsm_cli-key-wrap-aes-zero-pad-arguments"></a>

***<CLUSTER\$1ID>***  
The ID of the cluster to run this operation on.  
Required: If multiple clusters have been [configured.](cloudhsm_cli-configs-multi-cluster.md)

***<PAYLOAD\$1FILTER>***  
Key reference (for example, `key-reference=0xabc`) or space separated list of key attributes in the form of `attr.KEY_ATTRIBUTE_NAME=KEY_ATTRIBUTE_VALUE` to select a payload key.  
Required: Yes

***<PATH>***  
Path to the binary file where the wrapped key data will be saved.  
Required: No

***<WRAPPING\$1FILTER>***  
Key reference (for example, `key-reference=0xabc`) or space separated list of key attributes in the form of `attr.KEY_ATTRIBUTE_NAME=KEY_ATTRIBUTE_VALUE` to select a wrapping key.   
Required: Yes

***<WRAPPING\$1APPROVALR>***  
Specifies the file path to a signed quorum token file to approve operation for wrapping key. Only required if wrapping key's key management service quorum value is greater than 1.

***<PAYLOAD\$1APPROVALR>***  
Specifies the file path to a signed quorum token file to approve operation for payload key. Only required if payload key's key management service quorum value is greater than 1.

## Related topics
<a name="cloudhsm_cli-key-wrap-aes-zero-pad-seealso"></a>
+ [The key wrap command in CloudHSM CLI](cloudhsm_cli-key-wrap.md)
+ [The key unwrap command in CloudHSM CLI](cloudhsm_cli-key-unwrap.md)

# Wrap a key with CLOUDHSM-AES-GCM using CloudHSM CLI
<a name="cloudhsm_cli-key-wrap-cloudhsm-aes-gcm"></a>

Use the **key wrap cloudhsm-aes-gcm** command in CloudHSM CLI to wrap a payload key using an AES key on the hardware security module (HSM) and the `CLOUDHSM-AES-GCM` wrapping mechanism. The payload key’s `extractable` attribute must be set to `true`.

Only the owner of a key, that is the crypto user (CU) who created the key, can wrap the key. Users who share the key can use the key in cryptographic operations.

To use the **key wrap cloudhsm-aes-gcm** command, you must first have an AES key in your AWS CloudHSM cluster. You can generate an AES key for wrapping with the [Generate a symmetric AES key with CloudHSM CLI](cloudhsm_cli-key-generate-symmetric-aes.md) command and the `wrap` attribute set to `true`.

## User type
<a name="cloudhsm_cli-key-wrap-cloudhsm-aes-gcm-userType"></a>

The following types of users can run this command.
+ Crypto users (CUs)

## Requirements
<a name="cloudhsm_cli-key-wrap-cloudhsm-aes-gcm-requirements"></a>
+ To run this command, you must be logged in as a CU.

## Syntax
<a name="cloudhsm_cli-key-wrap-cloudhsm-aes-gcm-syntax"></a>

```
aws-cloudhsm > help key wrap cloudhsm-aes-gcm
Usage: key wrap cloudhsm-aes-gcm [OPTIONS] --payload-filter [<PAYLOAD_FILTER>...] --wrapping-filter [<WRAPPING_FILTER>...] --tag-length-bits <TAG_LENGTH_BITS>

Options:
      --cluster-id <CLUSTER_ID>
          Unique Id to choose which of the clusters in the config file to run the operation against. If not provided, will fall back to the value provided when interactive mode was started, or error
      --payload-filter [<PAYLOAD_FILTER>...]
          Key reference (e.g. key-reference=0xabc) or space separated list of key attributes in the form of attr.KEY_ATTRIBUTE_NAME=KEY_ATTRIBUTE_VALUE to select a payload key
      --wrapping-filter [<WRAPPING_FILTER>...]
          Key reference (e.g. key-reference=0xabc) or space separated list of key attributes in the form of attr.KEY_ATTRIBUTE_NAME=KEY_ATTRIBUTE_VALUE to select a wrapping key
      --path <PATH>
          Path to the binary file where the wrapped key data will be saved
      --wrapping-approval <WRAPPING_APPROVALR>
          File path of signed quorum token file to approve operation for wrapping key
      --payload-approval <PAYLOAD_APPROVALR>
          File path of signed quorum token file to approve operation for payload key
      --aad <AAD>
          Aes GCM Additional Authenticated Data (AAD) value, in hex
      --tag-length-bits <TAG_LENGTH_BITS>
          Aes GCM tag length in bits
  -h, --help
          Print help
```

## Example
<a name="cloudhsm_cli-key-wrap-cloudhsm-aes-gcm-examples"></a>

This example shows how to use the **key wrap cloudhsm-aes-gcm** command using an AES key.

**Example**  

```
aws-cloudhsm > key wrap cloudhsm-aes-gcm --payload-filter attr.label=payload-key --wrapping-filter attr.label=aes-example --tag-length-bits 64 --aad 0x10
{
  "error_code": 0,
  "data": {
    "payload_key_reference": "0x00000000001c08f1",
    "wrapping_key_reference": "0x00000000001c08ea",
    "wrapped_key_data": "6Rn8nkjEriDYlnP3P8nPkYQ8hplOEJ899zsrF+aTB0i/fIlZ"
  }
}
```

## Arguments
<a name="cloudhsm_cli-key-wrap-cloudhsm-aes-gcm-arguments"></a>

***<CLUSTER\$1ID>***  
The ID of the cluster to run this operation on.  
Required: If multiple clusters have been [configured.](cloudhsm_cli-configs-multi-cluster.md)

***<PAYLOAD\$1FILTER>***  
Key reference (for example, `key-reference=0xabc`) or space separated list of key attributes in the form of `attr.KEY_ATTRIBUTE_NAME=KEY_ATTRIBUTE_VALUE` to select a payload key.  
Required: Yes

***<PATH>***  
Path to the binary file where the wrapped key data will be saved.  
Required: No

***<WRAPPING\$1FILTER>***  
Key reference (for example, `key-reference=0xabc`) or space separated list of key attributes in the form of `attr.KEY_ATTRIBUTE_NAME=KEY_ATTRIBUTE_VALUE` to select a wrapping key.   
Required: Yes

***<AAD>***  
AES GCM Additional Authenticated Data (AAD) value, in hex.   
Required: No

***<TAG\$1LENGTH\$1BITS>***  
AES GCM tag length in bits.  
Required: Yes

***<WRAPPING\$1APPROVALR>***  
Specifies the file path to a signed quorum token file to approve operation for wrapping key. Only required if wrapping key's key management service quorum value is greater than 1.

***<PAYLOAD\$1APPROVALR>***  
Specifies the file path to a signed quorum token file to approve operation for payload key. Only required if payload key's key management service quorum value is greater than 1.

## Related topics
<a name="cloudhsm_cli-key-wrap-cloudhsm-aes-gcm-seealso"></a>
+ [The key wrap command in CloudHSM CLI](cloudhsm_cli-key-wrap.md)
+ [The key unwrap command in CloudHSM CLI](cloudhsm_cli-key-unwrap.md)

# Wrap a key with RSA-AES using CloudHSM CLI
<a name="cloudhsm_cli-key-wrap-rsa-aes"></a>

Use the **key wrap rsa-aes** command in CloudHSM CLI to wrap a payload key using an RSA public key on the hardware security module (HSM) and the RSA-AES wrapping mechanism. The payload key’s `extractable` attribute must be set to `true`.

Only the owner of a key, that is the crypto user (CU) who created the key, can wrap the key. Users who share the key can use the key in cryptographic operations.

To use the **key wrap rsa-aes** command, you must first have an RSA key in your AWS CloudHSM cluster. You can generate an RSA key pair using the [The generate-asymmetric-pair category in CloudHSM CLI](cloudhsm_cli-key-generate-asymmetric-pair.md) command and the `wrap` attribute set to `true`.

## User type
<a name="cloudhsm_cli-key-wrap-rsa-aes-userType"></a>

The following types of users can run this command.
+ Crypto users (CUs)

## Requirements
<a name="cloudhsm_cli-key-wrap-rsa-aes-requirements"></a>
+ To run this command, you must be logged in as a CU.

## Syntax
<a name="cloudhsm_cli-key-wrap-rsa-aes-syntax"></a>

```
aws-cloudhsm > help key wrap rsa-aes
Usage: key wrap rsa-aes [OPTIONS] --payload-filter [<PAYLOAD_FILTER>...] --wrapping-filter [<WRAPPING_FILTER>...] --hash-function <HASH_FUNCTION> --mgf <MGF>

Options:
      --cluster-id <CLUSTER_ID>
          Unique Id to choose which of the clusters in the config file to run the operation against. If not provided, will fall back to the value provided when interactive mode was started, or error
      --payload-filter [<PAYLOAD_FILTER>...]
          Key reference (e.g. key-reference=0xabc) or space separated list of key attributes in the form of attr.KEY_ATTRIBUTE_NAME=KEY_ATTRIBUTE_VALUE to select a payload key
      --wrapping-filter [<WRAPPING_FILTER>...]
          Key reference (e.g. key-reference=0xabc) or space separated list of key attributes in the form of attr.KEY_ATTRIBUTE_NAME=KEY_ATTRIBUTE_VALUE to select a wrapping key
      --path <PATH>
          Path to the binary file where the wrapped key data will be saved
      --wrapping-approval <WRAPPING_APPROVALR>
          File path of signed quorum token file to approve operation for wrapping key
      --payload-approval <PAYLOAD_APPROVALR>
          File path of signed quorum token file to approve operation for payload key
      --hash-function <HASH_FUNCTION>
          Hash algorithm [possible values: sha1, sha224, sha256, sha384, sha512]
      --mgf <MGF>
          Mask Generation Function algorithm [possible values: mgf1-sha1, mgf1-sha224, mgf1-sha256, mgf1-sha384, mgf1-sha512]
  -h, --help
          Print help
```

## Example
<a name="cloudhsm_cli-key-wrap-rsa-aes-examples"></a>

This example shows how to use the **key wrap rsa-ae** command using an RSA public key with the `wrap` attribute value set to `true`.

**Example**  

```
aws-cloudhsm > key wrap rsa-aes --payload-filter attr.label=payload-key --wrapping-filter attr.label=rsa-public-key-example --hash-function sha256 --mgf mgf1-sha256
{
  "error_code": 0,
  "data": {
    "payload-key-reference": "0x00000000001c08f1",
    "wrapping-key-reference": "0x00000000007008da",
    "wrapped-key-data": "HrSE1DEyLjIeyGdPa9R+ebiqB5TIJGyamPker31ZebPwRA+NcerbAJO8DJ1lXPygZcI21vIFSZJuWMEiWpe1R9D/5WSYgxLVKex30xCFqebtEzxbKuv4DOmU4meSofqREYvtb3EoIKwjyxCMRQFgoyUCuP4y0f0eSv0k6rSJh4NuCsHptXZbtgNeRcR4botN7LlzkEIUcq4fVHaatCwd0J1QGKHKyRhkol+RL5WGXKe4nAboAkC5GO7veI5yHL1SaKlssSJtTL/CFpbSLsAFuYbv/NUCWwMY5mwyVTCSlw+HlgKK+5TH1MzBaSi8fpfyepLT8sHy2Q/VRl6ifb49p6m0KQFbRVvz/OWUd6l4d97BdgtaEz6ueg=="
  }
}
```

## Arguments
<a name="cloudhsm_cli-key-wrap-rsa-aes-arguments"></a>

***<CLUSTER\$1ID>***  
The ID of the cluster to run this operation on.  
Required: If multiple clusters have been [configured.](cloudhsm_cli-configs-multi-cluster.md)

***<PAYLOAD\$1FILTER>***  
Key reference (for example, `key-reference=0xabc`) or space separated list of key attributes in the form of `attr.KEY_ATTRIBUTE_NAME=KEY_ATTRIBUTE_VALUE` to select a payload key.  
Required: Yes

***<PATH>***  
Path to the binary file where the wrapped key data will be saved.  
Required: No

***<WRAPPING\$1FILTER>***  
Key reference (for example, `key-reference=0xabc`) or space separated list of key attributes in the form of `attr.KEY_ATTRIBUTE_NAME=KEY_ATTRIBUTE_VALUE` to select a wrapping key.   
Required: Yes

***<MGF>***  
Specifies the mask generation function.  
The mask generation function hash function must match the signing mechanism hash function.
Valid values  
+ mgf1-sha1
+ mgf1-sha224
+ mgf1-sha256
+ mgf1-sha384
+ mgf1-sha512
Required: Yes

***<WRAPPING\$1APPROVALR>***  
Specifies the file path to a signed quorum token file to approve operation for wrapping key. Only required if wrapping key's key management service quorum value is greater than 1.

***<PAYLOAD\$1APPROVALR>***  
Specifies the file path to a signed quorum token file to approve operation for payload key. Only required if payload key's key management service quorum value is greater than 1.

## Related topics
<a name="cloudhsm_cli-key-wrap-rsa-aes-seealso"></a>
+ [The key wrap command in CloudHSM CLI](cloudhsm_cli-key-wrap.md)
+ [The key unwrap command in CloudHSM CLI](cloudhsm_cli-key-unwrap.md)

# Wrap a key with RSA-OAEP using CloudHSM CLI
<a name="cloudhsm_cli-key-wrap-rsa-oaep"></a>

Use the **key wrap rsa-oaep** command in CloudHSM CLI to wrap a payload key using an RSA public key on the hardware security module (HSM) and the `RSA-OAEP` wrapping mechanism. The payload key’s `extractable` attribute must be set to `true`.

Only the owner of a key, that is the crypto user (CU) who created the key, can wrap the key. Users who share the key can use the key in cryptographic operations.

To use the **key wrap rsa-oaep** command, you must first have an RSA key in your AWS CloudHSM cluster. You can generate an RSA key pair using the [The generate-asymmetric-pair category in CloudHSM CLI](cloudhsm_cli-key-generate-asymmetric-pair.md) command and the `wrap` attribute set to `true`.

## User type
<a name="cloudhsm_cli-key-unwrap-rsa-aes-userType"></a>

The following types of users can run this command.
+ Crypto users (CUs)

## Requirements
<a name="cloudhsm_cli-key-unwrap-rsa-aes-requirements"></a>
+ To run this command, you must be logged in as a CU.

## Syntax
<a name="cloudhsm_cli-key-unwrap-rsa-aes-syntax"></a>

```
aws-cloudhsm > help key wrap rsa-oaep
Usage: key wrap rsa-oaep [OPTIONS] --payload-filter [<PAYLOAD_FILTER>...] --wrapping-filter [<WRAPPING_FILTER>...] --hash-function <HASH_FUNCTION> --mgf <MGF>

Options:
      --cluster-id <CLUSTER_ID>
          Unique Id to choose which of the clusters in the config file to run the operation against. If not provided, will fall back to the value provided when interactive mode was started, or error
      --payload-filter [<PAYLOAD_FILTER>...]
          Key reference (e.g. key-reference=0xabc) or space separated list of key attributes in the form of attr.KEY_ATTRIBUTE_NAME=KEY_ATTRIBUTE_VALUE to select a payload key
      --wrapping-filter [<WRAPPING_FILTER>...]
          Key reference (e.g. key-reference=0xabc) or space separated list of key attributes in the form of attr.KEY_ATTRIBUTE_NAME=KEY_ATTRIBUTE_VALUE to select a wrapping key
      --path <PATH>
          Path to the binary file where the wrapped key data will be saved
      --wrapping-approval <WRAPPING_APPROVALR>
          File path of signed quorum token file to approve operation for wrapping key
      --payload-approval <PAYLOAD_APPROVALR>
          File path of signed quorum token file to approve operation for payload key
      --hash-function <HASH_FUNCTION>
          Hash algorithm [possible values: sha1, sha224, sha256, sha384, sha512]
      --mgf <MGF>
          Mask Generation Function algorithm [possible values: mgf1-sha1, mgf1-sha224, mgf1-sha256, mgf1-sha384, mgf1-sha512]
  -h, --help
          Print help
```

## Example
<a name="cloudhsm_cli-key-unwrap-rsa-aes-examples"></a>

This example shows how to use the **key wrap rsa-oaep** command using an RSA public key with the `wrap` attribute value set to `true`.

**Example**  

```
aws-cloudhsm > key wrap rsa-oaep --payload-filter attr.label=payload-key --wrapping-filter attr.label=rsa-public-key-example --hash-function sha256 --mgf mgf1-sha256
{
  "error_code": 0,
  "data": {
    "payload-key-reference": "0x00000000001c08f1",
    "wrapping-key-reference": "0x00000000007008da",
    "wrapped-key-data": "OjJe4msobPLz9TuSAdULEu17T5rMDWtSlLyBSkLbaZnYzzpdrhsbGLbwZJCtB/jGkDNdB4qyTAOQwEpggGf6v+Yx6JcesNeKKNU8XZal/YBoHC8noTGUSDI2qr+u2tDc84NPv6d+F2KOONXsSxMhmxzzNG/gzTVIJhOuy/B1yHjGP4mOXoDZf5+7f5M1CjxBmz4Vva/wrWHGCSG0yOaWblEvOiHAIt3UBdyKmU+/My4xjfJv7WGGu3DFUUIZ06TihRtKQhUYU1M9u6NPf9riJJfHsk6QCuSZ9yWThDT9as6i7e3htnyDhIhGWaoK8JU855cN/YNKAUqkNpC4FPL3iw=="
  }
}
```

## Arguments
<a name="cloudhsm_cli-key-unwrap-rsa-aes-arguments"></a>

***<CLUSTER\$1ID>***  
The ID of the cluster to run this operation on.  
Required: If multiple clusters have been [configured.](cloudhsm_cli-configs-multi-cluster.md)

***<PAYLOAD\$1FILTER>***  
Key reference (for example, `key-reference=0xabc`) or space separated list of key attributes in the form of `attr.KEY_ATTRIBUTE_NAME=KEY_ATTRIBUTE_VALUE` to select a payload key.  
Required: Yes

***<PATH>***  
Path to the binary file where the wrapped key data will be saved.  
Required: No

***<WRAPPING\$1FILTER>***  
Key reference (for example, `key-reference=0xabc`) or space separated list of key attributes in the form of `attr.KEY_ATTRIBUTE_NAME=KEY_ATTRIBUTE_VALUE` to select a wrapping key.   
Required: Yes

***<MGF>***  
Specifies the mask generation function.  
The mask generation function hash function must match the signing mechanism hash function.
Valid values  
+ mgf1-sha1
+ mgf1-sha224
+ mgf1-sha256
+ mgf1-sha384
+ mgf1-sha512
Required: Yes

***<WRAPPING\$1APPROVALR>***  
Specifies the file path to a signed quorum token file to approve operation for wrapping key. Only required if wrapping key's key management service quorum value is greater than 1.

***<PAYLOAD\$1APPROVALR>***  
Specifies the file path to a signed quorum token file to approve operation for payload key. Only required if payload key's key management service quorum value is greater than 1.

## Related topics
<a name="cloudhsm_cli-key-unwrap-rsa-aes-seealso"></a>
+ [The key wrap command in CloudHSM CLI](cloudhsm_cli-key-wrap.md)
+ [The key unwrap command in CloudHSM CLI](cloudhsm_cli-key-unwrap.md)

# Wrap a key with RSA-PKCS using CloudHSM CLI
<a name="cloudhsm_cli-key-wrap-rsa-pkcs"></a>

Use the **key wrap rsa-pkcs** command in CloudHSM CLI to wrap a payload key using an RSA public key on the hardware security module (HSM) and the `RSA-PKCS` wrapping mechanism. The payload key’s `extractable` attribute must be set to `true`.

Only the owner of a key, that is the crypto user (CU) who created the key, can wrap the key. Users who share the key can use the key in cryptographic operations.

To use the **key wrap rsa-pkcs** command, you must first have an RSA key in your AWS CloudHSM cluster. You can generate an RSA key pair using the [The generate-asymmetric-pair category in CloudHSM CLI](cloudhsm_cli-key-generate-asymmetric-pair.md) command and the `wrap` attribute set to `true`.

## User type
<a name="cloudhsm_cli-key-wrap-rsa-pkcs-userType"></a>

The following types of users can run this command.
+ Crypto users (CUs)

## Requirements
<a name="cloudhsm_cli-key-wrap-rsa-pkcs-requirements"></a>
+ To run this command, you must be logged in as a CU.

## Syntax
<a name="cloudhsm_cli-key-wrap-rsa-pkcs-syntax"></a>

```
aws-cloudhsm > help key wrap rsa-pkcs
Usage: key wrap rsa-pkcs [OPTIONS] --payload-filter [<PAYLOAD_FILTER>...] --wrapping-filter [<WRAPPING_FILTER>...]

Options:
      --cluster-id <CLUSTER_ID>
          Unique Id to choose which of the clusters in the config file to run the operation against. If not provided, will fall back to the value provided when interactive mode was started, or error
      --payload-filter [<PAYLOAD_FILTER>...]
          Key reference (e.g. key-reference=0xabc) or space separated list of key attributes in the form of attr.KEY_ATTRIBUTE_NAME=KEY_ATTRIBUTE_VALUE to select a payload key
      --wrapping-filter [<WRAPPING_FILTER>...]
          Key reference (e.g. key-reference=0xabc) or space separated list of key attributes in the form of attr.KEY_ATTRIBUTE_NAME=KEY_ATTRIBUTE_VALUE to select a wrapping key
      --path <PATH>
          Path to the binary file where the wrapped key data will be saved
      --wrapping-approval <WRAPPING_APPROVALR>
          File path of signed quorum token file to approve operation for wrapping key
      --payload-approval <PAYLOAD_APPROVALR>
          File path of signed quorum token file to approve operation for payload key
  -h, --help
          Print help
```

## Example
<a name="cloudhsm_cli-key-wrap-rsa-pkcs-examples"></a>

This example shows how to use the **key wrap rsa-pkcs** command using an RSA public key.

**Example**  

```
aws-cloudhsm > key wrap rsa-pkcs --payload-filter attr.label=payload-key --wrapping-filter attr.label=rsa-public-key-example
{
  "error_code": 0,
  "data": {
    "payload_key_reference": "0x00000000001c08f1",
    "wrapping_key_reference": "0x00000000007008da",
    "wrapped_key_data": "am0Nc7+YE8FWs+5HvU7sIBcXVb24QA0l65nbNAD+1bK+e18BpSfnaI3P+r8Dp+pLu1ofoUy/vtzRjZoCiDofcz4EqCFnGl4GdcJ1/3W/5WRvMatCa2d7cx02swaeZcjKsermPXYRO1lGlfq6NskwMeeTkV8R7Rx9artFrs1y0DdIgIKVaiFHwnBIUMnlQrR2zRmMkfwU1jxMYmOYyD031F5VbnjSrhfMwkww2la7uf/c3XdFJ2+0Bo94c6og/yfPcpOOobJlITCoXhtMRepSdO4OggYq/6nUDuHCtJ86pPGnNahyr7+sAaSI3a5ECQLUjwaIARUCyoRh7EFK3qPXcg=="
  }
```

## Arguments
<a name="cloudhsm_cli-key-wrap-rsa-pkcs-arguments"></a>

***<CLUSTER\$1ID>***  
The ID of the cluster to run this operation on.  
Required: If multiple clusters have been [configured.](cloudhsm_cli-configs-multi-cluster.md)

***<PAYLOAD\$1FILTER>***  
Key reference (for example, `key-reference=0xabc`) or space separated list of key attributes in the form of `attr.KEY_ATTRIBUTE_NAME=KEY_ATTRIBUTE_VALUE` to select a payload key.  
Required: Yes

***<PATH>***  
Path to the binary file where the wrapped key data will be saved.  
Required: No

***<WRAPPING\$1FILTER>***  
Key reference (for example, `key-reference=0xabc`) or space separated list of key attributes in the form of `attr.KEY_ATTRIBUTE_NAME=KEY_ATTRIBUTE_VALUE` to select a wrapping key.   
Required: Yes

***<WRAPPING\$1APPROVALR>***  
Specifies the file path to a signed quorum token file to approve operation for wrapping key. Only required if wrapping key's key management service quorum value is greater than 1.

***<PAYLOAD\$1APPROVALR>***  
Specifies the file path to a signed quorum token file to approve operation for payload key. Only required if payload key's key management service quorum value is greater than 1.

## Related topics
<a name="cloudhsm_cli-key-wrap-rsa-pkcs-seealso"></a>
+ [The key wrap command in CloudHSM CLI](cloudhsm_cli-key-wrap.md)
+ [The key unwrap command in CloudHSM CLI](cloudhsm_cli-key-unwrap.md)