Reference for CloudHSM CLI commands
CloudHSM CLI helps admins manage users in their AWS CloudHSM cluster. CloudHSM CLI can be run in two modes: Interactive Mode and Single Command Mode. For a quick start, see Getting started with AWS CloudHSM Command Line Interface (CLI).
To run most CloudHSM CLI commands, you must start the CloudHSM CLI and log in to the HSM. If you add or delete HSMs, update the configuration files for CloudHSM CLI. Otherwise, the changes that you make might not be effective for all HSMs in the cluster.
The following topics describe commands in CloudHSM CLI:
Description | User Type |
---|---|
Activates a CloudHSM cluster and provides confirmation that the cluster is new. This must be done before any other operations can be performed. | Unactivated admin |
Lists the HSMs in your cluster. | All [1], including unauthenticated users. Login is not required. |
Generates a signature using an EC private key and the ECDSA signing mechanism. | Crypto user (CU) |
Generates a signature using an RSA private key and the RSA-PKCS signing mechanism. | CU |
Generates a signature using an RSA private key and the RSA-PKCS-PSS signing mechanism. | CU |
Confirms that a file has been signed in the HSM by a given public key. Verifies that the signature was generated using the ECDSA signing mechanism. Compares a signed file against a source file and determines whether the two are cryptographically related based on a given EC public key and signing mechanism. | CU |
Confirms that a file has been signed in the HSM by a given public key. Verifies that the signature was generated using the RSA-PKCS signing mechanism. Compares a signed file against a source file and determines whether the two are cryptographically related based on a given RSA public key and signing mechanism. | CU |
Confirms that a file has been signed in the HSM by a given public key. Verifies that the signature was generated using the RSA-PKCS-PSS signing mechanism. Compares a signed file against a source file and determines whether the two are cryptographically related based on a given RSA public key and signing mechanism. | CU |
Deletes a key from your AWS CloudHSM cluster. | CU |
Generates a key file in your AWS CloudHSM cluster. | CU |
Generates an asymmetric RSA key pair in your AWS CloudHSM cluster. | CU |
Generates an asymmetric elliptic-curve (EC) key pair in your AWS CloudHSM cluster. | CU |
Generates a symmetric AES key in your AWS CloudHSM cluster. | CU |
Generates a symmetric generic secret key in your AWS CloudHSM cluster. | CU |
Imports a PEM-format key into an HSM. You can use it to import public keys that were generated outside of the HSM. | CU |
Finds all keys for the current user present in your AWS CloudHSM cluster. | CU |
Replicates a key from a source cluster to a cloned destination cluster. | CU |
Sets the attributes of keys in your AWS CloudHSM cluster. | CUs can run this command; only admins can set the trusted attribute. |
Shares a key with other CUs in your AWS CloudHSM cluster. | CU |
Unshares a key with other CUs in your AWS CloudHSM cluster. | CU |
Unwraps a payload key into the cluster using the AES wrapping key and the AES-GCM unwrapping mechanism. | CU |
Unwraps a payload key into the cluster using the AES wrapping key and the AES-NO-PAD unwrapping mechanism. | CU |
Unwraps a payload key into the cluster using the AES wrapping key and the AES-PKCS5-PAD unwrapping mechanism. | CU |
Unwraps a payload key into the cluster using the AES wrapping key and the AES-ZERO-PAD unwrapping mechanism. | CU |
Unwraps a payload key into the cluster using the AES wrapping key and the CLOUDHSM-AES-GCM unwrapping mechanism. | CU |
Unwraps a payload key into the cluster using an RSA private key and the RSA-AES unwrapping mechanism. | CU |
Unwraps a payload key into the cluster using an RSA private key and the RSA-OAEP unwrapping mechanism. | CU |
Unwraps a payload key into the cluster using an RSA private key and the RSA-PKCS unwrapping mechanism. | CU |
Wraps a payload key using an AES key on the HSM and the AES-GCM wrapping mechanism. | CU |
Wraps a payload key using an AES key on the HSM and the AES-NO-PAD wrapping mechanism. | CU |
Wraps a payload key using an AES key on the HSM and the AES-PKCS5-PAD wrapping mechanism. | CU |
Wraps a payload key using an AES key on the HSM and the AES-ZERO-PAD wrapping mechanism. | CU |
Wraps a payload key using an AES key on the HSM and the CLOUDHSM-AES-GCM wrapping mechanism. | CU |
Wraps a payload key using an RSA public key on the HSM and the RSA-AES wrapping mechanism. | CU |
Wraps a payload key using an RSA public key on the HSM and the RSA-OAEP wrapping mechanism. | CU |
Wraps a payload key using an RSA public key on the HSM and the RSA-PKCS wrapping mechanism. | CU |
Logs in to your AWS CloudHSM cluster. | Admin, crypto user (CU), and appliance user (AU) |
Logs out of your AWS CloudHSM cluster. | Admin, CU, and appliance user (AU) |
Deletes one or more tokens for a quorum-authorized service. | Admin |
Generates a token for a quorum-authorized service. | Admin |
Lists all token-sign quorum tokens present in your CloudHSM cluster. | All [1], including unauthenticated users. Login is not required. |
Lists the quorum values set in your CloudHSM cluster. | All [1], including unauthenticated users. Login is not required. |
Obtains the token timeout period in seconds for all token types. | Admin and CU |
Sets a new quorum value for a quorum-authorized service. | Admin |
Sets the token timeout period in seconds for each token type. | Admin |
Changes a user's multi-factor authentication (MFA) strategy. | Admin, CU |
Changes the passwords of users on the HSMs. Any user can change their own password; admins can change anyone's password. | Admin, CU |
Creates a user in your AWS CloudHSM cluster. | Admin |
Deletes a user in your AWS CloudHSM cluster. | Admin |
Lists the users in your AWS CloudHSM cluster. | All [1], including unauthenticated users. Login is not required. |
Registers the token-sign quorum strategy for a user. | Admin |
Annotations

[1] "All users" includes all listed roles as well as users who are not logged in.