# AWS CloudHSM Command Line Interface (CLI)
**CloudHSM CLI** helps admins manage users and crypto users manage keys in their cluster in AWS CloudHSM. The CLI includes tools that can be used to create, delete and list users, change user passwords, update user multi-factor authentication (MFA). It also includes commands that generate, delete, import, and export keys, get and set attributes, find keys, and perform cryptographic operations.
For defined list of CloudHSM CLI users, see [HSM user management with CloudHSM CLI](manage-hsm-users-chsm-cli.md). For a defined list of key attributes for CloudHSM CLI, see [Key attributes for CloudHSM CLI](cloudhsm_cli-key-attributes.md). For information on how to use CloudHSM CLI to manage keys, see [Key management with CloudHSM CLI](manage-keys-chsm-cli.md).
For a quick start, see [Getting started with AWS CloudHSM Command Line Interface (CLI)](cloudhsm_cli-getting-started.md). For detailed information about the CloudHSM CLI commands and examples of using the commands, see [Reference for CloudHSM CLI commands](cloudhsm_cli-reference.md).
**Topics**
+ [Supported platforms](cloudhsm-cli-support.md)
+ [Getting started](cloudhsm_cli-getting-started.md)
+ [Command modes](cloudhsm_cli-modes.md)
+ [Key attributes](cloudhsm_cli-key-attributes.md)
+ [Advanced configurations](cloudhsm_cli-configs.md)
+ [Reference](cloudhsm_cli-reference.md)
# AWS CloudHSM Command Line Interface (CLI) supported platforms
This topic describes the Linux and Windows platforms that the AWS CloudHSM CLI supports.
## Linux support
| Supported platforms | X86\$164 Architecture | ARM architecture |
| --- | --- | --- |
| Amazon Linux 2 | Yes | Yes |
| Amazon Linux 2023 | Yes | Yes |
| Red Hat Enterprise Linux 8 (8.3\$1) | Yes | Yes |
| Red Hat Enterprise Linux 9 (9.2\$1) | Yes | Yes |
| Red Hat Enterprise Linux 10 (10.0\$1) | Yes | Yes |
| Ubuntu 22.04 LTS | Yes | Yes |
| Ubuntu 24.04 LTS | Yes | Yes |
+ SDK 5.16 was the last release to provide Ubuntu 20.04 LTS platform support. For more information, see the [Ubuntu website](https://ubuntu.com/blog/ubuntu-20-04-lts-end-of-life-standard-support-is-coming-to-an-end-heres-how-to-prepare).
+ SDK 5.12 was the last release to provide CentOS 7 (7.8\$1) platform support. For more information, see the [CentOS website](https://blog.centos.org/2023/04/end-dates-are-coming-for-centos-stream-8-and-centos-linux-7/).
+ SDK 5.12 was the last release to provide Red Hat Enterprise Linux 7 (7.8\$1) platform support. For more information, see the [Red Hat website](https://www.redhat.com/en/technologies/linux-platforms/enterprise-linux/rhel-7-end-of-maintenance).
+ SDK 5.4.2 was the last release to provide CentOS 8 platform support. For more information, see the [CentOS website](https://www.centos.org/centos-linux-eol/).
## Windows support
+ Microsoft Windows Server 2016
+ Microsoft Windows Server 2019
+ Microsoft Windows Server 2022
+ Microsoft Windows Server 2025
# Getting started with AWS CloudHSM Command Line Interface (CLI)
With the CloudHSM CLI Command Line Interface (CLI), you can manage users in your AWS CloudHSM cluster. Use this topic to get started with basic hardware security module (HSM) user management tasks, such as creating users, listing users, and connecting CloudHSM CLI to the cluster.
**Topics**
+ [Install the CloudHSM CLI](w2aac23c15c13b7.md)
+ [Use the CloudHSM CLI](cloudhsm_cli-getting-started-use.md)
# Install the CloudHSM CLI
Use the following commands to download and install the CloudHSM CLI for AWS CloudHSM.
------
#### [ Amazon Linux 2023 ]
Amazon Linux 2023 on x86\$164 architecture:
```
$ wget https://s3.amazonaws.com/cloudhsmv2-software/CloudHsmClient/Amzn2023/cloudhsm-cli-latest.amzn2023.x86_64.rpm
```
```
$ sudo yum install ./cloudhsm-cli-latest.amzn2023.x86_64.rpm
```
Amazon Linux 2023 on ARM64 architecture:
```
$ wget https://s3.amazonaws.com/cloudhsmv2-software/CloudHsmClient/Amzn2023/cloudhsm-cli-latest.amzn2023.aarch64.rpm
```
```
$ sudo yum install ./cloudhsm-cli-latest.amzn2023.aarch64.rpm
```
------
#### [ Amazon Linux 2 ]
Amazon Linux 2 on x86\$164 architecture:
```
$ wget https://s3.amazonaws.com/cloudhsmv2-software/CloudHsmClient/EL7/cloudhsm-cli-latest.el7.x86_64.rpm
```
```
$ sudo yum install ./cloudhsm-cli-latest.el7.x86_64.rpm
```
Amazon Linux 2 on ARM64 architecture:
```
$ wget https://s3.amazonaws.com/cloudhsmv2-software/CloudHsmClient/EL7/cloudhsm-cli-latest.el7.aarch64.rpm
```
```
$ sudo yum install ./cloudhsm-cli-latest.el7.aarch64.rpm
```
------
#### [ RHEL 10 (10.0\$1) ]
RHEL 10 on x86\$164 architecture:
```
$ wget https://s3.amazonaws.com/cloudhsmv2-software/CloudHsmClient/EL10/cloudhsm-cli-latest.el10.x86_64.rpm
```
```
$ sudo yum install ./cloudhsm-cli-latest.el10.x86_64.rpm
```
RHEL 10 on ARM64 architecture:
```
$ wget https://s3.amazonaws.com/cloudhsmv2-software/CloudHsmClient/EL10/cloudhsm-cli-latest.el10.aarch64.rpm
```
```
$ sudo yum install ./cloudhsm-cli-latest.el10.aarch64.rpm
```
------
#### [ RHEL 9 (9.2\$1) ]
RHEL 9 on x86\$164 architecture:
```
$ wget https://s3.amazonaws.com/cloudhsmv2-software/CloudHsmClient/EL9/cloudhsm-cli-latest.el9.x86_64.rpm
```
```
$ sudo yum install ./cloudhsm-cli-latest.el9.x86_64.rpm
```
RHEL 9 on ARM64 architecture:
```
$ wget https://s3.amazonaws.com/cloudhsmv2-software/CloudHsmClient/EL9/cloudhsm-cli-latest.el9.aarch64.rpm
```
```
$ sudo yum install ./cloudhsm-cli-latest.el9.aarch64.rpm
```
------
#### [ RHEL 8 (8.3\$1) ]
RHEL 8 on x86\$164 architecture:
```
$ wget https://s3.amazonaws.com/cloudhsmv2-software/CloudHsmClient/EL8/cloudhsm-cli-latest.el8.x86_64.rpm
```
```
$ sudo yum install ./cloudhsm-cli-latest.el8.x86_64.rpm
```
RHEL 8 on ARM64 architecture:
```
$ wget https://s3.amazonaws.com/cloudhsmv2-software/CloudHsmClient/EL8/cloudhsm-cli-latest.el8.aarch64.rpm
```
```
$ sudo yum install ./cloudhsm-cli-latest.el8.aarch64.rpm
```
------
#### [ Ubuntu 24.04 LTS ]
Ubuntu 24.04 LTS on x86\$164 architecture:
```
$ wget https://s3.amazonaws.com/cloudhsmv2-software/CloudHsmClient/Noble/cloudhsm-cli_latest_u24.04_amd64.deb
```
```
$ sudo apt install ./cloudhsm-cli_latest_u24.04_amd64.deb
```
Ubuntu 24.04 LTS on ARM64 architecture:
```
$ wget https://s3.amazonaws.com/cloudhsmv2-software/CloudHsmClient/Noble/cloudhsm-cli_latest_u24.04_arm64.deb
```
```
$ sudo apt install ./cloudhsm-cli_latest_u24.04_arm64.deb
```
------
#### [ Ubuntu 22.04 LTS ]
Ubuntu 22.04 LTS on x86\$164 architecture:
```
$ wget https://s3.amazonaws.com/cloudhsmv2-software/CloudHsmClient/Jammy/cloudhsm-cli_latest_u22.04_amd64.deb
```
```
$ sudo apt install ./cloudhsm-cli_latest_u22.04_amd64.deb
```
Ubuntu 22.04 LTS on ARM64 architecture:
```
$ wget https://s3.amazonaws.com/cloudhsmv2-software/CloudHsmClient/Jammy/cloudhsm-cli_latest_u22.04_arm64.deb
```
```
$ sudo apt install ./cloudhsm-cli_latest_u22.04_arm64.deb
```
------
#### [ Windows Server 2022 ]
For Windows Server 2022 on x86\$164 architecture, open PowerShell as an administrator and run the following command:
```
PS C:\> wget https://s3.amazonaws.com/cloudhsmv2-software/CloudHsmClient/Windows/AWSCloudHSMCLI-latest.msi -Outfile C:\AWSCloudHSMCLI-latest.msi
```
```
PS C:\> Start-Process msiexec.exe -ArgumentList '/i C:\AWSCloudHSMCLI-latest.msi /quiet /norestart /log C:\client-install.txt' -Wait
```
------
#### [ Windows Server 2019 ]
For Windows Server 2019 on x86\$164 architecture, open PowerShell as an administrator and run the following command:
```
PS C:\> wget https://s3.amazonaws.com/cloudhsmv2-software/CloudHsmClient/Windows/AWSCloudHSMCLI-latest.msi -Outfile C:\AWSCloudHSMCLI-latest.msi
```
```
PS C:\> Start-Process msiexec.exe -ArgumentList '/i C:\AWSCloudHSMCLI-latest.msi /quiet /norestart /log C:\client-install.txt' -Wait
```
------
#### [ Windows Server 2016 ]
For Windows Server 2016 on x86\$164 architecture, open PowerShell as an administrator and run the following command:
```
PS C:\> wget https://s3.amazonaws.com/cloudhsmv2-software/CloudHsmClient/Windows/AWSCloudHSMCLI-latest.msi -Outfile C:\AWSCloudHSMCLI-latest.msi
```
```
PS C:\> Start-Process msiexec.exe -ArgumentList '/i C:\AWSCloudHSMCLI-latest.msi /quiet /norestart /log C:\client-install.txt' -Wait
```
------
Use the following commands to configure CloudHSM CLI.
**To bootstrap a Linux EC2 instance for Client SDK 5**
+ Use the configure tool to specify the IP address of the HSM(s) in your cluster.
```
$ sudo /opt/cloudhsm/bin/configure-cli -a
```
**To bootstrap a Windows EC2 instance for Client SDK 5**
+ Use the configure tool to specify the IP address of the HSM(s) in your cluster.
```
PS C:\> & "C:\Program Files\Amazon\CloudHSM\bin\configure-cli.exe" -a
```
# Use the CloudHSM CLI
Use the following commands to start and use the CloudHSM CLI.
1. Use the following command to start CloudHSM CLI.
------
#### [ Linux ]
```
$ /opt/cloudhsm/bin/cloudhsm-cli interactive
```
------
#### [ Windows ]
```
PS C:\> & "C:\Program Files\Amazon\CloudHSM\bin\cloudhsm-cli.exe" interactive
```
------
1. Use the **login** command to log in to the cluster. All users can use this command.
The command in the following example logs in *admin*, which is the default [admin](understanding-users.md) account. You set this user's password when you [activated the cluster](activate-cluster.md).
```
aws-cloudhsm > login --username admin --role admin
```
The system prompts you for your password. You enter the password, and the output shows that the command was successful.
```
Enter password:
{
"error_code": 0,
"data": {
"username": "admin",
"role": "admin"
}
}
```
1. Run the **user list** command to list all the users on the cluster.
```
aws-cloudhsm > user list
{
"error_code": 0,
"data": {
"users": [
{
"username": "admin",
"role": "admin",
"locked": "false",
"mfa": [],
"cluster-coverage": "full"
},
{
"username": "app_user",
"role": "internal(APPLIANCE_USER)",
"locked": "false",
"mfa": [],
"cluster-coverage": "full"
}
]
}
}
```
1. Use **user create** to create a CU user named **example\$1user**.
You can create CUs because in a previous step you logged in as an admin user. Only admin users can perform user management tasks, such as creating and deleting users and changing the passwords of other users.
```
aws-cloudhsm > user create --username example_user --role crypto-user
Enter password:
Confirm password:
{
"error_code": 0,
"data": {
"username": "example_user",
"role": "crypto-user"
}
}
```
1. Use **user list** to list all the users on the cluster.
```
aws-cloudhsm > user list
{
"error_code": 0,
"data": {
"users": [
{
"username": "admin",
"role": "admin",
"locked": "false",
"mfa": [],
"cluster-coverage": "full"
},
{
"username": "example_user",
"role": "crypto_user",
"locked": "false",
"mfa": [],
"cluster-coverage": "full"
},
{
"username": "app_user",
"role": "internal(APPLIANCE_USER)",
"locked": "false",
"mfa": [],
"cluster-coverage": "full"
}
]
}
}
```
1. Use the **logout** command to log out of AWS CloudHSM cluster.
```
aws-cloudhsm > logout
{
"error_code": 0,
"data": "Logout successful"
}
```
1. Use the **quit** command to stop the CLI.
```
aws-cloudhsm > quit
```
# Command modes in CloudHSM CLI
In CloudHSM CLI, you can run commands two different ways: in single command mode and interactive mode. Interactive mode is designed for users, and single command mode is designed for scripts.
**Note**
All commands work in interactive mode and single command mode.
## Interactive mode
Use the following commands to start CloudHSM CLI interactive mode
------
#### [ Linux ]
```
$ /opt/cloudhsm/bin/cloudhsm-cli interactive
```
------
#### [ Windows ]
```
PS C:\> & "C:\Program Files\Amazon\CloudHSM\bin\cloudhsm-cli.exe" interactive
```
------
When using the CLI in Interactive Mode, you can log in to a user account using the **login** command.
```
aws-cloudhsm > login --username --role ROLE>
```
To list all CloudHSM CLI commands, run the following command:
```
aws-cloudhsm > help
```
To get the syntax for a CloudHSM CLI command, run the following command:
```
aws-cloudhsm > help
```
To get a list of users on the HSMs, enter **user list**.
```
aws-cloudhsm > user list
```
To end your CloudHSM CLI session, run the following command:
```
aws-cloudhsm > quit
```
## Single Command mode
**Note**
When using single command mode, you must escape any special characters in environment variables and command-line arguments that may be interpreted by your shell.
If you run CloudHSM CLI using Single Command Mode, you need to set two environment variables to provide credentials: CLOUDHSM\$1PIN and CLOUDHSM\$1ROLE:
```
$ export CLOUDHSM_ROLE=admin
```
```
$ export CLOUDHSM_PIN=admin_username:admin_password
```
After doing this, you can execute commands using the credentials stored in your environment.
```
$ cloudhsm-cli user change-password --username alice --role crypto-user
Enter password:
Confirm password:
{
"error_code": 0,
"data": {
"username": "alice",
"role": "crypto-user"
}
}
```
# Key attributes for CloudHSM CLI
This topic describes how to use CloudHSM CLI to set key attributes. A key attribute in CloudHSM CLI can define a key’s type, how a key can function, or how a key is labeled. Some attributes define unique characteristics (a key’s type, for example). Other attributes can be set to true or false—changing them either activates or deactivates a part of the key’s functionality.
For examples showing how to use key attributes, see the commands listed under the parent command [The key category in CloudHSM CLI](cloudhsm_cli-key.md).
The following topics provide additional detail about key attributes in CloudHSM CLI.
**Topics**
+ [Supported attributes](cloudhsm_cli-key-attributes-table.md)
+ [Check value](chsm-cli-key-attribute-details.md)
+ [Related topics](chsm_cli-key-attributes-seealso.md)
# Supported attributes for CloudHSM CLI
As a best practice, only set values for attributes you wish to make restrictive. If you don’t specify a value, CloudHSM CLI uses the default value specified in the table below.
The following table lists the key attributes, possible values, defaults, and related notes for CloudHSM CLI. An empty cell in the **Value** column indicates that there is no specific default value assigned to the attribute.
****
| CloudHSM CLI attribute | Value | Modifiable with [key set-attribute](cloudhsm_cli-key-set-attribute.md) | Settable at key creation |
| --- | --- | --- | --- |
| always-sensitive | The value is `True` if `sensitive` has always been set to `True` and has never changed. | No | No |
| check-value | The check value of the key. For more information, see [Additional Details](chsm-cli-key-attribute-details.md). | No | No |
| class | Possible values: `secret-key`, `public-key`, and `private-key`. | No | Yes |
| curve | Elliptic curve used to generate the EC key pair. Valid Values: `secp224r1`, `secp256r1`, `prime256v1`, `secp384r1`, `secp256k1`, `secp521r1`, and `ed25519` `ed25519` is only supported on hsm2m.medium instances in non-FIPS mode. | No | Settable with EC, not settable with RSA |
| decrypt | Default: `False` | Yes | Yes |
| derive | Default: `False` | Derive can be set on hsm2m.medium instances. It cannot be set for RSA keys on hsm1.medium instances. | Yes |
| destroyable | Default: `True` | Yes | Yes |
| ec-point | For EC keys, DER-encoding of ANSI X9.62 ECPoint value "Q" in a hexadecimal format. For other key types, this attribute does not exist. | No | No |
| encrypt | Default: `False` | Yes | Yes |
| extractable | Default: `True` | No | Yes |
| id | Default: Empty | id can be set on hsm2m.medium instances. It cannot be set on hsm1.medium instances. | Yes |
| key-length-bytes | Required for generating an AES key.Valid values: `16`, `24`, and `32` bytes. | No | No |
| key-type | Possible values: `aes`, `rsa`, and `ec` | No | Yes |
| label | Default: Empty | Yes | Yes |
| local | Default: `True` for keys generated in the HSM, `False` for keys imported into the HSM. | No | No |
| modifiable | Default: `True` | Can be changed from true to false, but not from false to true. | Yes |
| modulus | The modulus that was used to generate an RSA key pair. For other key types, this attribute does not exist. | No | No |
| modulus-size-bits | Required for generating an RSA key pair.Minimum value is `2048`. | No | Settable with RSA, not settable with EC |
| never-extractable | The value is `True` if extractable has never been set to `False`. The value is `False` if extractable has ever been set to `True`. | No | No |
| private | Default: `True` | No | Yes |
| public-exponent | Required for generating an RSA key pair.Valid values: The value must be an odd number greater than or equal to `65537`. | No | Settable with RSA, not settable with EC |
| sensitive | [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/cloudhsm/latest/userguide/cloudhsm_cli-key-attributes-table.html) | No | Settable with private keys, not settable with public keys. |
| sign | [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/cloudhsm/latest/userguide/cloudhsm_cli-key-attributes-table.html) | Yes | Yes |
| token | Default: `True` | Can be changed from false to true, but not from true to false. | Yes |
| trusted | Default: `False` | Only admin users can set this parameter. | No |
| unwrap | Default: False | Yes | Yes, except for public keys. |
| unwrap-template | Values should use the attribute template applied to any key unwrapped using this wrapping key. | Yes | No |
| verify | [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/cloudhsm/latest/userguide/cloudhsm_cli-key-attributes-table.html) | Yes | Yes |
| wrap | Default: False | Yes | Yes, except for private keys. |
| wrap-template | Values should use the attribute template to match the key wrapped using this wrapping key. | Yes | No |
| wrap-with-trusted | Default: `False` | Yes | Yes |
# Check value in CloudHSM CLI
The *check value* in CloudHSM CLI is a 3-byte hash or checksum of a key that is generated when the HSM imports or generates a key. You can also calculate a check value outside of the HSM, such as after you export a key. You can then compare the check value values to confirm the identity and integrity of the key. To get the check value of a key, use [key list](cloudhsm_cli-key-list.md) with the verbose flag.
AWS CloudHSM uses the following standard methods to generate a check value:
+ **Symmetric keys**: First 3 bytes of the result of encrypting a zero-block with the key.
+ **Asymmetric key pairs**: First 3 bytes of the SHA-1 hash of the public key.
+ **HMAC keys**: KCV for HMAC keys is not supported at this time.
# Related topics for CloudHSM CLI
See the following topics for more information about CloudHSM CLI.
+ [The key category in CloudHSM CLI](cloudhsm_cli-key.md)
+ [Reference for CloudHSM CLI commands](cloudhsm_cli-reference.md)
# Advanced configurations for CloudHSM CLI
The AWS CloudHSM Command Line Interface (CLI) includes the following advanced configuration, which is not part of the general configurations most customers utilize. These configurations provide additional capabilities.
+ [Connecting to multiple clusters](cloudhsm_cli-configs-multi-cluster.md)
# Connecting to multiple clusters with CloudHSM CLI
With AWS CloudHSM Client SDK 5, you can configure CloudHSM CLI to allow connections to multiple CloudHSM clusters from a single CLI instance.
The following topics describe how to use the CloudHSM CLI multi-cluster functionality to connect with multiple clusters.
**Topics**
+ [Prerequisites](cloudhsm_cli-multi-cluster-prereqs.md)
+ [Configure multi-cluster functionality](cloudhsm_cli-multi-cluster-config-run.md)
+ [Add a cluster](cloudhsm_cli-multi-cluster-add-cluster.md)
+ [Remove a cluster](cloudhsm_cli-multi-cluster-remove-cluster.md)
+ [Interact with clusters](cloudhsm_cli-multi-cluster-usage.md)
# Multi-cluster prerequisites for AWS CloudHSM
Before configuring your cluster in AWS CloudHSM to connect to multiple clusters, you must meet the following prerequisites:
+ Two or more AWS CloudHSM clusters to which you’d like to connect to, along with their cluster certificates.
+ An EC2 instance with Security Groups correctly configured to connect to all of the clusters above. For more information about how to set up a cluster and the client instance, refer to [Getting started with AWS CloudHSM](getting-started.md).
+ To set up multi-cluster functionality, you must have already downloaded and installed the CloudHSM CLI. If you have not already done this, refer to the instructions in [Getting started with AWS CloudHSM Command Line Interface (CLI)](cloudhsm_cli-getting-started.md).
+ You will not be able to access a cluster configured with `./configure-cli[.exe] -a` since it will not be associated with a `cluster-id`. You can reconfigure it by following `config-cli add-cluster` as described in this guide.
# Configure the CloudHSM CLI for multi-cluster functionality
To configure your CloudHSM CLI for multi-cluster functionality, follow these steps:
1. Identify the clusters you want to connect to.
1. Add these clusters to your CloudHSM CLI configuration using the [configure-cli](configure-sdk-5.md) subcommand `add-cluster` as described below.
1. Restart any CloudHSM CLI processes in order for the new configuration to take effect.
# Add a cluster to your AWS CloudHSM configuration
When connecting to multiple clusters, use the `configure-cli add-cluster` command to add a cluster to your configuration.
## Syntax
```
configure-cli add-cluster [OPTIONS]
--cluster-id
[--region ]
[--endpoint ]
[--hsm-ca-cert ]
[--client-cert-hsm-tls-file ]
[--client-key-hsm-tls-file ]
[-h, --help]
```
## Examples
### Add a cluster using the `cluster-id` parameter
**Example**
Use the `configure-cli add-cluster` along with the `cluster-id` parameter to add a cluster (with the ID of `cluster-1234567`) to your configuration.
```
$ sudo /opt/cloudhsm/bin/configure-cli add-cluster --cluster-id
```
```
PS C:\> & "C:\Program Files\Amazon\CloudHSM\bin\configure-cli.exe" add-cluster --cluster-id
```
**Tip**
If using `configure-cli add-cluster` with the `cluster-id` parameter doesn't result in the cluster being added, refer to the following example for a longer version of this command that also requires `--region` and `--endpoint` parameters to identify the cluster being added. If, for example, the region of the cluster is different than the one configured as your AWS CLI default, you should use the `--region` parameter to use the correct region. Additionally, you have the ability to specify the AWS CloudHSM API endpoint to use for the call, which may be necessary for various network setups, such as using VPC interface endpoints that don’t use the default DNS hostname for AWS CloudHSM.
### Add a cluster using `cluster-id`, `endpoint`, and `region` parameters
**Example**
Use the `configure-cli add-cluster` along with the `cluster-id`, `endpoint`, and `region` parameters to add a cluster (with the ID of `cluster-1234567`) to your configuration.
```
$ sudo /opt/cloudhsm/bin/configure-cli add-cluster --cluster-id --region --endpoint
```
```
PS C:\> & "C:\Program Files\Amazon\CloudHSM\bin\configure-cli.exe" add-cluster --cluster-id --region --endpoint
```
For more information about the `--cluster-id`, `--region`, and `--endpoint` parameters, see [AWS CloudHSM Client SDK 5 configuration parameters](configure-tool-params5.md).
## Parameters
**--cluster-id ****
Makes a `DescribeClusters` call to find all of the HSM elastic network interface (ENI) IP addresses in the cluster associated with the cluster ID. The system adds the ENI IP addresses to the AWS CloudHSM configuration files.
If you use the `--cluster-id` parameter from an EC2 instance within a VPC that does not have access to the public internet, then you must create an interface VPC endpoint to connect with AWS CloudHSM. For more information about VPC endpoints, see [AWS CloudHSM and VPC endpoints](cloudhsm-vpc-endpoint.md).
Required: Yes
**--endpoint ****
Specify the AWS CloudHSM API endpoint used for making the `DescribeClusters` call. You must set this option in combination with `--cluster-id`.
Required: No
**--hsm-ca-cert ****
Specifies the filepath to the HSM CA certificate.
Required: No
**--region ****
Specify the region of your cluster. You must set this option in combination with `--cluster-id`.
If you don’t supply the `--region` parameter, the system chooses the region by attempting to read the `AWS_DEFAULT_REGION` or `AWS_REGION` environment variables. If those variables aren’t set, then the system checks the region associated with your profile in your AWS config file (typically `~/.aws/config`) unless you specified a different file in the `AWS_CONFIG_FILE` environment variable. If none of the above are set, the system defaults to the `us-east-1` region.
Required: No
**--client-cert-hsm-tls-file ****
Path to the client certificate used for TLS client-HSM mutual authentication.
Only use this option if you have registered at least one trust anchor onto HSM with CloudHSM CLI. You must set this option in combination with `--client-key-hsm-tls-file`.
Required: No
**--client-key-hsm-tls-file ****
Path to the client key used for TLS client-HSM mutual authentication.
Only use this option if you have registered at least one trust anchor onto HSM with CloudHSM CLI. You must set this option in combination with `--client-cert-hsm-tls-file`.
Required: No
# Remove a cluster from your AWS CloudHSM configuration
When connecting to multiple clusters with CloudHSM CLI, use the `configure-cli remove-cluster` command to remove a cluster from your configuration.
## Syntax
```
configure-cli remove-cluster [OPTIONS]
--cluster-id
[-h, --help]
```
## Examples
### Remove a cluster using the `cluster-id` parameter
**Example**
Use the `configure-cli remove-cluster` along with the `cluster-id` parameter to remove a cluster (with the ID of `cluster-1234567`) from your configuration.
```
$ sudo /opt/cloudhsm/bin/configure-cli remove-cluster --cluster-id
```
```
PS C:\> & "C:\Program Files\Amazon\CloudHSM\bin\configure-cli.exe" remove-cluster --cluster-id
```
For more information about the `--cluster-id` parameter, see [AWS CloudHSM Client SDK 5 configuration parameters](configure-tool-params5.md).
## Parameter
**--cluster-id ****
The ID of the cluster to remove from the configuration.
Required: Yes
# Interact with multiple clusters in AWS CloudHSM
After configuring multiple clusters with CloudHSM CLI, use the `cloudhsm-cli` command to interact with them.
## Examples
### Setting a default `cluster-id` when using interactive mode
**Example**
Use the [Interactive mode](cloudhsm_cli-modes.md#cloudhsm_cli-mode-interactive) along with the `cluster-id` parameter to set a default cluster (with the ID of `cluster-1234567`) from your configuration.
```
$ cloudhsm-cli interactive --cluster-id
```
```
PS C:\> & "C:\Program Files\Amazon\CloudHSM\bin\cloudhsm-cli.exe" interactive --cluster-id
```
### Setting the `cluster-id` when running a single command
**Example**
Use the `cluster-id` parameter to set the cluster (with the ID of `cluster-1234567`) to get [List HSMs with CloudHSM CLI](cloudhsm_cli-cluster-hsm-info.md) from.
```
$ cloudhsm-cli cluster hsm-info --cluster-id
```
```
PS C:\> & "C:\Program Files\Amazon\CloudHSM\bin\cloudhsm-cli.exe" cluster hsm-info --cluster-id
```
# Reference for CloudHSM CLI commands
CloudHSM CLI helps admins manage users in their AWS CloudHSM cluster. CloudHSM CLI can be run in two modes: Interactive Mode and Single Command Mode. For a quick start, see [Getting started with AWS CloudHSM Command Line Interface (CLI)](cloudhsm_cli-getting-started.md).
To run most CloudHSM CLI commands, you must start the CloudHSM CLI and log in to the HSM. If you add or delete HSMs, update the configuration files for CloudHSM CLI. Otherwise, the changes that you make might not be effective for all HSMs in the cluster.
The following topics describe commands in CloudHSM CLI:
| Command | Description | User Type |
| --- | --- | --- |
| [activate](cloudhsm_cli-cluster-activate.md) | Activates an CloudHSM cluster and provides confirmation the cluster is new. This must be done before any other operations can be performed. | Unactivated admin |
| [hsm-info](cloudhsm_cli-cluster-hsm-info.md) | List the HSMs in your cluster. | All [1](#cli-ref-1), including unauthenticated users. Login is not required. |
| [ecdsa](cloudhsm_cli-crypto-sign-ecdsa.md) | Generates a signature using an EC private key and the ECDSA signing mechanism. | Crypto users (CU) |
| [ed25519ph](cloudhsm_cli-crypto-sign-ed25519ph.md) | Generates a signature using an Ed25519 private key and the HashEdDSA signing mechanism. | CU |
| [rsa-pkcs](cloudhsm_cli-crypto-sign-rsa-pkcs.md) | Generates a signature using an RSA private key and the RSA-PKCS signing mechanism. | CU |
| [rsa-pkcs-pss](cloudhsm_cli-crypto-sign-rsa-pkcs-pss.md) | Generates a signature using an RSA private key and the RSA-PKCS-PSS signing mechanism. | CU |
| [ecdsa](cloudhsm_cli-crypto-verify-ecdsa.md) | Confirms a file has been signed in the HSM by a given public key. Verifies the signature was generated using the ECDSA signing mechanism. Compares a signed file against a source file and determine whether the two are cryptographically related based on a given ecdsa public key and signing mechanism. | CU |
| [ed25519ph](cloudhsm_cli-crypto-verify-ed25519ph.md) | Verifies HashEdDSA signatures using an Ed25519 public key. | CU |
| [rsa-pkcs](cloudhsm_cli-crypto-verify-rsa-pkcs.md) | Confirms a file has been signed in the HSM by a given public key. Verifies the signature was generated using the RSA-PKCS signing mechanism. Compares a signed file against a source file and determines whether the two are cryptographically related based on a given rsa public key and signing mechanism. | CU |
| [rsa-pkcs-pss](cloudhsm_cli-crypto-verify-rsa-pkcs-pss.md) | Confirms a file has been signed in the HSM by a given public key. Verifies the signature was generated using the RSA-PKCS-PSS signing mechanism. Compares a signed file against a source file and determines whether the two are cryptographically related based on a given rsa public key and signing mechanism. | CU |
| [key delete](cloudhsm_cli-key-delete.md) | Deletes a key from your AWS CloudHSM cluster. | CU |
| [key generate-file](cloudhsm_cli-key-generate-file.md) | Generates a key file in your AWS CloudHSM cluster. | CU |
| [key generate-asymmetric-pair rsa](cloudhsm_cli-key-generate-asymmetric-pair-rsa.md) | Generates an asymmetric RSA key pair in your AWS CloudHSM cluster. | CU |
| [key generate-asymmetric-pair ec](cloudhsm_cli-key-generate-asymmetric-pair-ec.md) | Generates an asymmetric Elliptic-curve (EC) key pair in your AWS CloudHSM cluster. | CU |
| [key generate-symmetric aes](cloudhsm_cli-key-generate-symmetric-aes.md) | Generates a symmetric AES key in your AWS CloudHSM cluster. | CU |
| [key generate-symmetric generic-secret](cloudhsm_cli-key-generate-symmetric-generic-secret.md) | Generates a symmetric Generic Secret key in your AWS CloudHSM cluster. | CU |
| [key import pem](cloudhsm_cli-key-import-pem.md) | Imports a PEM format key into an HSM. You can use it to import public keys that were generated outside of the HSM. | CU |
| [key list](cloudhsm_cli-key-list.md) | Finds all keys for the current user present in your AWS CloudHSM cluster. | CU |
| [key replicate](cloudhsm_cli-key-replicate.md) | Replicate a key from a source cluster to a cloned destination cluster. | CU |
| [key set-attribute](cloudhsm_cli-key-set-attribute.md) | Sets the attributes of keys in your AWS CloudHSM cluster. | CUs can run this command, admins can set the trusted attribute. |
| [key share](cloudhsm_cli-key-share.md) | Shares a key with other CUs in your AWS CloudHSM cluster. | CU |
| [key unshare](cloudhsm_cli-key-unshare.md) | Unshares a key with other CUs in your AWS CloudHSM cluster. | CU |
| [aes-gcm](cloudhsm_cli-key-unwrap-aes-gcm.md) | Unwraps a payload key into the cluster using the AES wrapping key and the AES-GCM unwrapping mechanism. | CU |
| [aes-no-pad](cloudhsm_cli-key-unwrap-aes-no-pad.md) | Unwraps a payload key into the cluster using the AES wrapping key and the AES-NO-PAD unwrapping mechanism. | CU |
| [aes-pkcs5-pad](cloudhsm_cli-key-unwrap-aes-pkcs5-pad.md) | Unwraps a payload key using the AES wrapping key and the AES-PKCS5-PAD unwrapping mechanism. | CU |
| [aes-zero-pad](cloudhsm_cli-key-unwrap-aes-zero-pad.md) | Unwraps a payload key into the cluster using the AES wrapping key and the AES-ZERO-PAD unwrapping mechanism. | CU |
| [cloudhsm-aes-gcm](cloudhsm_cli-key-unwrap-cloudhsm-aes-gcm.md) | Unwraps a payload key into the cluster using the AES wrapping key and the CLOUDHSM-AES-GCM unwrapping mechanism. | CU |
| [rsa-aes](cloudhsm_cli-key-unwrap-rsa-aes.md) | Unwraps a payload key using an RSA private key and the RSA-AES unwrapping mechanism. | CU |
| [rsa-oaep](cloudhsm_cli-key-unwrap-rsa-oaep.md) | Unwraps a payload key using the RSA private key and the RSA-OAEP unwrapping mechanism. | CU |
| [rsa-pkcs](cloudhsm_cli-key-unwrap-rsa-pkcs.md) | Unwraps a payload key using the RSA private key and the RSA-PKCS unwrapping mechanism. | CU |
| [aes-gcm](cloudhsm_cli-key-wrap-aes-gcm.md) | Wraps a payload key using an AES key on the HSM and the AES-GCM wrapping mechanism. | CU |
| [aes-no-pad](cloudhsm_cli-key-wrap-aes-no-pad.md) | Wraps a payload key using an AES key on the HSM and the AES-NO-PAD wrapping mechanism. | CU |
| [aes-pkcs5-pad](cloudhsm_cli-key-wrap-aes-pkcs5-pad.md) | Wraps a payload key using an AES key on the HSM and the AES-PKCS5-PAD wrapping mechanism. | CU |
| [aes-zero-pad](cloudhsm_cli-key-wrap-aes-zero-pad.md) | Wraps a payload key using an AES key on the HSM and the AES-ZERO-PAD wrapping mechanism. | CU |
| [cloudhsm-aes-gcm](cloudhsm_cli-key-wrap-cloudhsm-aes-gcm.md) | Wraps a payload key using an AES key on the HSM and the CLOUDHSM-AES-GCM wrapping mechanism. | CUs |
| [rsa-aes](cloudhsm_cli-key-wrap-rsa-aes.md) | Wraps a payload key using an RSA public key on the HSM and the RSA-AES wrapping mechanism. | CU |
| [rsa-oaep](cloudhsm_cli-key-wrap-rsa-oaep.md) | Wraps a payload key using an RSA public key on the HSM and the RSA-OAEP wrapping mechanism. | CU |
| [ Wrap a key with RSA-PKCS using CloudHSM CLIrsa-pkcs The **key wrap rsa-pkcs** command wraps a payload key using an RSA public key on the HSM and the `RSA-PKCS` wrapping mechanism. Use the **key wrap rsa-pkcs** command in CloudHSM CLI to wrap a payload key using an RSA public key on the hardware security module (HSM) and the `RSA-PKCS` wrapping mechanism. The payload key’s `extractable` attribute must be set to `true`. Only the owner of a key, that is the crypto user (CU) who created the key, can wrap the key. Users who share the key can use the key in cryptographic operations. To use the **key wrap rsa-pkcs** command, you must first have an RSA key in your AWS CloudHSM cluster. You can generate an RSA key pair using the [The generate-asymmetric-pair category in CloudHSM CLI](cloudhsm_cli-key-generate-asymmetric-pair.md) command and the `wrap` attribute set to `true`. User type The following types of users can run this command. Crypto users (CUs) Requirements To run this command, you must be logged in as a CU. Syntax
```
aws-cloudhsm > help key wrap rsa-pkcs
Usage: key wrap rsa-pkcs [OPTIONS] --payload-filter [...] --wrapping-filter [...]
Options:
--cluster-id
Unique Id to choose which of the clusters in the config file to run the operation against. If not provided, will fall back to the value provided when interactive mode was started, or error
--payload-filter [...]
Key reference (e.g. key-reference=0xabc) or space separated list of key attributes in the form of attr.KEY_ATTRIBUTE_NAME=KEY_ATTRIBUTE_VALUE to select a payload key
--wrapping-filter [...]
Key reference (e.g. key-reference=0xabc) or space separated list of key attributes in the form of attr.KEY_ATTRIBUTE_NAME=KEY_ATTRIBUTE_VALUE to select a wrapping key
--path
Path to the binary file where the wrapped key data will be saved
--wrapping-approval
File path of signed quorum token file to approve operation for wrapping key
--payload-approval
File path of signed quorum token file to approve operation for payload key
-h, --help
Print help
``` Example This example shows how to use the **key wrap rsa-pkcs** command using an RSA public key.
**Example**
```
aws-cloudhsm > key wrap rsa-pkcs --payload-filter attr.label=payload-key --wrapping-filter attr.label=rsa-public-key-example
{
"error_code": 0,
"data": {
"payload_key_reference": "0x00000000001c08f1",
"wrapping_key_reference": "0x00000000007008da",
"wrapped_key_data": "am0Nc7+YE8FWs+5HvU7sIBcXVb24QA0l65nbNAD+1bK+e18BpSfnaI3P+r8Dp+pLu1ofoUy/vtzRjZoCiDofcz4EqCFnGl4GdcJ1/3W/5WRvMatCa2d7cx02swaeZcjKsermPXYRO1lGlfq6NskwMeeTkV8R7Rx9artFrs1y0DdIgIKVaiFHwnBIUMnlQrR2zRmMkfwU1jxMYmOYyD031F5VbnjSrhfMwkww2la7uf/c3XdFJ2+0Bo94c6og/yfPcpOOobJlITCoXhtMRepSdO4OggYq/6nUDuHCtJ86pPGnNahyr7+sAaSI3a5ECQLUjwaIARUCyoRh7EFK3qPXcg=="
}
``` Arguments
******
The ID of the cluster to run this operation on.
Required: If multiple clusters have been [configured.](cloudhsm_cli-configs-multi-cluster.md)
******
Key reference (for example, `key-reference=0xabc`) or space separated list of key attributes in the form of `attr.KEY_ATTRIBUTE_NAME=KEY_ATTRIBUTE_VALUE` to select a payload key.
Required: Yes
******
Path to the binary file where the wrapped key data will be saved.
Required: No
******
Key reference (for example, `key-reference=0xabc`) or space separated list of key attributes in the form of `attr.KEY_ATTRIBUTE_NAME=KEY_ATTRIBUTE_VALUE` to select a wrapping key.
Required: Yes
******
Specifies the file path to a signed quorum token file to approve operation for wrapping key. Only required if wrapping key's key management service quorum value is greater than 1.
******
Specifies the file path to a signed quorum token file to approve operation for payload key. Only required if payload key's key management service quorum value is greater than 1. Related topics [The key wrap command in CloudHSM CLI](cloudhsm_cli-key-wrap.md) [The key unwrap command in CloudHSM CLI](cloudhsm_cli-key-unwrap.md) ](cloudhsm_cli-key-wrap-rsa-pkcs.md) | Wraps a payload key using an RSA public key on the HSM and the RSA-PKCS wrapping mechanism. | CU |
| [login](cloudhsm_cli-login.md) | Log in to your AWS CloudHSM cluster. | Admin, crypto user (CU), and appliance user (AU) |
| [logout](cloudhsm_cli-logout.md) | Log out of your AWS CloudHSM cluster. | Admin, CU, and appliance user (AU) |
| [quorum token-sign delete](cloudhsm_cli-qm-token-del.md) | Deletes one or more tokens for a quorum authorized service. | Admin |
| [quorum token-sign generate](cloudhsm_cli-qm-token-gen.md) | Generates a token for a quorum authorized service. | Admin |
| [quorum token-sign list](cloudhsm_cli-qm-token-list.md) | Lists all token-sign quorum tokens present in your CloudHSM cluster. | All [1](#cli-ref-1), including unauthenticated users. Login is not required. |
| [quorum token-sign list-quorum-values](cloudhsm_cli-qm-token-list-qm.md) | Lists the quorum values set in your CloudHSM cluster. | All [1](#cli-ref-1), including unauthenticated users. Login is not required. |
| [quorum token-sign set-quorum-value](cloudhsm_cli-qm-token-set-qm.md) | Sets a new quorum value for a quorum authorized service. | Admin |
| [user change-mfa](cloudhsm_cli-user-change-mfa.md) | Changes a user's multi-factor authentication (MFA) strategy. | Admin, CU |
| [user change-password](cloudhsm_cli-user-change-password.md) | Changes the passwords of users on the HSMs. Any user can change their own password. Admins can change anyone's password. | Admin, CU |
| [user create](cloudhsm_cli-user-create.md) | Creates a user in your AWS CloudHSM cluster. | Admin |
| [user delete](cloudhsm_cli-user-delete.md) | Deletes a user in your AWS CloudHSM cluster. | Admin |
| [user list](cloudhsm_cli-user-list.md) | Lists the users in your AWS CloudHSM cluster. | All [1](#cli-ref-1), including unauthenticated users. Login is not required. |
| [user change-quorum token-sign register](cloudhsm_cli-user-chqm-token-reg.md) | Registers the quorum token-sign quorum strategy for a user. | Admin |
**Annotations**
+ [1] All users includes all listed roles and users not logged in.
# The cluster category in CloudHSM CLI
In the CloudHSM CLI, **cluster** is a parent category for a group of commands that, when combined with the parent category, create a command specific to clusters. Currently, the cluster category consists of the following commands:
**Topics**
+ [activate](cloudhsm_cli-cluster-activate.md)
+ [hsm-info](cloudhsm_cli-cluster-hsm-info.md)
+ [mtls](cloudhsm_cli-cluster-mtls.md)
# Activate a cluster with CloudHSM CLI
Use the **cluster activate** command in CloudHSM CLI to [activate a new cluster](activate-cluster.md) in AWS CloudHSM. This command must be run before the cluster can be used to perform cryptographic operations.
## User type
The following types of users can run this command.
+ Unactivated admin
## Syntax
This command has no parameters.
```
aws-cloudhsm > help cluster activate
Activate a cluster
This command will set the initial Admin password. This process will cause your CloudHSM cluster to
move into the ACTIVE state.
USAGE:
cloudhsm-cli cluster activate [OPTIONS] [--password ]
Options:
--cluster-id
Unique Id to choose which of the clusters in the config file to run the operation against. If not provided, will fall back to the value provided when interactive mode was started, or error
--password
Optional: Plaintext activation password If you do not include this argument you will be prompted for it
-h, --help
Print help (see a summary with '-h')
```
## Example
This command activates your cluster by setting the initial password for you admin user.
```
aws-cloudhsm > cluster activate
Enter password:
Confirm password:
{
"error_code": 0,
"data": "Cluster activation successful"
}
```
## Related topics
+ [user create](cloudhsm_cli-user-create.md)
+ [user delete](cloudhsm_cli-user-delete.md)
+ [user change-password](cloudhsm_cli-user-change-password.md)
# List HSMs with CloudHSM CLI
Use the **cluster hsm-info** command in CloudHSM CLI to list the hardware security modules (HSMs) in your AWS CloudHSM cluster. You do not need to be logged in to CloudHSM CLI to run this command.
**Note**
If you add or delete HSMs, update the configuration files that the AWS CloudHSM client and the command line tools use. Otherwise, the changes that you make might not be effective on all HSMs in the cluster.
## User type
The following types of users can run this command.
+ All users. You do not need to be logged in to run this command.
## Syntax
```
aws-cloudhsm > help cluster hsm-info
List info about each HSM in the cluster
Usage: cloudhsm-cli cluster hsm-info [OPTIONS]
Options:
--cluster-id Unique Id to choose which of the clusters in the config file to run the operation against. If not provided, will fall back to the value provided when interactive mode was started, or error
-h, --help Print help
```
## Example
This command lists the HSMs present in your AWS CloudHSM cluster.
```
aws-cloudhsm > cluster hsm-info
{
"error_code": 0,
"data": {
"hsms": [
{
"vendor": "Marvell Semiconductors, Inc.",
"model": "NITROX-III CNN35XX-NFBE",
"serial-number": "5.3G1941-ICM000590",
"hardware-version-major": "5",
"hardware-version-minor": "3",
"firmware-version-major": "2",
"firmware-version-minor": "6",
"firmware-build-number": "16",
"firmware-id": "CNN35XX-NFBE-FW-2.06-16"
"fips-state": "2 [FIPS mode with single factor authentication]"
},
{
"vendor": "Marvell Semiconductors, Inc.",
"model": "NITROX-III CNN35XX-NFBE",
"serial-number": "5.3G1941-ICM000625",
"hardware-version-major": "5",
"hardware-version-minor": "3",
"firmware-version-major": "2",
"firmware-version-minor": "6",
"firmware-build-number": "16",
"firmware-id": "CNN35XX-NFBE-FW-2.06-16"
"fips-state": "2 [FIPS mode with single factor authentication]"
},
{
"vendor": "Marvell Semiconductors, Inc.",
"model": "NITROX-III CNN35XX-NFBE",
"serial-number": "5.3G1941-ICM000663",
"hardware-version-major": "5",
"hardware-version-minor": "3",
"firmware-version-major": "2",
"firmware-version-minor": "6",
"firmware-build-number": "16",
"firmware-id": "CNN35XX-NFBE-FW-2.06-16"
"fips-state": "2 [FIPS mode with single factor authentication]"
}
]
}
}
```
The output has the following attributes:
+ **Vendor**: The vendor name of the HSM.
+ **Model**: The model number of the HSM.
+ **Serial-number**: The serial number of the HSM. This may change due to replacements.
+ **Hardware-version-major**: The major hardware version.
+ **Hardware-version-minor**: The minor hardware version.
+ **Firmware-version-major**: The major firmware version.
+ **Firmware-version-minor**: The minor firmware version.
+ **Firmware-build-number**: The firmware build number.
+ **Firmware-id**: The firmware ID, which includes the major and minor versions along with the build.
+ **FIPS-state**: The FIPS mode the cluster and the HSMs in it. If in FIPS mode, the output is "2 [FIPS mode with single factor authentication]." If in non-FIPS mode, the output is "0 [non-FIPS mode with single factor authentication]".
## Related topics
+ [Activate a cluster with CloudHSM CLI](cloudhsm_cli-cluster-activate.md)
# The cluster mtls category in CloudHSM CLI
In CloudHSM CLI, **cluster mtls** is a parent category for a group of commands that, when combined with the parent category, create a command specific to AWS CloudHSM clusters. Currently, this category consists of the following commands:
**Topics**
+ [deregister-trust-anchor](cloudhsm_cli-cluster-mtls-deregister-trust-anchor.md)
+ [get-enforcement](cloudhsm_cli-cluster-mtls-get-enforcement.md)
+ [list-trust-anchors](cloudhsm_cli-cluster-mtls-list-trust-anchors.md)
+ [register-trust-anchor](cloudhsm_cli-cluster-mtls-register-trust-anchor.md)
+ [set-enforcement](cloudhsm_cli-cluster-mtls-set-enforcement.md)
# Deregister a trust anchor with CloudHSM CLI
Use the **cluster mtls deregister-trust-anchor** command in CloudHSM CLI to deregister a trust anchor for mutual TLS between client and AWS CloudHSM.
## User type
The following users can run this command.
+ Admin
## Requirements
+ To run this command, you must be logged in as a admin user.
## Syntax
```
aws-cloudhsm > help cluster mtls deregister-trust-anchor
Deregister a trust anchor for mtls
Usage: cluster mtls deregister-trust-anchor [OPTIONS] --certificate-reference [...]
Options:
--certificate-reference A hexadecimal or decimal certificate reference
--cluster-id Unique Id to choose which of the clusters in the config file to run the operation against. If not provided, will fall back to the value provided when interactive mode was started, or error
--approval Filepath of signed quorum token file to approve operation
-h, --help Print help
```
## Example
**Example**
In the following example, this command removes a trust anchor from the HSM.
```
aws-cloudhsm > cluster mtls deregister-trust-anchor --certificate-reference 0x01
{
"error_code": 0,
"data": {
"message": "Trust anchor with reference 0x01 deregistered successfully"
}
}
```
You can then run the **list-trust-anchors** command to confirm that trust anchor has been deregistered from the AWS CloudHSM:
```
aws-cloudhsm > cluster mtls list-trust-anchors
{
"error_code": 0,
"data": {
"trust_anchors": []
}
}
```
## Arguments
******
The ID of the cluster to run this operation on.
Required: If multiple clusters have been [configured.](cloudhsm_cli-configs-multi-cluster.md)
** ** **
A hexadecimal or decimal certificate reference.
**Required**: Yes
After you deregister a trust anchor in the cluster, all existing mTLS connections using the client certificate signed by that trust anchor will be dropped.
** ** **
Specifies the file path to a signed quorum token file to approve operation. Only required if quorum cluster service quorum value is greater than 1.
## Related topics
+ [cluster mtls reregister-trust-anchor](cloudhsm_cli-cluster-mtls-register-trust-anchor.md)
+ [cluster mtls list-trust-anchors](cloudhsm_cli-cluster-mtls-list-trust-anchors.md)
+ [Setup mTLS (recommended)](getting-started-setup-mtls.md)
# Get the mTLS enforcement level with CloudHSM CLI
Use the **cluster mtls get-enforcement** command in CloudHSM CLI to get the enforcement level of the usage of mutual TLS between client and AWS CloudHSM.
## User type
The following users can run this command.
+ Admin
+ Crypto users (CUs)
## Requirements
+ To run this command, you must be logged in as a admin user or crypto user (CUs).
## Syntax
```
aws-cloudhsm > help cluster mtls get-enforcement
Get the status of mtls enforcement in the cluster
Usage: cluster mtls get-enforcement [OPTIONS]
Options:
--cluster-id Unique Id to choose which of the clusters in the config file to run the operation against. If not provided, will fall back to the value provided when interactive mode was started, or error
-h, --help Print help
```
## Example
**Example**
In the following example, this command lists the mtls enforcement level of the AWS CloudHSM.
```
aws-cloudhsm > cluster mtls get-enforcement
{
"error_code": 0,
"data": {
"mtls-enforcement-level": "none"
}
}
```
## Arguments
******
The ID of the cluster to run this operation on.
Required: If multiple clusters have been [configured.](cloudhsm_cli-configs-multi-cluster.md)
## Related topics
+ [cluster mtls set-enforcement](cloudhsm_cli-cluster-mtls-set-enforcement.md)
+ [Setup mTLS (recommended)](getting-started-setup-mtls.md)
# List trust anchors with CloudHSM CLI
Use the **cluster mtls list-trust-anchors** command in CloudHSM CLI to list all the trust anchors which can be used for mutual TLS between client and AWS CloudHSM.
## User type
The following users can run this command.
+ All users. You do not need to be logged in to run this command.
## Syntax
```
aws-cloudhsm > help cluster mtls list-trust-anchors
List all trust anchors for mtls
Usage: cluster mtls list-trust-anchors [OPTIONS]
Options:
--cluster-id Unique Id to choose which of the clusters in the config file to run the operation against. If not provided, will fall back to the value provided when interactive mode was started, or error
-h, --help Print help
```
## Example
**Example**
In the following example, this command lists all the registered trust anchors from the AWS CloudHSM.
```
aws-cloudhsm > cluster mtls list-trust-anchors
{
"error_code": 0,
"data": {
"trust_anchors": [
{
"certificate-reference": "0x01",
"certificate": "",
"cluster-coverage": "full"
},
{
"certificate-reference": "0x02",
"certificate": "",
"cluster-coverage": "full"
}
]
}
}
```
## Arguments
******
The ID of the cluster to run this operation on.
Required: If multiple clusters have been [configured.](cloudhsm_cli-configs-multi-cluster.md)
## Related topics
+ [cluster mtls reregister-trust-anchor](cloudhsm_cli-cluster-mtls-register-trust-anchor.md)
+ [cluster mtls deregister-trust-anchor](cloudhsm_cli-cluster-mtls-deregister-trust-anchor.md)
+ [Setup mTLS (recommended)](getting-started-setup-mtls.md)
# Register a trust anchor with CloudHSM CLI
Use the **cluster mtls register-trust-anchor** command in CloudHSM CLI to register a trust anchor for mutual TLS between client and AWS CloudHSM.
## User type
The following users can run this command.
+ Admin
## Requirements
The AWS CloudHSM accepts trust anchors with the following key types:
****
| Key Type | Description |
| --- | --- |
| EC | secp256r1 (P-256), secp384r1 (P-384), and secp521r1 (P-521) curves. |
| RSA | 2048-bit, 3072-bit, and 4096-bit RSA keys. |
## Syntax
```
aws-cloudhsm > help cluster mtls register-trust-anchor
Register a trust anchor for mtls
Usage: cluster mtls register-trust-anchor [OPTIONS] --path [...]
Options:
--cluster-id Unique Id to choose which of the clusters in the config file to run the operation against. If not provided, will fall back to the value provided when interactive mode was started, or error
--path Filepath of the trust anchor to register
--approval Filepath of signed quorum token file to approve operation
-h, --help Print help
```
## Example
**Example**
In the following example, this command registers a trust anchor onto the HSM. The maximum number of trust anchors can be registered is two (2).
```
aws-cloudhsm > cluster mtls register-trust-anchor --path /home/rootCA
{
"error_code": 0,
"data": {
"trust_anchor": {
"certificate-reference": "0x01",
"certificate": "",
"cluster-coverage": "full"
}
}
}
```
You can then run the **list-trust-anchors** command to confirm that trust anchor has been registered onto the AWS CloudHSM:
```
aws-cloudhsm > cluster mtls list-trust-anchors
{
"error_code": 0,
"data": {
"trust_anchors": [
{
"certificate-reference": "0x01",
"certificate": "",
"cluster-coverage": "full"
}
]
}
}
```
## Arguments
******
The ID of the cluster to run this operation on.
Required: If multiple clusters have been [configured.](cloudhsm_cli-configs-multi-cluster.md)
** ** **
Filepath of the trust anchor to register.
**Required**: Yes
AWS CloudHSM supports registering intermediate certificates as trust anchor. In such cases, the entire PEM-encoded certificate chain file needs to be registered onto the HSM, with the certificates in hierarchical order.
AWS CloudHSM supports a certificate chain of 6980 bytes.
** ** **
Specifies the file path to a signed quorum token file to approve operation. Only required if quorum cluster service quorum value is greater than 1.
## Related topics
+ [cluster mtls deregister-trust-anchor](cloudhsm_cli-cluster-mtls-deregister-trust-anchor.md)
+ [cluster mtls list-trust-anchors](cloudhsm_cli-cluster-mtls-list-trust-anchors.md)
+ [Setup mTLS (recommended)](getting-started-setup-mtls.md)
# Set the mTLS enforcement level with CloudHSM CLI
Use the **cluster mtls set-enforcement** command in CloudHSM CLI to set the enforcement level of the usage of mutual TLS between client and AWS CloudHSM.
## User type
The following users can run this command.
+ Admin with username as admin
## Requirements
To run this command:
+ At least one trust anchor has been successfully registered onto the AWS CloudHSM.
+ Configure the CloudHSM CLI with the right private key and client certificate, and start CloudHSM CLI under a mutual TLS connection.
+ You must be logged in as the default admin with username "admin". Any other admin user will not be able to run this command.
## Syntax
```
aws-cloudhsm > help cluster mtls set-enforcement
Set mtls enforcement policy in the cluster
Usage: cluster mtls set-enforcement [OPTIONS] --level [...]
Options:
--cluster-id Unique Id to choose which of the clusters in the config file to run the operation against. If not provided, will fall back to the value provided when interactive mode was started, or error
--level Level to be set for mtls in the cluster [possible values: none, cluster]
--approval Filepath of signed quorum token file to approve operation
-h, --help Print help
```
## Example
**Example**
In the following example, this command set the mtls enforcement level of the AWS CloudHSM to be cluster. The set-enforcement command can only be performed in a mutual TLS connection and logged in as the admin user with username as admin, see [set the mTLS enforcement for AWS CloudHSM](getting-started-setup-mtls.md#getting-start-setup-mtls-enforcement).
```
aws-cloudhsm > cluster mtls set-enforcement --level cluster
{
"error_code": 0,
"data": {
"message": "Mtls enforcement level set to Cluster successfully"
}
}
```
You can then run the **get-enforcement** command to confirm that enforcement level has been set to cluster:
```
aws-cloudhsm > cluster mtls get-enforcement
{
"error_code": 0,
"data": {
"mtls-enforcement-level": "cluster"
}
}
```
## Arguments
******
The ID of the cluster to run this operation on.
Required: If multiple clusters have been [configured.](cloudhsm_cli-configs-multi-cluster.md)
** ** **
Level to be set for mtls in the cluster.
**Valid values**
+ **cluster**: Enforce the usage of mutual TLS between client and AWS CloudHSM in the cluster.
+ **none**: Do not enforce the usage of mutual TLS between client and AWS CloudHSM in the cluster.
**Required**: Yes
After you enforce mTLS usage in the cluster, all existing non-mTLS connections will be dropped and you can only connect to the cluster with mTLS certificates.
** ** **
Specifies the file path to a signed quorum token file to approve operation. Only required if quorum cluster service quorum value is greater than 1.
## Related topics
+ [cluster mtls get-enforcement](cloudhsm_cli-cluster-mtls-get-enforcement.md)
+ [Setup mTLS (recommended)](getting-started-setup-mtls.md)
# The crypto category in CloudHSM CLI
In the CloudHSM CLI, **crypto** is a parent category for a group of commands that, when combined with the parent category, create a command specific to cryptographic operations. Currently, this category consists of the following commands:
+ [sign](cloudhsm_cli-crypto-sign.md)
+ [ecdsa](cloudhsm_cli-crypto-sign-ecdsa.md)
+ [ed25519ph](cloudhsm_cli-crypto-sign-ed25519ph.md)
+ [rsa-pkcs](cloudhsm_cli-crypto-sign-rsa-pkcs.md)
+ [rsa-pkcs-pss](cloudhsm_cli-crypto-sign-rsa-pkcs-pss.md)
+ [verify](cloudhsm_cli-crypto-verify.md)
+ [ecdsa](cloudhsm_cli-crypto-verify-ecdsa.md)
+ [ed25519ph](cloudhsm_cli-crypto-verify-ed25519ph.md)
+ [rsa-pkcs](cloudhsm_cli-crypto-verify-rsa-pkcs.md)
+ [rsa-pkcs-pss](cloudhsm_cli-crypto-verify-rsa-pkcs-pss.md)
# The crypto sign category in CloudHSM CLI
In the CloudHSM CLI, **crypto sign** is a parent category for a group of commands that, when combined with the parent category, uses a chosen private key in your AWS CloudHSM cluster to generate a signature. **crypto sign** has the following subcommands:
+ [Generate a signature with the ECDSA mechanism in CloudHSM CLI](cloudhsm_cli-crypto-sign-ecdsa.md)
+ [Generate a signature with the HashEdDSA mechanism in CloudHSM CLI](cloudhsm_cli-crypto-sign-ed25519ph.md)
+ [Generate a signature with the RSA-PKCS mechanism in CloudHSM CLI](cloudhsm_cli-crypto-sign-rsa-pkcs.md)
+ [Generate a signature with the RSA-PKCS-PSS mechanism in CloudHSM CLI](cloudhsm_cli-crypto-sign-rsa-pkcs-pss.md)
To use **crypto sign**, you must have a private key in your HSM. You can generate a private key with the following commands:
+ [key generate-asymmetric-pair ec](cloudhsm_cli-key-generate-asymmetric-pair-ec.md)
+ [key generate-asymmetric-pair rsa](cloudhsm_cli-key-generate-asymmetric-pair-rsa.md)
# Generate a signature with the ECDSA mechanism in CloudHSM CLI
Use the **crypto sign ecdsa** command in CloudHSM CLI to generate a signature using an EC private key and the ECDSA signing mechanism.
To use the **crypto sign ecdsa** command, you must first have an EC private key in your AWS CloudHSM cluster. You can generate an EC private key using the [Generate an asymmetric EC key pair with CloudHSM CLI](cloudhsm_cli-key-generate-asymmetric-pair-ec.md) command with the `sign` attribute set to `true`.
The resulting ECDSA signature is generated in the format `r||s`, where the r and s components are concatenated as raw binary data and returned in base64 encoded format.
**Note**
Signatures can be verified in AWS CloudHSM with [The crypto verify category in CloudHSM CLI](cloudhsm_cli-crypto-verify.md) subcommands.
## User type
The following types of users can run this command.
+ Crypto users (CUs)
## Requirements
+ To run this command, you must be logged in as a CU.
## Syntax
```
aws-cloudhsm > help crypto sign ecdsa
Sign with the ECDSA mechanism
Usage: crypto sign ecdsa --key-filter [>...] --hash-function <--data-path |--data >
Options:
--cluster-id
Unique Id to choose which of the clusters in the config file to run the operation against. If not provided, will fall back to the value provided when interactive mode was started, or error
--key-filter [...]
Key reference (e.g. key-reference=0xabc) or space separated list of key attributes in the form of attr.KEY_ATTRIBUTE_NAME=KEY_ATTRIBUTE_VALUE to select a matching key
--hash-function
[possible values: sha1, sha224, sha256, sha384, sha512]
--data-path
The path to the file containing the data to be signed
--data
Base64 Encoded data to be signed
--approval
Filepath of signed quorum token file to approve operation
--data-type
The type of data passed in, either raw or digest [possible values: raw, digest]
-h, --help
Print help
```
## Example
These examples show how to use **crypto sign ecdsa** to generate a signature using the ECDSA signing mechanism and `SHA256` hash function. This command uses a private key in the HSM.
**Example: Generate a signature for base 64 encoded data**
```
aws-cloudhsm > crypto sign ecdsa --key-filter attr.label=ec-private --hash-function sha256 --data YWJjMTIz
{
"error_code": 0,
"data": {
"key-reference": "0x00000000007808dd",
"signature": "4zki+FzjhP7Z/KqoQvh4ueMAxQQVp7FQguZ2wOS3Q5bzk+Hc5irV5iTkuxQbropPttVFZ8V6FgR2fz+sPegwCw=="
}
}
```
**Example: Generate a signature for a data file**
```
aws-cloudhsm > crypto sign ecdsa --key-filter attr.label=ec-private --hash-function sha256 --data-path data.txt
{
"error_code": 0,
"data": {
"key-reference": "0x00000000007808dd",
"signature": "4zki+FzjhP7Z/KqoQvh4ueMAxQQVp7FQguZ2wOS3Q5bzk+Hc5irV5iTkuxQbropPttVFZ8V6FgR2fz+sPegwCw=="
}
}
```
## Arguments
******
The ID of the cluster to run this operation on.
Required: If multiple clusters have been [configured.](cloudhsm_cli-configs-multi-cluster.md)
******
Base64 encoded data to be signed.
Required: Yes (unless provided through data path)
******
Specifies the location of the data to be signed.
Required: Yes (unless provided through data path)
******
Specifies the hash function.
Valid values:
+ sha1
+ sha224
+ sha256
+ sha384
+ sha512
Required: Yes
******
Key reference (for example, `key-reference=0xabc`) or space separated list of key attributes in the form of attr.KEY\$1ATTRIBUTE\$1NAME=KEY\$1ATTRIBUTE\$1VALUE to select a matching key.
For a listing of supported CloudHSM CLI key attributes, see Key attributes for CloudHSM CLI.
Required: Yes
******
Specifies the file path to a signed quorum token file to approve operation. Only required if the key usage service quorum value of the private key is greater than 1.
******
Specifies whether the value of the data parameter should be hashed as part of the signing algorithm. Use `raw` for unhashed data; use `digest` for digests, which are already hashed.
Valid values:
+ raw
+ digest
## Related topics
+ [The crypto sign category in CloudHSM CLI](cloudhsm_cli-crypto-sign.md)
+ [The crypto verify category in CloudHSM CLI](cloudhsm_cli-crypto-verify.md)
# Generate a signature with the HashEdDSA mechanism in CloudHSM CLI
**Important**
HashEdDSA signing operations are only supported on hsm2m.medium instances in non-FIPS mode.
Use the **crypto sign ed25519ph** command in CloudHSM CLI to generate a signature using an Ed25519 private key and the HashEdDSA signing mechanism. For additional information on HashEdDSA, see [NIST SP 186-5, Section 7.8](https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.186-5.pdf).
To use the **crypto sign ed25519ph** command, you must first have an Ed25519 private key in your AWS CloudHSM cluster. You can generate an Ed25519 private key using the [Generate an asymmetric EC key pair with CloudHSM CLI](cloudhsm_cli-key-generate-asymmetric-pair-ec.md) command with the `curve` parameter set to `ed25519` and the `sign` attribute set to `true`.
**Note**
Signatures can be verified in AWS CloudHSM with [The crypto verify category in CloudHSM CLI](cloudhsm_cli-crypto-verify.md) subcommands.
## User type
The following types of users can run this command.
+ Crypto users (CUs)
## Requirements
+ To run this command, you must be logged in as a CU.
+ HashEdDSA signing operations are only supported on hsm2m.medium instances in non-FIPS mode.
## Syntax
```
aws-cloudhsm > help crypto sign ed25519ph
Sign with the Ed25519ph mechanism
Usage: crypto sign ed25519ph [OPTIONS] --key-filter [...] --data-type --hash-function <--data-path |--data >
Options:
--cluster-id
Unique Id to choose which of the clusters in the config file to run the operation against. If not provided, will fall back to the value provided when interactive mode was started, or error
--key-filter [...]
Key reference (e.g. key-reference=0xabc) or space separated list of key attributes in the form of attr.KEY_ATTRIBUTE_NAME=KEY_ATTRIBUTE_VALUE to select a matching key
--data-path
The path to the file containing the data to be signed
--data
Base64 Encoded data to be signed
--approval
Filepath of signed quorum token file to approve operation
--data-type
The type of data passed in, either raw or digest [possible values: raw, digest]
--hash-function
Hash function [possible values: sha512]
-h, --help
Print help
```
## Example
These examples show how to use **crypto sign ed25519ph** to generate a signature using the Ed25519ph signing mechanism and `sha512` hash function. This command uses a private key in the HSM.
**Example: Generate a signature for base 64 encoded data**
```
aws-cloudhsm > crypto sign ed25519ph \
--key-filter attr.label=ed25519-private \
--data-type raw \
--hash-function sha512 \
--data YWJj
{
"error_code": 0,
"data": {
"key-reference": "0x0000000000401cdf",
"signature": "mKcCIvC4Ehqp0w+BPWg/gJ5GK0acf/h2OUmbuU5trkEx+FBCRjwqNVogA9BirfWqoQuMYeY2Biqq0RwqJgg0Bg=="
}
}
```
**Example: Generate a signature for a data file**
```
aws-cloudhsm > crypto sign ed25519ph \
--key-filter attr.label=ed25519-private \
--data-type raw \
--hash-function sha512 \
--data-path data.txt
{
"error_code": 0,
"data": {
"key-reference": "0x0000000000401cdf",
"signature": "mKcCIvC4Ehqp0w+BPWg/gJ5GK0acf/h2OUmbuU5trkEx+FBCRjwqNVogA9BirfWqoQuMYeY2Biqq0RwqJgg0Bg=="
}
}
```
## Arguments
******
The ID of the cluster to run this operation on.
Required: If multiple clusters have been [configured.](cloudhsm_cli-configs-multi-cluster.md)
******
Base64 encoded data to be signed.
Required: Yes (unless provided through data path)
******
Specifies the location of the data to be signed.
Required: Yes (unless provided through data parameter)
******
Specifies the hash function. Ed25519ph only supports SHA512.
Valid values:
+ sha512
Required: Yes
******
Key reference (for example, `key-reference=0xabc`) or space separated list of key attributes in the form of attr.KEY\$1ATTRIBUTE\$1NAME=KEY\$1ATTRIBUTE\$1VALUE to select a matching key.
For a list of supported CloudHSM CLI key attributes, see [Key attributes for CloudHSM CLI](cloudhsm_cli-key-attributes.md).
Required: Yes
******
Specifies the file path to a signed quorum token file to approve operation. Only required if the key usage service quorum value of the private key is greater than 1.
******
Specifies whether the value of the data parameter should be hashed as part of the signing algorithm. Use `raw` for unhashed data; use `digest` for digests, which are already hashed.
Valid values:
+ raw
+ digest
Required: Yes
## Related topics
+ [The crypto sign category in CloudHSM CLI](cloudhsm_cli-crypto-sign.md)
+ [The crypto verify category in CloudHSM CLI](cloudhsm_cli-crypto-verify.md)
# Generate a signature with the RSA-PKCS mechanism in CloudHSM CLI
Use the **crypto sign rsa-pkcs** command in CloudHSM CLI to generate a signature using an RSA private key and the RSA-PKCS signing mechanism.
To use the **crypto sign rsa-pkcs** command, you must first have a RSA private key in your AWS CloudHSM cluster. You can generate an RSA private key using the [Generate an asymmetric RSA key pair with CloudHSM CLI](cloudhsm_cli-key-generate-asymmetric-pair-rsa.md) command with the `sign` attribute set to `true`.
**Note**
Signatures can be verified in AWS CloudHSM with [The crypto verify category in CloudHSM CLI](cloudhsm_cli-crypto-verify.md) subcommands.
## User type
The following types of users can run this command.
+ Crypto users (CUs)
## Requirements
+ To run this command, you must be logged in as a CU.
## Syntax
```
aws-cloudhsm > help crypto sign rsa-pkcs
Sign with the RSA-PKCS mechanism
Usage: crypto sign rsa-pkcs --key-filter [>...] --hash-function <--data-path |--data >
Options:
--cluster-id
Unique Id to choose which of the clusters in the config file to run the operation against. If not provided, will fall back to the value provided when interactive mode was started, or error
--key-filter [...]
Key reference (e.g. key-reference=0xabc) or space separated list of key attributes in the form of attr.KEY_ATTRIBUTE_NAME=KEY_ATTRIBUTE_VALUE to select a matching key
--hash-function
[possible values: sha1, sha224, sha256, sha384, sha512]
--data-path
The path to the file containing the data to be signed
--data
Base64 Encoded data to be signed
--approval
Filepath of signed quorum token file to approve operation
--data-type
The type of data passed in, either raw or digest [possible values: raw, digest]
-h, --help
Print help
```
## Example
These examples show how to use **crypto sign rsa-pkcs** to generate a signature using the RSA-PKCS signing mechanism and `SHA256` hash function. This command uses a private key in the HSM.
**Example: Generate a signature for base 64 encoded data**
```
aws-cloudhsm > crypto sign rsa-pkcs --key-filter attr.label=rsa-private --hash-function sha256 --data YWJjMTIz
{
"error_code": 0,
"data": {
"key-reference": "0x00000000007008db",
"signature": "XJ7mRyHnDRYrDWTQuuNb+5mhoXx7VTsPMjgOQW4iMN7E42eNHj2Q0oovMmBdHUEH0F4HYG8FBJOBhvGuM8J/z6y41GbowVpUT6WzjnIQs79K9i7i6oR1TYjLnIS3r/zkimuXcS8/ZxyDzru+GO9BUT9FFU/of9cvu4Oyn6a5+IXuCbKNQs19uASuFARUTZ0a0Ny1CB1MulxUpqGTmI91J6evlP7k/2khwDmJ5E8FEar5/Cvbn9t21p3Uj561ngTXrYbIZ2KHpef9jQh/cEIvFLG61sexJjQi8EdTxeDA+I3ITO0qrvvESvA9+Sj7kdG2ceIicFS8/8LwyxiIC31UHQ=="
}
}
```
**Example: Generate a signature for a data file**
```
aws-cloudhsm > crypto sign rsa-pkcs --key-filter attr.label=rsa-private --hash-function sha256 --data-path data.txt
{
"error_code": 0,
"data": {
"key-reference": "0x00000000007008db",
"signature": "XJ7mRyHnDRYrDWTQuuNb+5mhoXx7VTsPMjgOQW4iMN7E42eNHj2Q0oovMmBdHUEH0F4HYG8FBJOBhvGuM8J/z6y41GbowVpUT6WzjnIQs79K9i7i6oR1TYjLnIS3r/zkimuXcS8/ZxyDzru+GO9BUT9FFU/of9cvu4Oyn6a5+IXuCbKNQs19uASuFARUTZ0a0Ny1CB1MulxUpqGTmI91J6evlP7k/2khwDmJ5E8FEar5/Cvbn9t21p3Uj561ngTXrYbIZ2KHpef9jQh/cEIvFLG61sexJjQi8EdTxeDA+I3ITO0qrvvESvA9+Sj7kdG2ceIicFS8/8LwyxiIC31UHQ=="
}
}
```
## Arguments
******
The ID of the cluster to run this operation on.
Required: If multiple clusters have been [configured.](cloudhsm_cli-configs-multi-cluster.md)
******
Base64 encoded data to be signed.
Required: Yes (unless provided through data path)
******
Specifies the location of the data to be signed.
Required: Yes (unless provided through data)
******
Specifies the hash function.
Valid values:
+ sha1
+ sha224
+ sha256
+ sha384
+ sha512
Required: Yes
******
Key reference (for example, `key-reference=0xabc`) or space separated list of key attributes in the form of `attr.KEY_ATTRIBUTE_NAME=KEY_ATTRIBUTE_VALUE` to select a matching key.
For a listing of supported CloudHSM CLI key attributes, see Key attributes for CloudHSM CLI.
Required: Yes
******
Specifies the file path to a signed quorum token file to approve operation. Only required if the key usage service quorum value of the private key is greater than 1.
******
Specifies whether the value of the data parameter should be hashed as part of the signing algorithm. Use `raw` for unhashed data; use `digest` for digests, which are already hashed.
For RSA-PKCS, the data must be passed in DER encoded format as specified in [RFC 8017, Section 9.2](https://www.rfc-editor.org/rfc/rfc8017#section-9.2)
Valid values:
+ raw
+ digest
## Related topics
+ [The crypto sign category in CloudHSM CLI](cloudhsm_cli-crypto-sign.md)
+ [The crypto verify category in CloudHSM CLI](cloudhsm_cli-crypto-verify.md)
# Generate a signature with the RSA-PKCS-PSS mechanism in CloudHSM CLI
Use the **crypto sign rsa-pkcs-pss** command in CloudHSM CLI to generate a signature using an RSA private key and the `RSA-PKCS-PSS` signing mechanism.
To use the **crypto sign rsa-pkcs-pss** command, you must first have a RSA private key in your AWS CloudHSM cluster. You can generate an RSA private key using the [Generate an asymmetric RSA key pair with CloudHSM CLI](cloudhsm_cli-key-generate-asymmetric-pair-rsa.md) command with the `sign` attribute set to `true`.
**Note**
Signatures can be verified in AWS CloudHSM with [The crypto verify category in CloudHSM CLI](cloudhsm_cli-crypto-verify.md) subcommands.
## User type
The following types of users can run this command.
+ Crypto users (CUs)
## Requirements
+ To run this command, you must be logged in as a CU.
## Syntax
```
aws-cloudhsm > help crypto sign rsa-pkcs-pss
Sign with the RSA-PKCS-PSS mechanism
Usage: crypto sign rsa-pkcs-pss [OPTIONS] --key-filter [...] --hash-function --mgf --salt-length <--data-path |--data >
Options:
--cluster-id Unique Id to choose which of the clusters in the config file to run the operation against. If not provided, will fall back to the value provided when interactive mode was started, or error
--key-filter [...] Key reference (e.g. key-reference=0xabc) or space separated list of key attributes in the form of attr.KEY_ATTRIBUTE_NAME=KEY_ATTRIBUTE_VALUE to select a matching key
--hash-function [possible values: sha1, sha224, sha256, sha384, sha512]
--data-path The path to the file containing the data to be signed
--data Base64 Encoded data to be signed
--mgf The mask generation function [possible values: mgf1-sha1, mgf1-sha224, mgf1-sha256, mgf1-sha384, mgf1-sha512]
--salt-length The salt length
--approval Filepath of signed quorum token file to approve operation
--data-type The type of data passed in, either raw or digest [possible values: raw, digest]
-h, --help Print help
```
## Example
These examples show how to use **crypto sign rsa-pkcs-pss** to generate a signature using the `RSA-PKCS-PSS` signing mechanism and `SHA256` hash function. This command uses a private key in the HSM.
**Example: Generate a signature for base 64 encoded data**
```
aws-cloudhsm > crypto sign rsa-pkcs-pss --key-filter attr.label=rsa-private --hash-function sha256 --data YWJjMTIz --salt-length 10 --mgf mgf1-sha256
{
"error_code": 0,
"data": {
"key-reference": "0x00000000007008db",
"signature": "H/z1rYVMzNAa31K4amE5MTiwGxDdCTgQXCJXRBKVOVm7ZuyI0fGE4sT/BUN+977mQEV2TqtWpTsiF2IpwGM1VfSBRt7h/g4o6YERm1tTQLl7q+AJ7uGGK37zCsWQrAo7Vy8NzPShxekePo/ZegrB1aHWN1fE8H3IPUKqLuMDI9o1Jq6kM986ExS7YmeOIclcZkyykTWqHLQVL2C3+A2bHJZBqRcM5XoIpk8HkPypjpN+m4FNUds30GAemoOMl6asSrEJSthaZWV53OBsDOqzA8Rt8JdhXS+GZp3vNLdL1OTBELDPweXVgAu4dBX0FOvpw/gg6sNvuaDK4YOBv2fqKg=="
}
}
```
**Example: Generate a signature for a data file**
```
aws-cloudhsm > crypto sign rsa-pkcs-pss --key-filter attr.label=rsa-private --hash-function sha256 --data-path data.txt --salt-length 10 --mgf mgf1-sha256
{
"error_code": 0,
"data": {
"key-reference": "0x00000000007008db",
"signature": "H/z1rYVMzNAa31K4amE5MTiwGxDdCTgQXCJXRBKVOVm7ZuyI0fGE4sT/BUN+977mQEV2TqtWpTsiF2IpwGM1VfSBRt7h/g4o6YERm1tTQLl7q+AJ7uGGK37zCsWQrAo7Vy8NzPShxekePo/ZegrB1aHWN1fE8H3IPUKqLuMDI9o1Jq6kM986ExS7YmeOIclcZkyykTWqHLQVL2C3+A2bHJZBqRcM5XoIpk8HkPypjpN+m4FNUds30GAemoOMl6asSrEJSthaZWV53OBsDOqzA8Rt8JdhXS+GZp3vNLdL1OTBELDPweXVgAu4dBX0FOvpw/gg6sNvuaDK4YOBv2fqKg=="
}
}
```
## Arguments
******
The ID of the cluster to run this operation on.
Required: If multiple clusters have been [configured.](cloudhsm_cli-configs-multi-cluster.md)
******
Base64 encoded data to be signed.
Required: Yes (unless provided through data path)
******
Specifies the location of the data to be signed.
Required: Yes (unless provided through data)
******
Specifies the hash function.
Valid values:
+ sha1
+ sha224
+ sha256
+ sha384
+ sha512
Required: Yes
******
Key reference (for example, `key-reference=0xabc`) or space separated list of key attributes in the form of `attr.KEY_ATTRIBUTE_NAME=KEY_ATTRIBUTE_VALUE` to select a matching key.
For a listing of supported CloudHSM CLI key attributes, see Key attributes for CloudHSM CLI.
Required: Yes
******
Specifies the mask generation function.
The mask generation function hash function must match the signing mechanism hash function.
Valid values:
+ mgf1-sha1
+ mgf1-sha224
+ mgf1-sha256
+ mgf1-sha384
+ mgf1-sha512
Required: Yes
******
Specifies the salt length.
Required: Yes
******
Specifies the file path to a signed quorum token file to approve operation. Only required if the key usage service quorum value of the private key is greater than 1.
******
Specifies whether the value of the data parameter should be hashed as part of the signing algorithm. Use `raw` for unhashed data; use `digest` for digests, which are already hashed.
Valid values:
+ raw
+ digest
## Related topics
+ [The crypto sign category in CloudHSM CLI](cloudhsm_cli-crypto-sign.md)
+ [The crypto verify category in CloudHSM CLI](cloudhsm_cli-crypto-verify.md)
## Related topics
+ [The crypto verify category in CloudHSM CLI](cloudhsm_cli-crypto-verify.md)
# The crypto verify category in CloudHSM CLI
In the CloudHSM CLI, **crypto verify** is a parent category for a group of commands that, when combined with the parent category, confirms whether a file has been signed by a given key. **crypto verify** has the following subcommands:
+ [crypto verify ecdsa](cloudhsm_cli-crypto-verify-ecdsa.md)
+ [crypto verify ed25519ph](cloudhsm_cli-crypto-verify-ed25519ph.md)
+ [crypto verify rsa-pkcs](cloudhsm_cli-crypto-verify-rsa-pkcs.md)
+ [crypto verify rsa-pkcs-pss](cloudhsm_cli-crypto-verify-rsa-pkcs-pss.md)
The **crypto verify** command compares a signed file against a source file and analyzes whether they are cryptographically related based on a given public key and signing mechanism.
**Note**
Files can be signed in AWS CloudHSM with the [The crypto sign category in CloudHSM CLI](cloudhsm_cli-crypto-sign.md) operation.
# Verify a signature signed with the ECDSA mechanism in CloudHSM CLI
Use the **crypto verify ecdsa** command in CloudHSM CLI to complete the following operations:
+ Confirm a file has been signed in the HSM by a given public key.
+ Verify the signature was generated using the ECDSA signing mechanism.
+ Compare a signed file against a source file and determine whether the two are cryptographically related based on a given ecdsa public key and signing mechanism.
+ The ECDSA verification function expects the signature in the format `r||s`, where the r and s components are concatenated as raw binary data.
To use the **crypto verify ecdsa** command, you must first have an EC public key in your AWS CloudHSM cluster. You can import an EC public key using the [Import a PEM format key with CloudHSM CLI](cloudhsm_cli-key-import-pem.md) command with the `verify` attribute set to `true`.
**Note**
You can generate a signature in CloudHSM CLI with [The crypto sign category in CloudHSM CLI](cloudhsm_cli-crypto-sign.md) subcommands.
## User type
The following types of users can run this command.
+ Crypto users (CUs)
## Requirements
+ To run this command, you must be logged in as a CU.
## Syntax
```
aws-cloudhsm > help crypto verify ecdsa
Verify with the ECDSA mechanism
Usage: crypto verify ecdsa --key-filter [...] --hash-function <--data-path |--data > <--signature-path |--signature >
Options:
--cluster-id
Unique Id to choose which of the clusters in the config file to run the operation against. If not provided, will fall back to the value provided when interactive mode was started, or error
--key-filter [...]
Key reference (e.g. key-reference=0xabc) or space separated list of key attributes in the form of attr.KEY_ATTRIBUTE_NAME=KEY_ATTRIBUTE_VALUE to select a matching key
--hash-function
[possible values: sha1, sha224, sha256, sha384, sha512]
--data-path
The path to the file containing the data to be verified
--data
Base64 encoded data to be verified
--signature-path
The path to where the signature is located
--signature
Base64 encoded signature to be verified
--data-type
The type of data passed in, either raw or digest [possible values: raw, digest]
-h, --help
Print help
```
## Example
These examples show how to use **crypto verify ecdsa** to verify a signature that was generated using the ECDSA signing mechanism and `SHA256` hash function. This command uses a public key in the HSM.
**Example: Verify a Base64 encoded signature with Base64 encoded data**
```
aws-cloudhsm > crypto verify ecdsa --hash-function sha256 --key-filter attr.label=ec-public --data YWJjMTIz --signature 4zki+FzjhP7Z/KqoQvh4ueMAxQQVp7FQguZ2wOS3Q5bzk+Hc5irV5iTkuxQbropPttVFZ8V6FgR2fz+sPegwCw==
{
"error_code": 0,
"data": {
"message": "Signature verified successfully"
}
}
```
**Example: Verify a signature file with a data file**
```
aws-cloudhsm > crypto verify ecdsa --hash-function sha256 --key-filter attr.label=ec-public --data-path data.txt --signature-path signature-file
{
"error_code": 0,
"data": {
"message": "Signature verified successfully"
}
}
```
**Example: Prove false signing relationship**
This command verifies whether the data located at `/home/data` was signed by a public key with the label `ecdsa-public` using the ECDSA signing mechanism to produce the signature located in `/home/signature`. Because the given arguments do not make up a true signing relationship, the command returns an error message.
```
aws-cloudhsm > crypto verify ecdsa --hash-function sha256 --key-filter attr.label=ec-public --data aW52YWxpZA== --signature +ogk7M7S3iTqFg3SndJfd91dZFr5Qo6YixJl8JwcvqqVgsVuO6o+VKvTRjz0/V05kf3JJbBLr87Q+wLWcMAJfA==
{
"error_code": 1,
"data": "Signature verification failed"
}
```
## Arguments
******
The ID of the cluster to run this operation on.
Required: If multiple clusters have been [configured.](cloudhsm_cli-configs-multi-cluster.md)
******
Base64 encoded data to be signed.
Required: Yes (unless provided through data path)
******
Specifies the location of the data to be signed.
Required: Yes (unless provided through data path)
******
Specifies the hash function.
Valid values:
+ sha1
+ sha224
+ sha256
+ sha384
+ sha512
Required: Yes
******
Key reference (for example, `key-reference=0xabc`) or space separated list of key attributes in the form of `attr.KEY_ATTRIBUTE_NAME=KEY_ATTRIBUTE_VALUE` to select a matching key.
For a listing of supported CloudHSM CLI key attributes, see Key attributes for CloudHSM CLI.
Required: Yes
******
Base64 encoded signature.
Required: Yes (unless provided through signature path)
******
Specifies the location of the signature.
Required: Yes (unless provided through signature path)
******
Specifies whether the value of the data parameter should be hashed as part of the signing algorithm. Use `raw` for unhashed data; use `digest` for digests, which are already hashed.
Valid values:
+ raw
+ digest
## Related topics
+ [The crypto sign category in CloudHSM CLI](cloudhsm_cli-crypto-sign.md)
+ [The crypto verify category in CloudHSM CLI](cloudhsm_cli-crypto-verify.md)
# Verify a signature signed with the HashEdDSA mechanism in CloudHSM CLI
**Important**
HashEdDSA signature verification operations are only supported on hsm2m.medium instances in non-FIPS mode.
Use the **crypto verify ed25519ph** command in CloudHSM CLI to complete the following operations:
+ Verify signatures of data or files using a given Ed25519 public key.
+ Confirm the signature was generated using the HashEdDSA signing mechanism. For additional information on HashEdDSA, see [NIST SP 186-5, Section 7.8](https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.186-5.pdf).
To use the **crypto verify ed25519ph** command, you must first have an Ed25519 public key in your AWS CloudHSM cluster. You can generate an Ed25519 key pair using the [Generate an asymmetric EC key pair with CloudHSM CLI](cloudhsm_cli-key-generate-asymmetric-pair-ec.md) command with the `curve` parameter set to `ed25519` and the `verify` attribute set to `true`, or import an Ed25519 public key using the [Import a PEM format key with CloudHSM CLI](cloudhsm_cli-key-import-pem.md) command with the `verify` attribute set to `true`.
**Note**
You can generate a signature in CloudHSM CLI with [The crypto sign category in CloudHSM CLI](cloudhsm_cli-crypto-sign.md) subcommands.
## User type
The following types of users can run this command.
+ Crypto users (CUs)
## Requirements
+ To run this command, you must be logged in as a CU.
+ HashEdDSA signature verification operations are only supported on hsm2m.medium instances in non-FIPS mode.
## Syntax
```
aws-cloudhsm > help crypto verify ed25519ph
Verify with the Ed25519ph mechanism
Usage: crypto verify ed25519ph [OPTIONS] --key-filter [...] --data-type --hash-function <--data-path |--data > <--signature-path |--signature >
Options:
--cluster-id
Unique Id to choose which of the clusters in the config file to run the operation against. If not provided, will fall back to the value provided when interactive mode was started, or error
--key-filter [...]
Key reference (e.g. key-reference=0xabc) or space separated list of key attributes in the form of attr.KEY_ATTRIBUTE_NAME=KEY_ATTRIBUTE_VALUE to select a matching key
--data-path
The path to the file containing the data to be verified
--data
Base64 encoded data to be verified
--signature-path
The path to where the signature is located
--signature
Base64 encoded signature to be verified
--data-type
The type of data passed in, either raw or digest [possible values: raw, digest]
--hash-function
Hash function [possible values: sha512]
-h, --help
Print help
```
## Example
These examples show how to use **crypto verify ed25519ph** to verify a signature that was generated using the Ed25519ph signing mechanism and `sha512` hash function. This command uses an Ed25519 public key in the HSM.
**Example: Verify a Base64 encoded signature with Base64 encoded data**
```
aws-cloudhsm > crypto verify ed25519ph \
--hash-function sha512 \
--key-filter attr.label=ed25519-public \
--data-type raw \
--data YWJj \
--signature mKcCIvC4Ehqp0w+BPWg/gJ5GK0acf/h2OUmbuU5trkEx+FBCRjwqNVogA9BirfWqoQuMYeY2Biqq0RwqJgg0Bg==
{
"error_code": 0,
"data": {
"message": "Signature verified successfully"
}
}
```
**Example: Verify a signature file with a data file**
```
aws-cloudhsm > crypto verify ed25519ph \
--hash-function sha512 \
--key-filter attr.label=ed25519-public \
--data-type raw \
--data-path data.txt \
--signature-path signature-file
{
"error_code": 0,
"data": {
"message": "Signature verified successfully"
}
}
```
## Arguments
******
The ID of the cluster to run this operation on.
Required: If multiple clusters have been [configured.](cloudhsm_cli-configs-multi-cluster.md)
******
Base64 encoded data to be verified.
Required: Yes (unless provided through data path)
******
Specifies the location of the data to be verified.
Required: Yes (unless provided through data parameter)
******
Specifies the hash function. Ed25519ph only supports SHA512.
Valid values:
+ sha512
Required: Yes
******
Key reference (for example, `key-reference=0xabc`) or space separated list of key attributes in the form of `attr.KEY_ATTRIBUTE_NAME=KEY_ATTRIBUTE_VALUE` to select a matching key.
For a listing of supported CloudHSM CLI key attributes, see [Key attributes for CloudHSM CLI](cloudhsm_cli-key-attributes.md).
Required: Yes
******
Base64 encoded signature.
Required: Yes (unless provided through signature path)
******
Specifies the location of the signature.
Required: Yes (unless provided through signature parameter)
******
Specifies whether the value of the data parameter should be hashed as part of the verification algorithm. Use `raw` for unhashed data; use `digest` for digests, which are already hashed.
Valid values:
+ raw
+ digest
Required: Yes
## Related topics
+ [The crypto sign category in CloudHSM CLI](cloudhsm_cli-crypto-sign.md)
+ [The crypto verify category in CloudHSM CLI](cloudhsm_cli-crypto-verify.md)
+ [Generate a signature with the HashEdDSA mechanism in CloudHSM CLI](cloudhsm_cli-crypto-sign-ed25519ph.md)
# Verify a signature signed with the RSA-PKCS mechanism in CloudHSM CLI
Use the **crypto verify rsa-pkcs** command in CloudHSM CLI complete the following operations:
+ Confirm a file has been signed in the HSM by a given public key.
+ Verify the signature was generated using the `RSA-PKCS` signing mechanism.
+ Compare a signed file against a source file and determines whether the two are cryptographically related based on a given rsa public key and signing mechanism.
To use the **crypto verify rsa-pkcs** command, you must first have an RSA public key in your AWS CloudHSM cluster.
**Note**
You can generate a signature using the CloudHSM CLI with the [The crypto sign category in CloudHSM CLI](cloudhsm_cli-crypto-sign.md) subcommands.
## User type
The following types of users can run this command.
+ Crypto users (CUs)
## Requirements
+ To run this command, you must be logged in as a CU.
## Syntax
```
aws-cloudhsm > help crypto verify rsa-pkcs
Verify with the RSA-PKCS mechanism
Usage: crypto verify rsa-pkcs --key-filter [...] --hash-function <--data-path |--data > <--signature-path |--signature >
Options:
--cluster-id
Unique Id to choose which of the clusters in the config file to run the operation against. If not provided, will fall back to the value provided when interactive mode was started, or error
--key-filter [...]
Key reference (e.g. key-reference=0xabc) or space separated list of key attributes in the form of attr.KEY_ATTRIBUTE_NAME=KEY_ATTRIBUTE_VALUE to select a matching key
--hash-function
[possible values: sha1, sha224, sha256, sha384, sha512]
--data-path
The path to the file containing the data to be verified
--data
Base64 encoded data to be verified
--signature-path
The path to where the signature is located
--signature
Base64 encoded signature to be verified
--data-type
The type of data passed in, either raw or digest [possible values: raw, digest]
-h, --help
Print help
```
## Example
These examples show how to use **crypto verify rsa-pkcs** to verify a signature that was generated using the RSA-PKCS signing mechanism and `SHA256` hash function. This command uses a public key in the HSM.
**Example: Verify a Base64 encoded signature with Base64 encoded data**
```
aws-cloudhsm > crypto verify rsa-pkcs --hash-function sha256 --key-filter attr.label=rsa-public --data YWJjMTIz --signature XJ7mRyHnDRYrDWTQuuNb+5mhoXx7VTsPMjgOQW4iMN7E42eNHj2Q0oovMmBdHUEH0F4HYG8FBJOBhvGuM8J/z6y41GbowVpUT6WzjnIQs79K9i7i6oR1TYjLnIS3r/zkimuXcS8/ZxyDzru+GO9BUT9FFU/of9cvu4Oyn6a5+IXuCbKNQs19uASuFARUTZ0a0Ny1CB1MulxUpqGTmI91J6evlP7k/2khwDmJ5E8FEar5/Cvbn9t21p3Uj561ngTXrYbIZ2KHpef9jQh/cEIvFLG61sexJjQi8EdTxeDA+I3ITO0qrvvESvA9+Sj7kdG2ceIicFS8/8LwyxiIC31UHQ==
{
"error_code": 0,
"data": {
"message": "Signature verified successfully"
}
}
```
**Example: Verify a signature file with a data file**
```
aws-cloudhsm > crypto verify rsa-pkcs --hash-function sha256 --key-filter attr.label=rsa-public --data-path data.txt --signature-path signature-file
{
"error_code": 0,
"data": {
"message": "Signature verified successfully"
}
}
```
**Example: Prove false signing relationship**
This command verifies whether the invalid data was signed by a public key with the label `rsa-public` using the RSAPKCS signing mechanism to produce the signature located in `/home/signature`. Because the given arguments do not make up a true signing relationship, the command returns an error message.
```
aws-cloudhsm > crypto verify rsa-pkcs --hash-function sha256 --key-filter attr.label=rsa-public --data aW52YWxpZA== --signature XJ7mRyHnDRYrDWTQuuNb+5mhoXx7VTsPMjgOQW4iMN7E42eNHj2Q0oovMmBdHUEH0F4HYG8FBJOBhvGuM8J/z6y41GbowVpUT6WzjnIQs79K9i7i6oR1TYjLnIS3r/zkimuXcS8/ZxyDzru+GO9BUT9FFU/of9cvu4Oyn6a5+IXuCbKNQs19uASuFARUTZ0a0Ny1CB1MulxUpqGTmI91J6evlP7k/2khwDmJ5E8FEar5/Cvbn9t21p3Uj561ngTXrYbIZ2KHpef9jQh/cEIvFLG61sexJjQi8EdTxeDA+I3ITO0qrvvESvA9+Sj7kdG2ceIicFS8/8LwyxiIC31UHQ==
{
"error_code": 1,
"data": "Signature verification failed"
}
```
## Arguments
******
The ID of the cluster to run this operation on.
Required: If multiple clusters have been [configured.](cloudhsm_cli-configs-multi-cluster.md)
******
Base64 encoded data to be signed.
Required: Yes (unless provided through data path)
******
Specifies the location of the data to be signed.
Required: Yes (unless provided through data path)
******
Specifies the hash function.
Valid values:
+ sha1
+ sha224
+ sha256
+ sha384
+ sha512
Required: Yes
******
Key reference (for example, `key-reference=0xabc`) or space separated list of key attributes in the form of `attr.KEY_ATTRIBUTE_NAME=KEY_ATTRIBUTE_VALUE` to select a matching key.
For a listing of supported CloudHSM CLI key attributes, see Key attributes for CloudHSM CLI.
Required: Yes
******
Base64 encoded signature.
Required: Yes (unless provided through signature path)
******
Specifies the location of the signature.
Required: Yes (unless provided through signature path)
******
Specifies whether the value of the data parameter should be hashed as part of the signing algorithm. Use `raw` for unhashed data; use `digest` for digests, which are already hashed.
For RSA-PKCS, the data must be passed in DER encoded format as specified in [RFC 8017, Section 9.2](https://www.rfc-editor.org/rfc/rfc8017#section-9.2)
Valid values:
+ raw
+ digest
## Related topics
+ [The crypto sign category in CloudHSM CLI](cloudhsm_cli-crypto-sign.md)
+ [The crypto verify category in CloudHSM CLI](cloudhsm_cli-crypto-verify.md)
# Verify a signature signed with the RSA-PKCS-PSS mechanism in CloudHSM CLI
Use the **crypto sign rsa-pkcs-pss** command in CloudHSM CLI to complete the following operations.
+ Confirm a file has been signed in the HSM by a given public key.
+ Verify the signature was generated using the RSA-PKCS-PSS signing mechanism.
+ Compare a signed file against a source file and determines whether the two are cryptographically related based on a given rsa public key and signing mechanism.
To use the **crypto verify rsa-pkcs-pss** command, you must first have an RSA public key in your AWS CloudHSM cluster. You can import an RSA public key using the key import pem command ADD UNWRAP LINK HERE) with the `verify` attribute set to `true`.
**Note**
You can generate a signature using the CloudHSM CLI with the [The crypto sign category in CloudHSM CLI](cloudhsm_cli-crypto-sign.md) subcommands.
## User type
The following types of users can run this command.
+ Crypto users (CUs)
## Requirements
+ To run this command, you must be logged in as a CU.
## Syntax
```
aws-cloudhsm > help crypto verify rsa-pkcs-pss
Verify with the RSA-PKCS-PSS mechanism
Usage: crypto verify rsa-pkcs-pss --key-filter [...] --hash-function --mgf --salt-length >SALT_LENGTH< <--data-path |--data <--signature-path |--signature >
Options:
--cluster-id
Unique Id to choose which of the clusters in the config file to run the operation against. If not provided, will fall back to the value provided when interactive mode was started, or error
--key-filter [...]
Key reference (e.g. key-reference=0xabc) or space separated list of key attributes in the form of attr.KEY_ATTRIBUTE_NAME=KEY_ATTRIBUTE_VALUE to select a matching key
--hash-function
[possible values: sha1, sha224, sha256, sha384, sha512]
--data-path
The path to the file containing the data to be verified
--data
Base64 encoded data to be verified
--signature-path
The path to where the signature is located
--signature
Base64 encoded signature to be verified
--data-type
The type of data passed in, either raw or digest [possible values: raw, digest]
--mgf
The mask generation function [possible values: mgf1-sha1, mgf1-sha224, mgf1-sha256, mgf1-sha384, mgf1-sha512]
--salt-length
The salt length
-h, --help
Print help
```
## Example
These examples show how to use **crypto verify rsa-pkcs-pss** to verify a signature that was generated using the RSA-PKCS-PSS signing mechanism and `SHA256` hash function. This command uses a public key in the HSM.
**Example: Verify a Base64 encoded signature with Base64 encoded data**
```
aws-cloudhsm > crypto verify rsa-pkcs-pss --key-filter attr.label=rsa-public --hash-function sha256 --data YWJjMTIz --salt-length 10 --mgf mgf1-sha256 --signature H/z1rYVMzNAa31K4amE5MTiwGxDdCTgQXCJXRBKVOVm7ZuyI0fGE4sT/BUN+977mQEV2TqtWpTsiF2IpwGM1VfSBRt7h/g4o6YERm1tTQLl7q+AJ7uGGK37zCsWQrAo7Vy8NzPShxekePo/ZegrB1aHWN1fE8H3IPUKqLuMDI9o1Jq6kM986ExS7YmeOIclcZkyykTWqHLQVL2C3+A2bHJZBqRcM5XoIpk8HkPypjpN+m4FNUds30GAemoOMl6asSrEJSthaZWV53OBsDOqzA8Rt8JdhXS+GZp3vNLdL1OTBELDPweXVgAu4dBX0FOvpw/gg6sNvuaDK4YOBv2fqKg==
{
"error_code": 0,
"data": {
"message": "Signature verified successfully"
}
}
```
**Example: Verify a signature file with a data file**
```
aws-cloudhsm > crypto verify rsa-pkcs-pss --key-filter attr.label=rsa-public --hash-function sha256 --data-path data.txt --salt-length 10 --mgf mgf1-sha256 --signature signature-file
{
"error_code": 0,
"data": {
"message": "Signature verified successfully"
}
}
```
**Example: Prove false signing relationship**
This command verifies whether the invalid data was signed by a public key with the label `rsa-public` using the RSAPKCSPSS signing mechanism to produce the signature located in `/home/signature`. Because the given arguments do not make up a true signing relationship, the command returns an error message.
```
aws-cloudhsm > crypto verify rsa-pkcs-pss --key-filter attr.label=rsa-public --hash-function sha256 --data aW52YWxpZA== --salt-length 10 --mgf mgf1-sha256 --signature H/z1rYVMzNAa31K4amE5MTiwGxDdCTgQXCJXRBKVOVm7ZuyI0fGE4sT/BUN+977mQEV2TqtWpTsiF2IpwGM1VfSBRt7h/g4o6YERm1tTQLl7q+AJ7uGGK37zCsWQrAo7Vy8NzPShxekePo/ZegrB1aHWN1fE8H3IPUKqLuMDI9o1Jq6kM986ExS7YmeOIclcZkyykTWqHLQVL2C3+A2bHJZBqRcM5XoIpk8HkPypjpN+m4FNUds30GAemoOMl6asSrEJSthaZWV53OBsDOqzA8Rt8JdhXS+GZp3vNLdL1OTBELDPweXVgAu4dBX0FOvpw/gg6sNvuaDK4YOBv2fqKg==
{
"error_code": 1,
"data": "Signature verification failed"
}
```
## Arguments
******
The ID of the cluster to run this operation on.
Required: If multiple clusters have been [configured.](cloudhsm_cli-configs-multi-cluster.md)
******
Base64 encoded data to be signed.
Required: Yes (unless provided through data path)
******
Specifies the location of the data to be signed.
Required: Yes (unless provided through data path)
******
Specifies the hash function.
Valid values:
+ sha1
+ sha224
+ sha256
+ sha384
+ sha512
Required: Yes
******
Key reference (for example, `key-reference=0xabc`) or space separated list of key attributes in the form of `attr.KEY_ATTRIBUTE_NAME=KEY_ATTRIBUTE_VALUE` to select a matching key.
For a listing of supported CloudHSM CLI key attributes, see Key attributes for CloudHSM CLI.
Required: Yes
******
Specifies the mask generation function.
The mask generation function hash function must match the signing mechanism hash function.
Valid values:
+ mgf1-sha1
+ mgf1-sha224
+ mgf1-sha256
+ mgf1-sha384
+ mgf1-sha512
Required: Yes
******
Base64 encoded signature.
Required: Yes (unless provided through signature path)
******
Specifies the location of the signature.
Required: Yes (unless provided through signature path)
******
Specifies whether the value of the data parameter should be hashed as part of the signing algorithm. Use `raw` for unhashed data; use `digest` for digests, which are already hashed.
Valid values:
+ raw
+ digest
## Related topics
+ [The crypto sign category in CloudHSM CLI](cloudhsm_cli-crypto-sign.md)
+ [The crypto verify category in CloudHSM CLI](cloudhsm_cli-crypto-verify.md)
# The key category in CloudHSM CLI
In the CloudHSM CLI, **key** is a parent category for a group of commands that, when combined with the parent category, create a command specific to keys. Currently, this category consists of the following commands:
+ [delete](cloudhsm_cli-key-delete.md)
+ [generate-file](cloudhsm_cli-key-generate-file.md)
+ [key generate-asymmetric-pair](cloudhsm_cli-key-generate-asymmetric-pair.md)
+ [key generate-asymmetric-pair rsa](cloudhsm_cli-key-generate-asymmetric-pair-rsa.md)
+ [key generate-asymmetric-pair ec](cloudhsm_cli-key-generate-asymmetric-pair-ec.md)
+ [key generate-symmetric](cloudhsm_cli-key-generate-symmetric.md)
+ [key generate-symmetric aes](cloudhsm_cli-key-generate-symmetric-aes.md)
+ [key generate-symmetric generic-secret](cloudhsm_cli-key-generate-symmetric-generic-secret.md)
+ [import pem](cloudhsm_cli-key-import-pem.md)
+ [list](cloudhsm_cli-key-list.md)
+ [replicate](cloudhsm_cli-key-replicate.md)
+ [set-attribute](cloudhsm_cli-key-set-attribute.md)
+ [share](cloudhsm_cli-key-share.md)
+ [unshare](cloudhsm_cli-key-unshare.md)
+ [unwrap](cloudhsm_cli-key-unwrap.md)
+ [wrap](cloudhsm_cli-key-wrap.md)
# Delete a key with CloudHSM CLI
Use the **key delete** command in CloudHSM CLI to delete a key from an AWS CloudHSM cluster. You can only delete one key at a time. Deleting one key in a key pair has no effect on the other key in the pair.
Only the CU who created the key and consequently owns it can delete the key. Users who share the key, but do not own it, can use the key in cryptographic operations, but can not delete it.
## User type
The following types of users can run this command.
+ Crypto users (CUs)
## Requirements
+ To run this command, you must be logged in as a CU.
## Syntax
```
aws-cloudhsm > help key delete
Delete a key in the HSM cluster
Usage: key delete [OPTIONS] --filter [...]
Options:
--cluster-id Unique Id to choose which of the clusters in the config file to run the operation against. If not provided, will fall back to the value provided when interactive mode was started, or error
--filter [