Trusted key attributes in AWS CloudHSM

The following attributes allow you to mark an AWS CloudHSM key as trusted, specify that a data key can only be wrapped and unwrapped with a trusted key, and control what a data key can do after it is unwrapped:

  • CKA_TRUSTED: Apply this attribute (in addition to CKA_UNWRAP_TEMPLATE) to the key that will wrap data keys to specify that an admin or crypto officer (CO) has done the necessary diligence and trusts this key. Only an admin or CO can set CKA_TRUSTED. The crypto user (CU) owns the key, but only a CO can set its CKA_TRUSTED attribute.

  • CKA_WRAP_WITH_TRUSTED: Apply this attribute to an exportable data key to specify that you can only wrap this key with keys marked as CKA_TRUSTED. Once you set CKA_WRAP_WITH_TRUSTED to true, the attribute becomes read-only and you cannot change or remove the attribute.

  • CKA_UNWRAP_TEMPLATE: Apply this attribute to the wrapping key (in addition to CKA_TRUSTED) to specify which attribute names and values the service must automatically apply to data keys that the service unwraps. When an application submits a key for unwrapping, the application can also provide its own unwrap template. If you specify an unwrap template and the application provides its own unwrap template, the HSM uses both templates to apply attribute names and values to the key. However, if a value in the CKA_UNWRAP_TEMPLATE for the wrapping key conflicts with an attribute provided by the application during the unwrap request, then the unwrap request fails.
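The following is an added, constructed model of the policy the three attributes enforce (it is not CloudHSM or PKCS#11 code, and the role names, `Key` class and `PolicyError` are assumptions for illustration): only a CO may set CKA_TRUSTED, CKA_WRAP_WITH_TRUSTED becomes read-only once true, a data key carrying it can only be wrapped by a CKA_TRUSTED key, and on unwrap the wrapping key's CKA_UNWRAP_TEMPLATE is merged with the application's template, failing on any conflicting value.

```python
# Constructed model of the AWS CloudHSM trusted-key rules; not HSM client code.
CO, CU = "crypto-officer", "crypto-user"   # assumed role labels


class PolicyError(Exception):
    """Raised when a request violates one of the trusted-key rules."""


class Key:
    def __init__(self, label, attrs):
        self.label = label
        self.attrs = dict(attrs)
        # CKA_WRAP_WITH_TRUSTED=true is permanent once set.
        self._wwt_locked = bool(self.attrs.get("CKA_WRAP_WITH_TRUSTED"))

    def set_attr(self, role, name, value):
        if name == "CKA_TRUSTED" and role != CO:
            raise PolicyError("only an admin or CO can set CKA_TRUSTED")
        if name == "CKA_WRAP_WITH_TRUSTED" and self._wwt_locked:
            raise PolicyError("CKA_WRAP_WITH_TRUSTED is read-only once true")
        self.attrs[name] = value
        if name == "CKA_WRAP_WITH_TRUSTED" and value:
            self._wwt_locked = True


def wrap(data_key, wrapping_key):
    """A CKA_WRAP_WITH_TRUSTED data key may only leave under a CKA_TRUSTED key."""
    if data_key.attrs.get("CKA_WRAP_WITH_TRUSTED") and not wrapping_key.attrs.get("CKA_TRUSTED"):
        raise PolicyError(f"{data_key.label} requires a CKA_TRUSTED wrapping key")
    return {"wrapped_by": wrapping_key.label, "data": data_key.label}


def unwrap(wrapping_key, blob, app_template=None):
    """Apply the wrapping key's CKA_UNWRAP_TEMPLATE plus the app's template; conflicts fail."""
    hsm_template = wrapping_key.attrs.get("CKA_UNWRAP_TEMPLATE", {})
    merged = dict(hsm_template)
    for name, value in (app_template or {}).items():
        if name in hsm_template and hsm_template[name] != value:
            raise PolicyError(f"unwrap template conflict on {name}")
        merged[name] = value
    return Key(blob["data"], merged)


def is_denied(action):
    """Return True if the callable is rejected by the policy model."""
    try:
        action()
        return False
    except PolicyError:
        return True
```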

For more information about attributes, refer to the following topics: