Reference for AWS CloudHSM Key Management Utility commands

The key_mgmt_util command line tool helps you to manage keys in the hardware security modules (HSM) in your AWS CloudHSM cluster, including creating, deleting, and finding keys and their attributes. It includes multiple commands, each of which is described in detail in this topic.

For a quick start, see Getting started with AWS CloudHSM key_mgmt_util. For help interpreting the key attributes, see the AWS CloudHSM key attribute reference for KMU. For information about the cloudhsm_mgmt_util command line tool, which includes commands to manage the HSM and users in your cluster, see AWS CloudHSM Management Utility (CMU).

Before you run any key_mgmt_util command, you must start key_mgmt_util and log in to the HSM as a crypto user (CU).

To list all key_mgmt_util commands, type:


Command: help

To get help for a particular key_mgmt_util command, type:


Command: <command-name> -h

To end your key_mgmt_util session, type:


Command: exit

The following topics describe commands in key_mgmt_util.

Note

Some commands in key_mgmt_util and cloudhsm_mgmt_util have the same names. However, the commands typically have different syntax, different output, and slightly different functionality.

Command	Description
aesWrapUnwrap	Encrypts and decrypts the contents of a key in a file.
deleteKey	Deletes a key from the HSMs.
Error2String	Gets the error that corresponds to a key_mgmt_util hexadecimal error code.
exit	Exits the key_mgmt_util.
exportPrivateKey	Exports a copy of a private key from an HSM to a file on disk.
exportPubKey	Exports a copy of a public key from an HSM to a file.
exSymKey	Exports a plaintext copy of a symmetric key from the HSMs to a file.
extractMaskedObject	Extracts a key from an HSM as a masked object file.
findKey	Search for keys by key attribute value.
findSingleKey	Verifies that a key exists on all HSMs in the cluster.
genDSAKeyPair	Generates a Digital Signing Algorithm (DSA) key pair in your HSMs.
genECCKeyPair	Generates an Elliptic Curve Cryptography (ECC) key pair in your HSMs.
genRSAKeyPair	Generates an RSA asymmetric key pair in your HSMs.
genSymKey	Generates a symmetric key in your HSMs
getAttribute	Gets the attribute values for an AWS CloudHSM key and writes them to a file.
getCaviumPrivKey	Creates a fake PEM-format version of a private key and exports it to a file.
getCert	Retrieves an HSM's partitions certificates and saves them to a file.
getKeyInfo	Gets the HSM user IDs of users who can use the key. If the key is quorum controlled, it gets the number of users in the quorum.
help	Displays help information about the commands available in key_mgmt_util.
importPrivateKey	Imports a private key into an HSM.
importPubKey	Imports a public key into an HSM.
imSymKey	Imports a plaintext copy of a symmetric key from a file into the HSM.
insertMaskedObject	Inserts a masked object from a file on disk into an HSM contained by related cluster to the object's origin cluster. Related clusters are any clusters generated from a backup of the origin cluster.
Validate key file using AWS CloudHSM KMU	Determines whether or not a given file contains a real private key or a fake PEM key.
listAttributes	Lists the attributes of an AWS CloudHSM key and the constants that represent them.
listUsers	Gets the users in the HSMs, their user type and ID, and other attributes.
loginHSM and logoutHSM	Log in and out of the HSMs in a cluster.
setAttribute	Converts a session key to a persistent key.
sign	Generate a signature for a file using a chosen private key.
unWrapKey	Imports a wrapped (encrypted) key from a file into the HSMs.
verify	Verifies whether a given key was used to sign a given file.
wrapKey	Exports an encrypted copy of a key from the HSM to a file.

Warning Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Document Conventions

Install the client (Windows)

aesWrapUnwrap