To use a trusted key to wrap a data key in AWS CloudHSM, you must complete three basic steps:

1. For the data key you plan to wrap with a trusted key, set its CKA_WRAP_WITH_TRUSTED attribute to true.
2. For the trusted key you plan to wrap the data key with, set its CKA_TRUSTED attribute to true.
3. Use the trusted key to wrap the data key.
Step 1: Set the data key's CKA_WRAP_WITH_TRUSTED to true

For the data key you want to wrap, choose one of the following options to set the key's CKA_WRAP_WITH_TRUSTED attribute to true. Doing this restricts the data key so applications can only use trusted keys to wrap it.
Option 1: If generating a new key, set CKA_WRAP_WITH_TRUSTED to true

Generate a key using PKCS #11, JCE, or CloudHSM CLI. See the following examples for more details.
To generate a key with PKCS #11, you need to set the key's CKA_WRAP_WITH_TRUSTED attribute to true. As shown in the following example, do this by including the attribute in the key's CK_ATTRIBUTE template and setting its value to CK_TRUE:

```c
CK_BBOOL true_val = CK_TRUE;              /* value pointed to by the template entry */
CK_BYTE label[] = "test_key";             /* array, not CK_BYTE_PTR, so strlen() has valid storage */
CK_ATTRIBUTE template[] = {
    {CKA_WRAP_WITH_TRUSTED, &true_val, sizeof(CK_BBOOL)},  /* only trusted keys may wrap this key */
    {CKA_LABEL, label, strlen((char *)label)},
    /* ... remaining key attributes ... */
};
```
For more information, see our public samples demonstrating key generation with PKCS #11.
Option 2: If using an existing key, use CloudHSM CLI to set its CKA_WRAP_WITH_TRUSTED to true

To set an existing key's CKA_WRAP_WITH_TRUSTED attribute to true, follow these steps:
1. Use the Log in to an HSM using CloudHSM CLI command to log in as a crypto user (CU).
2. Use the Set the attributes of keys with CloudHSM CLI command to set the key's wrap-with-trusted attribute to true:

```
aws-cloudhsm > key set-attribute --filter attr.label=test_key --name wrap-with-trusted --value true
{
  "error_code": 0,
  "data": {
    "message": "Attribute set successfully"
  }
}
```
Step 2: Set the trusted key's CKA_TRUSTED to true

To make a key a trusted key, its CKA_TRUSTED attribute must be set to true. You can use either CloudHSM CLI or the CloudHSM Management Utility (CMU) to do this.

- If using CloudHSM CLI to set a key's CKA_TRUSTED attribute, see Mark a key as trusted using CloudHSM CLI.
- If using the CMU to set a key's CKA_TRUSTED attribute, see How to mark a key as trusted with the AWS CloudHSM Management Utility.
Step 3. Use the trusted key to wrap the data key

To wrap the data key referenced in Step 1 with the trusted key you set in Step 2, refer to the following links for code samples. Each demonstrates how to wrap keys.
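The following is an added example, not AWS CloudHSM code, tying the three steps together on the PKCS #11 side. It builds the full generation template for a data key carrying CKA_WRAP_WITH_TRUSTED (Step 1), the templates of two candidate wrapping keys that differ only in CKA_TRUSTED (Step 2), and a host-side model of the rule the HSM enforces at C_WrapKey time (Step 3): a key marked CKA_WRAP_WITH_TRUSTED may only be wrapped by a key whose CKA_TRUSTED is true. So that it compiles without an HSM, the few PKCS #11 types and constants it uses are defined inline with their standard values; real code includes the vendor's pkcs11.h (cryptoki.h in the AWS samples) and passes these templates to C_GenerateKey and C_WrapKey. The wrapping-key label and the CKA_TRUSTED entries in the wrapping-key templates are constructed for the model; on CloudHSM, CKA_TRUSTED is set after generation with CloudHSM CLI or the CMU, as in Step 2, not in the generation template.

```c
/* Added example, not AWS CloudHSM code. Minimal PKCS #11 definitions with the
 * standard values, so this compiles without a vendor header or an HSM. */
#include <stddef.h>
#include <stdio.h>

typedef unsigned long CK_ULONG;
typedef unsigned char CK_BBOOL;
typedef unsigned char CK_UTF8CHAR;
typedef CK_ULONG      CK_ATTRIBUTE_TYPE;
typedef struct { CK_ATTRIBUTE_TYPE type; void *pValue; CK_ULONG ulValueLen; } CK_ATTRIBUTE;

#define CK_TRUE  1
#define CK_FALSE 0
#define CKA_CLASS             0x0000UL
#define CKA_TOKEN             0x0001UL
#define CKA_LABEL             0x0003UL
#define CKA_TRUSTED           0x0086UL
#define CKA_KEY_TYPE          0x0100UL
#define CKA_WRAP              0x0106UL
#define CKA_VALUE_LEN         0x0161UL
#define CKA_EXTRACTABLE       0x0162UL
#define CKA_WRAP_WITH_TRUSTED 0x0210UL
#define CKO_SECRET_KEY        0x0004UL
#define CKK_AES               0x001FUL

/* Values referenced by the templates must outlive them, so keep them static. */
static CK_BBOOL    bool_true    = CK_TRUE;
static CK_BBOOL    bool_false   = CK_FALSE;
static CK_ULONG    secret_key   = CKO_SECRET_KEY;
static CK_ULONG    aes_type     = CKK_AES;
static CK_ULONG    aes256_bytes = 32;
static CK_UTF8CHAR data_label[] = "test_key";      /* label used on the page */
static CK_UTF8CHAR kek_label[]  = "wrapping_key";  /* constructed label */

#define NATTR(t) (sizeof(t) / sizeof((t)[0]))

/* Step 1: data key template. Extractable so it can be wrapped at all, but
 * CKA_WRAP_WITH_TRUSTED restricts the wrapping key to trusted keys only. */
static CK_ATTRIBUTE data_key_tmpl[] = {
    {CKA_CLASS,             &secret_key,   sizeof secret_key},
    {CKA_KEY_TYPE,          &aes_type,     sizeof aes_type},
    {CKA_VALUE_LEN,         &aes256_bytes, sizeof aes256_bytes},
    {CKA_TOKEN,             &bool_true,    sizeof(CK_BBOOL)},
    {CKA_EXTRACTABLE,       &bool_true,    sizeof(CK_BBOOL)},
    {CKA_WRAP_WITH_TRUSTED, &bool_true,    sizeof(CK_BBOOL)},
    {CKA_LABEL,             data_label,    sizeof data_label - 1},
};

/* Step 2: two wrapping keys, identical except for CKA_TRUSTED. The CKA_TRUSTED
 * entry models the state the CLI/CMU sets later; it is not part of generation. */
static CK_ATTRIBUTE untrusted_kek_tmpl[] = {
    {CKA_CLASS,    &secret_key, sizeof secret_key},
    {CKA_KEY_TYPE, &aes_type,   sizeof aes_type},
    {CKA_WRAP,     &bool_true,  sizeof(CK_BBOOL)},
    {CKA_TRUSTED,  &bool_false, sizeof(CK_BBOOL)},
    {CKA_LABEL,    kek_label,   sizeof kek_label - 1},
};
static CK_ATTRIBUTE trusted_kek_tmpl[] = {
    {CKA_CLASS,    &secret_key, sizeof secret_key},
    {CKA_KEY_TYPE, &aes_type,   sizeof aes_type},
    {CKA_WRAP,     &bool_true,  sizeof(CK_BBOOL)},
    {CKA_TRUSTED,  &bool_true,  sizeof(CK_BBOOL)},
    {CKA_LABEL,    kek_label,   sizeof kek_label - 1},
};

/* Read a boolean attribute from a template; an absent attribute counts as false. */
CK_BBOOL template_bool(const CK_ATTRIBUTE *tmpl, CK_ULONG n, CK_ATTRIBUTE_TYPE type)
{
    for (CK_ULONG i = 0; i < n; i++)
        if (tmpl[i].type == type && tmpl[i].ulValueLen == sizeof(CK_BBOOL))
            return *(const CK_BBOOL *)tmpl[i].pValue;
    return CK_FALSE;
}

/* Step 3, modelled on the host: the check the HSM applies before C_WrapKey
 * succeeds. The wrapping key must be allowed to wrap, and if the data key is
 * CKA_WRAP_WITH_TRUSTED the wrapping key must also be CKA_TRUSTED. Returns 1/0. */
int wrap_permitted(const CK_ATTRIBUTE *data, CK_ULONG dn, const CK_ATTRIBUTE *kek, CK_ULONG kn)
{
    if (!template_bool(kek, kn, CKA_WRAP))
        return 0;
    if (template_bool(data, dn, CKA_WRAP_WITH_TRUSTED) && !template_bool(kek, kn, CKA_TRUSTED))
        return 0;
    return 1;
}

int data_key_requires_trusted_wrapper(void)
{
    return template_bool(data_key_tmpl, NATTR(data_key_tmpl), CKA_WRAP_WITH_TRUSTED) == CK_TRUE;
}
int wrap_with_untrusted_key(void)
{
    return wrap_permitted(data_key_tmpl, NATTR(data_key_tmpl), untrusted_kek_tmpl, NATTR(untrusted_kek_tmpl));
}
int wrap_with_trusted_key(void)
{
    return wrap_permitted(data_key_tmpl, NATTR(data_key_tmpl), trusted_kek_tmpl, NATTR(trusted_kek_tmpl));
}

int main(void)
{
    printf("data key requires trusted wrapper: %d\n", data_key_requires_trusted_wrapper());
    printf("wrap with untrusted key permitted: %d\n", wrap_with_untrusted_key());
    printf("wrap with trusted key permitted:   %d\n", wrap_with_trusted_key());
    return 0;
}
```

The model is deliberately conservative: an attribute missing from a template is treated as false, so a data key generated from a template that forgot CKA_WRAP_WITH_TRUSTED is reported as wrappable by any key, which is exactly the misconfiguration Step 1 exists to prevent. The HSM itself makes the authoritative decision; the predicate is useful as a pre-flight check or a unit test of the templates an application builds.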