How to use trusted keys to wrap data keys in AWS CloudHSM
To use a trusted key to wrap a data key in AWS CloudHSM, you must complete three basic steps:
1. For the data key you plan to wrap with a trusted key, set its CKA_WRAP_WITH_TRUSTED attribute to true.
2. For the trusted key you plan to wrap the data key with, set its CKA_TRUSTED attribute to true.
3. Use the trusted key to wrap the data key.
Step 1: Set the data key's CKA_WRAP_WITH_TRUSTED to true
For the data key you want to wrap, choose one of the following options to set the key's CKA_WRAP_WITH_TRUSTED attribute to true. Doing this restricts the data key so applications can only use trusted keys to wrap it.
Option 1: If generating a new key, set CKA_WRAP_WITH_TRUSTED to true
Generate a key using PKCS #11, JCE, or CloudHSM CLI, setting the attribute when the key is created. See the following examples for more details.
Option 2: If using an existing key, use CloudHSM CLI to set its CKA_WRAP_WITH_TRUSTED to true
To set an existing key's CKA_WRAP_WITH_TRUSTED attribute to true, follow these steps:
1. Use the Log in to an HSM using CloudHSM CLI command to log in as a crypto user (CU).
2. Use the Set the attributes of keys with CloudHSM CLI command to set the key's wrap-with-trusted attribute to true:
aws-cloudhsm > key set-attribute --filter attr.label=test_key --name wrap-with-trusted --value true
{
  "error_code": 0,
  "data": {
    "message": "Attribute set successfully"
  }
}
Step 2: Set the trusted key's CKA_TRUSTED to true
To make a key a trusted key, its CKA_TRUSTED attribute must be set to true. You can use either CloudHSM CLI or the CloudHSM Management Utility (CMU) to do this.
If using CloudHSM CLI to set a key's CKA_TRUSTED attribute, see Mark a key as trusted using CloudHSM CLI.
If using the CMU to set a key's CKA_TRUSTED attribute, see How to mark a key as trusted with the AWS CloudHSM Management Utility.
Step 3: Use the trusted key to wrap the data key
To wrap the data key from Step 1 with the trusted key from Step 2, refer to the following links for code samples. Each demonstrates how to wrap keys.
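The following Python model is an added illustration, not AWS or CloudHSM code: it encodes the PKCS #11 attribute rules the three steps depend on, so you can see which operations the HSM refuses and why (CKA_TRUSTED is settable only by the admin role, CKA_WRAP_WITH_TRUSTED cannot be cleared once true, and a key with CKA_WRAP_WITH_TRUSTED true is wrapped only by a key with CKA_TRUSTED true). The Key class, the role names and the specific CKR_* codes returned are assumptions of the model; it performs no cryptography.

```python
# Constructed model (not AWS code) of the PKCS #11 attribute rules behind the
# three steps above. No cryptography happens here; it only shows which operations
# an HSM refuses and the CKR_* style code the model returns for each.
from dataclasses import dataclass

ADMIN, CU = "admin", "cu"  # assumed role names: crypto officer (SO) and crypto user


@dataclass
class Key:
    label: str
    attrs: dict  # "wrap", "trusted", "wrap-with-trusted" -> bool


def set_attribute(role: str, key: Key, name: str, value: bool) -> str:
    """Model of `key set-attribute`; returns a CKR_* style result code."""
    if name == "trusted" and role != ADMIN:
        # CKA_TRUSTED may only be set by the security officer (admin) role
        return "CKR_ATTRIBUTE_READ_ONLY"
    if name == "wrap-with-trusted" and key.attrs.get(name) and not value:
        # once CKA_WRAP_WITH_TRUSTED is true it becomes read-only
        return "CKR_ATTRIBUTE_READ_ONLY"
    key.attrs[name] = value
    return "CKR_OK"


def wrap_allowed(wrapping: Key, payload: Key) -> str:
    """The checks C_WrapKey makes before it wraps anything."""
    if not wrapping.attrs.get("wrap"):
        return "CKR_KEY_FUNCTION_NOT_PERMITTED"  # wrapping key lacks CKA_WRAP
    if payload.attrs.get("wrap-with-trusted") and not wrapping.attrs.get("trusted"):
        return "CKR_KEY_NOT_WRAPPABLE"  # only a trusted key may wrap this payload
    return "CKR_OK"


def run_steps() -> dict:
    """Walk the three steps from the page and record each check's outcome."""
    data_key = Key("test_key", {"wrap": False, "trusted": False, "wrap-with-trusted": False})
    wrapping_key = Key("wrap_key", {"wrap": True, "trusted": False, "wrap-with-trusted": False})
    out = {}
    out["step1"] = set_attribute(CU, data_key, "wrap-with-trusted", True)  # CU may do this
    # Until step 2 is done, the (untrusted) wrapping key is refused
    out["untrusted_wrap"] = wrap_allowed(wrapping_key, data_key)
    # A CU cannot promote the wrapping key; the admin must
    out["cu_sets_trusted"] = set_attribute(CU, wrapping_key, "trusted", True)
    out["step2"] = set_attribute(ADMIN, wrapping_key, "trusted", True)
    out["step3"] = wrap_allowed(wrapping_key, data_key)  # now permitted
    # The restriction on the data key is sticky and cannot be cleared later
    out["revert"] = set_attribute(ADMIN, data_key, "wrap-with-trusted", False)
    return out
```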