Exports an asymmetric private key from a Hardware Security Module (HSM) to a file without deleting the key, altering its properties, or affecting encryption operations.
Feature description
The key must have the OBJ_ATTR_EXTRACTABLE (is exportable) property set to 1 before it can be exported. To check key properties, use the getAttribute command. For details on key properties, refer to key property constants.

Keys cannot be exported from the HSM in plaintext. The exported private key must be encrypted using AES.
Use exportPrivateKey together with importPrivateKey to back up or migrate a private key.
Start key_mgmt_tool and log on to HSM with a CU identity before running this command.
Syntax
Enter parameters in the order shown below. For parameter descriptions, see Parameters.
exportPrivateKey -k <private-key-handle>
-w <wrapping-key-handle>
-out <key-file>
[-m <wrapping-mechanism>]
[-wk <wrapping-key-file>]

Parameters must be entered in the sequence shown in the syntax.
Example
The following example exports the private key with handle 8, encrypts it using the wrapping key with handle 6, and saves the output to /tmp/exportKey.pem.
Command: exportPrivateKey -k 8 -w 6 -out /tmp/exportKey.pem
Cfm3ExportWrapKeyWithMech returned: 0x00 : HSM Return: SUCCESS
Cfm3ExportUnwrapKeyWithMech returned: 0x00 : HSM Return: SUCCESS
PEM formatted private key is written to /tmp/exportKey.pem

Parameters
| Parameter | Description | Required | Valid values |
|---|---|---|---|
| -k | The handle of the private key to export. To find the key handle, use findKey. | Yes | — |
| -w | The handle of the wrapping key used to encrypt the exported private key. To find the key handle, use findKey. | Yes | — |
| -out | The file name for the exported private key. | Yes | No specific requirements |
| -m | The encryption mechanism for the exported private key. | No | 4 (NIST_AES_WRAP) |
| -wk | The AES key file used to decrypt the exported private key, including the path and file name. Defaults to the encryption key specified by -w. | No | — |
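A small wrapper for scripting this backup step, added here as an example and not code from key_mgmt_tool or this reference: it emits the exportPrivateKey line with parameters in the required order, accepts only the listed -m value, and treats an export as a usable backup only when both Cfm3 steps report return code 0x00 and SUCCESS. The sample tool output is constructed from the example above, and rejecting paths containing whitespace is an assumption about the tool's own prompt.

```python
import re
from typing import Optional

# Only wrapping mechanism the reference lists for -m (NIST AES key wrap).
VALID_MECHANISMS = {4: "NIST_AES_WRAP"}
# Both steps the tool reports must succeed before the file is a usable backup.
REQUIRED_STEPS = ("Cfm3ExportWrapKeyWithMech", "Cfm3ExportUnwrapKeyWithMech")
_STATUS_RE = re.compile(r"^(Cfm3\w+) returned: (0x[0-9A-Fa-f]+) : HSM Return: (\w+)$")


def build_export_command(key_handle: int, wrapping_key_handle: int, out_file: str,
                         mechanism: Optional[int] = None,
                         wrapping_key_file: Optional[str] = None) -> str:
    """Return the exportPrivateKey line with parameters in the order the tool requires."""
    for flag, handle in (("-k", key_handle), ("-w", wrapping_key_handle)):
        if not isinstance(handle, int) or handle <= 0:
            raise ValueError(f"{flag} must be a positive key handle, got {handle!r}")
    # Assumption: key_mgmt_tool has no shell-style quoting, so reject paths with whitespace.
    for flag, path in (("-out", out_file), ("-wk", wrapping_key_file)):
        if path is not None and (not path or any(c.isspace() for c in path)):
            raise ValueError(f"{flag} needs a non-empty path without whitespace")
    if mechanism is not None and mechanism not in VALID_MECHANISMS:
        raise ValueError(f"-m must be one of {sorted(VALID_MECHANISMS)}")
    parts = ["exportPrivateKey", "-k", str(key_handle), "-w", str(wrapping_key_handle),
             "-out", out_file]
    if mechanism is not None:
        parts += ["-m", str(mechanism)]
    if wrapping_key_file is not None:
        parts += ["-wk", wrapping_key_file]
    return " ".join(parts)


def export_succeeded(tool_output: str) -> bool:
    """True only if every required step reported return code 0x00 and HSM status SUCCESS."""
    status_by_step = {}
    for line in tool_output.splitlines():
        match = _STATUS_RE.match(line.strip())
        if match:
            step, code, status = match.groups()
            status_by_step[step] = (int(code, 16) == 0 and status == "SUCCESS")
    return all(status_by_step.get(step, False) for step in REQUIRED_STEPS)


# Constructed sample output modelled on the example in the reference (not a real capture).
SAMPLE_OUTPUT_OK = """Cfm3ExportWrapKeyWithMech returned: 0x00 : HSM Return: SUCCESS
Cfm3ExportUnwrapKeyWithMech returned: 0x00 : HSM Return: SUCCESS
PEM formatted private key is written to /tmp/exportKey.pem"""
# Constructed partial run: the unwrap step never reports SUCCESS, so the file is not trusted.
SAMPLE_OUTPUT_PARTIAL = "Cfm3ExportWrapKeyWithMech returned: 0x00 : HSM Return: SUCCESS\n"
```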