Key Management Service:exportPrivateKey

Last Updated:Nov 14, 2024

This topic describes how to use the exportPrivateKey command of key_mgmt_tool to export a private key from an HSM.

Feature description

  • The exportPrivateKey command exports an asymmetric private key from the HSM to a file. The key remains in the HSM, its attributes are unchanged, and cryptographic operations that use it are not affected.

  • A private key can be exported only if its OBJ_ATTR_EXTRACTABLE (is exportable) attribute is set to 1. Use the getAttribute command to check key attributes. For details on key attributes, see key property constants.

  • The HSM never releases a key in plaintext. The private key leaves the HSM wrapped (encrypted) with the AES wrapping key given by -w; key_mgmt_tool then unwraps it on the client, using the same AES key or the key file given by -wk, and writes the result in PEM format. The file named by -out therefore contains the private key in plaintext PEM form: restrict its permissions and store it as you would any other private key.

  • Used together with the importPrivateKey command, exportPrivateKey lets you back up a private key or migrate it to another HSM.

Important

Before you run this command, start key_mgmt_tool and log on to the HSM with a CU (crypto user) identity.

Syntax

Enter the parameters in the order shown below. For descriptions of the parameters, see Parameters.

exportPrivateKey -k <private-key-handle>
                 -w <wrapping-key-handle>
                 -out <key-file>
                 [-m <wrapping-mechanism>]
                 [-wk <wrapping-key-file>]

Important

Parameters must be entered in the order shown in the syntax.

Example

The following example exports the private key with handle 8, wraps it with the AES key with handle 6, and writes the unwrapped key in PEM format to /tmp/exportKey.pem.

Command:  exportPrivateKey -k 8 -w 6 -out /tmp/exportKey.pem

        Cfm3ExportWrapKeyWithMech returned: 0x00 : HSM Return: SUCCESS

        Cfm3ExportUnwrapKeyWithMech returned: 0x00 : HSM Return: SUCCESS

PEM formatted private key is written to /tmp/exportKey.pem

The first line reports that the HSM wrapped the key with the AES wrapping key; the second reports that the tool unwrapped it on the client before writing the PEM file. If either call returns a non-zero HSM code, no usable key file is produced.

Parameters

-k
    Description: Handle of the private key to export.
    Required: Yes
    Valid values: Use findKey to find the key handle.

-w
    Description: Handle of the AES wrapping key used to encrypt the private key while it is exported from the HSM.
    Required: Yes
    Valid values: Use findKey to find the key handle.

-out
    Description: Path and file name of the file that the exported private key is written to.
    Required: Yes
    Valid values: No specific requirements.

-m
    Description: Wrapping mechanism used to encrypt the exported private key.
    Required: No
    Valid values: 4 (NIST_AES_WRAP)

-wk
    Description: Path and file name of a file containing the AES key used to unwrap (decrypt) the exported private key on the client.
    Required: No
    Valid values: Defaults to the wrapping key specified by -w.
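Because the file written by -out holds the private key in clear PEM form once the tool has unwrapped it, the step a practitioner wants right after the export above is a hygiene check on that file. The following script is an added example and is not part of key_mgmt_tool or of this page; the helper names (check_pem_envelope, lock_down_key_file, verify_key_with_openssl, secure_exported_key) are this example's own, and the openssl parse step is optional and skipped when openssl is not installed.

```shell
#!/bin/sh
# Added example, not key_mgmt_tool code: post-export hygiene for the PEM file
# that "exportPrivateKey -out <key-file>" leaves on the client. Helper names
# below are this example's own inventions.

# check_pem_envelope FILE
# Returns 0 when FILE carries a PEM private-key header and footer: PKCS#8
# "PRIVATE KEY" or the legacy "RSA PRIVATE KEY" / "EC PRIVATE KEY" labels.
check_pem_envelope() {
    f=$1
    [ -f "$f" ] || return 1
    grep -Eq '^-----BEGIN (RSA |EC )?PRIVATE KEY-----$' "$f" || return 1
    grep -Eq '^-----END (RSA |EC )?PRIVATE KEY-----$' "$f"   || return 1
}

# lock_down_key_file FILE
# Restricts FILE to owner read/write only (0600) and confirms the mode took
# effect; "find -perm 600" matches only an exact mode of 0600.
lock_down_key_file() {
    f=$1
    chmod 600 "$f" || return 1
    [ -n "$(find "$f" -perm 600 2>/dev/null)" ]
}

# verify_key_with_openssl FILE
# Parses FILE with openssl to confirm the unwrap produced a well-formed key.
# Returns 0 without checking when openssl is absent, since the two checks
# above do not depend on it. Newer OpenSSL also accepts "-check" here to
# test key-pair consistency.
verify_key_with_openssl() {
    f=$1
    if ! command -v openssl >/dev/null 2>&1; then
        echo "openssl not found, skipping parse check" >&2
        return 0
    fi
    openssl pkey -in "$f" -noout >/dev/null 2>&1
}

# secure_exported_key FILE
# Runs the three checks in order and returns 0 only if all of them pass.
secure_exported_key() {
    f=$1
    check_pem_envelope "$f"      || { echo "$f: not a PEM private key" >&2; return 1; }
    lock_down_key_file "$f"      || { echo "$f: could not restrict permissions" >&2; return 1; }
    verify_key_with_openssl "$f" || { echo "$f: openssl could not parse the key" >&2; return 1; }
}

# Usage after the page's example export (handle 8 wrapped with handle 6):
#   exportPrivateKey -k 8 -w 6 -out /tmp/exportKey.pem   (inside key_mgmt_tool)
#   sh secure_exported_key.sh /tmp/exportKey.pem         (then from the shell)
if [ $# -eq 1 ]; then
    secure_exported_key "$1" && echo "$1 checked and locked down"
fi
```

Run it on the file immediately after the tool reports "PEM formatted private key is written"; if the envelope check fails, the export did not complete and the file should be discarded rather than kept.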