This topic explains the process of using the exportPrivateKey command to export a private key from HSM.
Feature description
The exportPrivateKey command allows for the export of an asymmetric private key from HSM into a file without deleting the key, altering its properties, or impacting encryption operations.
Private keys can only be exported if they have the OBJ_ATTR_EXTRACTABLE (is exportable) property value set to 1. To review key properties, utilize the getAttribute command. For further details on key properties, refer to key property constants.
Keys cannot be exported in plaintext from HSM; thus, the exported private key must be encrypted using AES.
The exportPrivateKey command, used together with the importPrivateKey command, facilitates the backup or migration of a private key.
Ensure you have initiated the key_mgmt_tool and logged on to HSM with a CU identity before executing this command.
Syntax
Enter the parameters as per the syntax provided below. For descriptions of the parameters, see parameters.
exportPrivateKey -k <private-key-handle>
                 -w <wrapping-key-handle>
                 -out <key-file>
                 [-m <wrapping-mechanism>]
                 [-wk <wrapping-key-file>]
Parameters must be entered in the sequence outlined in the syntax.
Example
The example below exports the private key with handle 8, encrypts it with the AES key with handle 6, and saves the result in the file /tmp/exportKey.pem.
Command: exportPrivateKey -k 8 -w 6 -out /tmp/exportKey.pem
Cfm3ExportWrapKeyWithMech returned: 0x00 : HSM Return: SUCCESS
Cfm3ExportUnwrapKeyWithMech returned: 0x00 : HSM Return: SUCCESS
PEM formatted private key is written to /tmp/exportKey.pem
Parameters
| Parameter Name | Description | Required | Valid Values |
| --- | --- | --- | --- |
| -k | Specifies the handle of the private key to be exported. | Yes | Use findKey to locate the key handle. |
| -w | Specifies the handle of the AES key used to encrypt (wrap) the exported private key. | Yes | Use findKey to locate the key handle. |
| -out | Specifies the file name for the exported private key. | Yes | No specific requirements |
| -m | Specifies the encryption (wrapping) mechanism for the exported private key. | No | 4 (NIST_AES_WRAP) |
| -wk | Specifies the AES key file, including path and file name, used to decrypt the exported private key. | No | Defaults to the encryption key specified by -w |