Use the exSymKey command in the key_mgmt_tool to export a plaintext copy of a symmetric key from the Hardware Security Module (HSM) and save it to a file.
Access control: Only the key's owner — the Crypto User (CU) who created it — can export the key. CU users with shared key access can use the key for encryption but cannot export it.
Use case: Combine exSymKey with imSymKey to back up or migrate symmetric keys between HSMs.
Encrypted export: To export a key in encrypted form without decrypting it locally, use wrapKey instead.
Prerequisites
Before you begin, ensure that you have:
Started key_mgmt_tool
Logged in to the HSM as a Crypto User (CU)
Syntax
exSymKey -k <key-to-export>
-w <wrapping-key>
-out <key-file>
[-m 4]
[-wk <unwrapping-key-file>]
Enter parameters in the order shown in the syntax.
Parameters
| Parameter | Description | Required | Valid values |
|---|---|---|---|
| -k | Handle of the symmetric key to export. To find key handles, use findKey. | Yes | Key handle integer |
| -w | Handle of the key used to encrypt the exported key. To find key handles, use findKey. | Yes | Key handle integer |
| -out | Path and filename for the exported key file. | Yes | Any valid file path |
| -m | Encryption mechanism used during export. | No | 4 (NIST_AES_WRAP) |
| -wk | Path to the AES key file used for decryption. | No | Defaults to the key specified by -w |
Example
The following command exports the symmetric key with handle 9, using the key with handle 6 as the wrapping key, and writes the plaintext key to /tmp/aes.key.
Command: exSymKey -k 9 -w 6 -out /tmp/aes.key
Cfm3ExportWrapKeyWithMech returned: 0x00 : HSM Return: SUCCESS
Cfm3ExportUnwrapKeyWithMech returned: 0x00 : HSM Return: SUCCESS
Exported Symmetric Key written to file "/tmp/aes.key"
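The example above leaves a plaintext key in a file under /tmp. The following shell functions are an added example, not part of the vendor tool or its documentation: they create an owner-only directory to use for -out and check the exported file's type, permissions and size. The function names are hypothetical, and the check assumes the file holds the raw key bytes.

```shell
#!/bin/sh
# Added example (not part of the vendor tool): hygiene checks for the
# plaintext key file that exSymKey writes.
# Assumption: the file holds raw key bytes, so an AES key is 16, 24 or 32 bytes.

# Create an owner-only directory to pass to -out instead of writing into /tmp directly.
make_export_dir() {
    ( umask 077 && mktemp -d "${TMPDIR:-/tmp}/hsm-export.XXXXXX" )
}

# Returns 0 if the file passes, 1 if it is a symlink or not a regular file,
# 2 if group or other have any access, 3 if the size is not an AES key length.
check_exported_key() {
    f=$1
    if [ -L "$f" ] || [ ! -f "$f" ]; then
        echo "FAIL: $f is a symlink or not a regular file"; return 1
    fi
    # Characters 5-10 of the ls mode string are the group and other bits.
    perms=$(ls -ld "$f" | cut -c5-10)
    if [ "$perms" != "------" ]; then
        echo "FAIL: $f is accessible to group or other ($perms)"; return 2
    fi
    size=$(wc -c < "$f" | tr -d '[:space:]')
    case "$size" in
        16|24|32) echo "OK: $f is owner-only, $size bytes"; return 0 ;;
        *) echo "FAIL: $f is $size bytes, not an AES key length"; return 3 ;;
    esac
}

# Demo on a constructed 32-byte stand-in for an exported key (not a real key).
demo_dir=$(make_export_dir)
( umask 077 && printf '%032d' 0 > "$demo_dir/aes.key" )
check_exported_key "$demo_dir/aes.key"
rm -rf "$demo_dir"
```

Run the check immediately after the export, and delete the plaintext file once imSymKey has imported the key on the destination HSM.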