Exports keys from an HSM and saves them as masked objects in a file.
Overview
The extractMaskedObject command exports keys from an HSM—including non-extractable keys (those with OBJ_ATTR_EXTRACTABLE set to 0)—and stores them as masked objects (also known as clone objects) in a specified output file.
Masked objects created by extractMaskedObject can only be re-imported into the originating HSM cluster or its clone using the insertMaskedObject command. This makes the command useful for key duplication across HSMs in the same cluster.
Before running this command, start key_mgmt_tool and log in to the HSM with a CU (Crypto User) identity.
Syntax
extractMaskedObject -o <object-handle> -out <object-file>
Enter the parameters in the order shown in the syntax.
Parameters
| Parameter | Description | Required |
|---|---|---|
| -o | The handle of the key to export as a masked object. To get the key handle, use findKey. | Yes |
| -out | The name of the file to store the masked object. | Yes |
Example
The following command exports the key with handle 9 and saves the masked object to /tmp/masked.obj:
Command: extractMaskedObject -o 9 -out /tmp/masked.obj
Object was masked and written to file "/tmp/masked.obj"
Cfm3ExtractMaskedObject returned: 0x00 : HSM Return: SUCCESS
What's next
insertMaskedObject: Re-import a masked object into an HSM cluster.
findKey: Locate the key handle needed for the -o parameter.
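
When the export in the Example section is scripted, the two output lines can be checked before the masked object file is trusted. The following is an added example, not part of the original page or the vendor's tooling; it assumes the key_mgmt_tool output was saved as text, `check_extract_transcript` is a hypothetical helper name, and the failure line is constructed.

```shell
#!/bin/sh
# Added example, not vendor code. Message formats come from the example output
# on this page; check_extract_transcript is a hypothetical helper name.

# Usage: check_extract_transcript <expected-file> < transcript
# Returns 0 on success, 1 on a failed or mismatched export, 2 if no status line.
check_extract_transcript() {
    expected=$1
    transcript=$(cat)

    # Path the tool reports, taken from between the double quotes.
    written=$(printf '%s\n' "$transcript" |
        sed -n 's/^[[:space:]]*Object was masked and written to file "\(.*\)"[[:space:]]*$/\1/p' |
        head -n 1)

    # Hex return code from the Cfm3ExtractMaskedObject status line.
    rc=$(printf '%s\n' "$transcript" |
        sed -n 's/^[[:space:]]*Cfm3ExtractMaskedObject returned: \(0x[0-9A-Fa-f]*\) .*$/\1/p' |
        head -n 1)

    if [ -z "$rc" ]; then
        echo "no Cfm3ExtractMaskedObject status line found" >&2
        return 2
    fi
    if [ "$rc" != "0x00" ]; then
        echo "extractMaskedObject returned $rc" >&2
        return 1
    fi
    if [ "$written" != "$expected" ]; then
        echo "masked object path mismatch: tool reported '$written'" >&2
        return 1
    fi
    return 0
}

# Sample transcript copied from the example output on this page.
SAMPLE_OK='Object was masked and written to file "/tmp/masked.obj"
Cfm3ExtractMaskedObject returned: 0x00 : HSM Return: SUCCESS'

# Constructed failure line (placeholder code and text, not real tool output).
SAMPLE_FAIL='Cfm3ExtractMaskedObject returned: 0x01 : HSM Return: PLACEHOLDER_ERROR'

if printf '%s\n' "$SAMPLE_OK" | check_extract_transcript /tmp/masked.obj; then
    echo "export verified"
fi
```

Treating a missing status line as its own exit code keeps a truncated or empty transcript from being read as a successful export.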