Unwrapping a Key

Configure command to unwrap a key.

The unwrapKey command unwraps a sensitive key on an HSM. You can identify the key by its handle.

To use it, open a command prompt and run the unwrapKey command.

Syntax

unWrapKey -h -f <key file name> -w <wrapper key handle> [-sess] [-attest] [-min_srv <minimum number of servers>] [-timeout <number of seconds>] [-aad <additional authenticated data filename>] [-iv_file <IV file>] [-m <wrapping mechanism>] [-nex] [-u <user id list>] [-noheader] [-l <key label>] [-i <Unwrapping IV>]

Parameter   Description
-h          Displays this information.
-f          Specifies the path and name of the file that contains the wrapped key.
-w          Specifies the wrapping key. Enter the key handle of an AES key or RSA key value on the HSM.
-m          Specifies the value representing the wrapping mechanism.
-out        Specifies the path and output file name.
-t          Specifies the hashing algorithm.
-nex        Makes the key nonextractable. By default, the key is extractable.
-noheader   The initialization vector (IV) (hex value).
-l          Specifies the label to be added to the unwrapped key.
-i          Specifies the unwrapping initialization vector (IV) to be used.
-kc         Specifies the class of the key to be unwrapped. Acceptable values are 3 = private key from a public-private key pair and 4 = secret (symmetric) key.
-kt         Specifies the type of key to be unwrapped.
-sess       Creates a key that is available only in the current session. The key cannot be recovered after the session ends.
-iv_file    The file in which you want to write the IV value obtained in response.
-attest     Runs a check that verifies that the firmware on which the cluster runs has not been tampered with.
-min_srv    Specifies the minimum number of HSMs on which the key is synchronized before the value of the -timeout parameter expires. Default value is 1.
-timeout    Specifies how long (in seconds) the command waits for a key to be synchronized to the number of HSMs specified by the -min_srv parameter. Default value is no timeout.
-u          List of users to share the key (comma-delimited list) (optional).

Example
Command: unwrapKey -f 129
 KeyMgmtUtilwrapKey returned: 0x00 : HSM Return: SUCCESS
 Cluster Status:
 Node id 0 status: 0x00000000 : HSM Return: SUCCESS
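
The sample output above reports one return code for the command and one status line per node, so a script that drives unwrapKey can fail closed on anything other than success. The Python below is an added example, not part of the tool or of the original page; the function name check_unwrap_output is hypothetical, and it assumes that other runs print lines in the same shape as the sample and that each "Node id" line stands for one HSM when compared with -min_srv.

```python
import re

# Line shapes copied from the sample output on this page; that other runs
# print the same shapes is an assumption.
RETURNED = re.compile(r"returned:\s*(0x[0-9a-fA-F]+)\s*:\s*HSM Return:\s*(.*)")
NODE = re.compile(r"Node id\s+(\d+)\s+status:\s*(0x[0-9a-fA-F]+)\s*:\s*HSM Return:\s*(.*)")


def check_unwrap_output(text, min_srv=1):
    """Return (ok, problems) for captured unwrapKey output.

    Fails closed: a missing return line, a non-zero code, or fewer than
    min_srv nodes reporting success all count as failure.
    """
    problems = []
    m = RETURNED.search(text)
    if m is None:
        problems.append("no 'returned:' line found")
    elif int(m.group(1), 16) != 0 or m.group(2).strip() != "SUCCESS":
        problems.append(f"command returned {m.group(1)} ({m.group(2).strip()})")

    ok_nodes = 0
    for node_id, code, label in NODE.findall(text):
        if int(code, 16) == 0 and label.strip() == "SUCCESS":
            ok_nodes += 1
        else:
            problems.append(f"node {node_id} returned {code} ({label.strip()})")
    if ok_nodes < min_srv:
        problems.append(f"only {ok_nodes} node(s) reported success, need {min_srv}")
    return (not problems, problems)


# Sample output as shown on this page.
PAGE_SAMPLE = """\
 KeyMgmtUtilwrapKey returned: 0x00 : HSM Return: SUCCESS
 Cluster Status:
 Node id 0 status: 0x00000000 : HSM Return: SUCCESS
"""

# Constructed failure case (not real tool output): a second node reports an error.
CONSTRUCTED_FAILURE = PAGE_SAMPLE + " Node id 1 status: 0x000000ff : HSM Return: CONSTRUCTED_ERROR\n"

if __name__ == "__main__":
    for name, sample in (("page sample", PAGE_SAMPLE), ("constructed", CONSTRUCTED_FAILURE)):
        print(name, check_unwrap_output(sample, min_srv=1))
```

Pass the same value for min_srv that was given to -min_srv on the command line, so the check and the command agree on how many HSMs must hold the key.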