Exporting a Software-Protected Key by Applying RSA-OAEP Without a Temporary AES Key

Export a software-protected master encryption key by applying RSA-OAEP directly, without a temporary AES key, using the Command Line Interface (CLI).

Using the CLI

The following example script exports the software-protected master encryption key wrapped with RSA using Optimal Asymmetric Encryption Padding (OAEP), commonly referred to as RSA-OAEP. The Vault service supports RSA-OAEP with SHA-256 as both the OAEP hash and the MGF1 hash (the RSA_OAEP_SHA256 algorithm). Because no temporary AES key is involved, the key material is encrypted directly under the RSA wrapping key; RSA-OAEP with SHA-256 can carry a payload of up to the modulus size minus 66 bytes (190 bytes for a 2048-bit key), which any AES key fits comfortably.

The Vault service wraps the software-protected master encryption key with the public RSA wrapping key that you provide, and returns the wrapped key base64-encoded. The script then decodes that output and unwraps it locally with the corresponding private RSA wrapping key. Only the holder of the private RSA wrapping key can recover the plaintext key material, so keep the private key on the system where the exported key is needed, and treat the output file as you would any plaintext master key: it is written to local disk in the clear.

To export a software-protected master encryption key, open a command prompt, and then run the following script, replacing example file names and values as appropriate:

#!/usr/bin/env bash

#
# This script is for demonstration purposes only. It provides
# a functioning set of calls to show how to export software-protected AES key material
# from the Vault service by using the RSA_OAEP_SHA256 algorithm.
#

set -euo pipefail   # Stop at the first failing step instead of continuing with empty output.
umask 077           # Files written below (wrapped and plaintext key material) are readable by the owner only.
# set -x            # Uncomment to trace each command. The trace shows the wrapped (ciphertext) key, not the plaintext.

OPENSSL="<path_to_OpenSSL>" # Use OpenSSL 1.1.1 or later.
KEY_OCID="<key_OCID>" # The Oracle Cloud Identifier (OCID) of the software-protected master encryption key to export.
ENCRYPTION_ALGORITHM="RSA_OAEP_SHA256"
VAULT_CRYPTO_ENDPOINT="<vault_data_plane_URL>" # The cryptographic endpoint of the vault that contains the software-protected master encryption key.
PUBLIC_KEY_STRING="<public_RSA_wrapping_key_in_PEM_format>" # The content of the public key.
PRIVATE_KEY_PATH="<path_to_private_RSA_wrapping_key>" # The location of the private key.
SOFTWARE_KEY_PATH="<path_to_output_exported_key>" # The location for outputting the software-protected master encryption key.
WRAPPED_SOFTWARE_KEY_PATH="<path_to_output_decoded_wrapped_target_key>" # The location for outputting the decoded, wrapped software-protected master encryption key.

# Invoke the CLI to export a software-protected master encryption key.
# The service wraps the key material with the public RSA wrapping key and returns it
# base64-encoded in the "encrypted-key" field of the response. --query (JMESPath) and
# --raw-output extract that field directly, without depending on the JSON line layout.
wrapped_data="$(oci kms crypto key export \
    --key-id "${KEY_OCID}" \
    --algorithm "${ENCRYPTION_ALGORITHM}" \
    --public-key "${PUBLIC_KEY_STRING}" \
    --endpoint "${VAULT_CRYPTO_ENDPOINT}" \
    --query 'data."encrypted-key"' --raw-output)"

# Decode the base64-encoded wrapped data.
printf '%s' "${wrapped_data}" | base64 -d > "${WRAPPED_SOFTWARE_KEY_PATH}"

# Unwrap the wrapped software-protected key material by using the private RSA wrapping key.
# The OAEP hash and the MGF1 hash must both be SHA-256 to match RSA_OAEP_SHA256; any other
# combination fails with an RSA operation error rather than producing wrong key material.
"${OPENSSL}" pkeyutl -decrypt \
    -in "${WRAPPED_SOFTWARE_KEY_PATH}" \
    -inkey "${PRIVATE_KEY_PATH}" \
    -pkeyopt rsa_padding_mode:oaep \
    -pkeyopt rsa_oaep_md:sha256 \
    -pkeyopt rsa_mgf1_md:sha256 \
    -out "${SOFTWARE_KEY_PATH}"
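The decode-and-unwrap step above can be rehearsed offline before touching a real vault. The following script is an added example and is not part of the Vault documentation or the oci CLI: it stands in for the Vault service by wrapping a constructed 32-byte key itself with RSA-OAEP/SHA-256 (using a 2048-bit RSA wrapping key pair generated on the spot; both the key size and the random key are assumptions for the demonstration), then runs the same base64 decode and `openssl pkeyutl -decrypt` that the export script runs. It also shows what happens when the client-side OAEP parameters do not match the service's (here a wrong MGF1 digest): the unwrap is rejected outright rather than yielding wrong key material.

```bash
#!/usr/bin/env bash
# Added example, not part of the Vault documentation: an offline rehearsal of the
# decode-and-unwrap step. Assumptions: we stand in for the Vault service by wrapping a
# constructed 256-bit key ourselves with RSA-OAEP/SHA-256, and we use a 2048-bit RSA
# wrapping key pair generated on the spot.
set -euo pipefail
umask 077                        # every key file below is owner-readable only

OPENSSL="${OPENSSL:-openssl}"    # OpenSSL 1.1.1 or later

digest() { "$OPENSSL" dgst -sha256 -r "$1" | cut -d' ' -f1; }

# Build the fixtures in $1: wrapping key pair, a constructed 32-byte key standing in for
# the master encryption key, and its wrapped form as the CLI would return it (base64,
# single line) in the "encrypted-key" field.
setup_wrapped() {
  local dir="$1"
  "$OPENSSL" genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$dir/wrap.key" 2>/dev/null
  "$OPENSSL" pkey -in "$dir/wrap.key" -pubout -out "$dir/wrap.pub"
  "$OPENSSL" rand -out "$dir/aes.key" 32
  # Service side (simulated): RSA-OAEP with SHA-256 for both the OAEP hash and MGF1.
  "$OPENSSL" pkeyutl -encrypt -pubin -inkey "$dir/wrap.pub" -in "$dir/aes.key" \
    -pkeyopt rsa_padding_mode:oaep -pkeyopt rsa_oaep_md:sha256 -pkeyopt rsa_mgf1_md:sha256 \
    | base64 | tr -d '\n' > "$dir/wrapped.b64"
}

# Client side, exactly as the export script does it: base64-decode, then unwrap with the
# private key. $4 selects the MGF1 digest so a caller can show what a mismatch does.
unwrap_exported_key() {
  local priv="$1" b64="$2" out="$3" mgf1="${4:-sha256}"
  printf '%s' "$b64" | base64 -d > "$out.wrapped"
  # The exit status, not stderr, is what the callers check.
  "$OPENSSL" pkeyutl -decrypt -inkey "$priv" -in "$out.wrapped" \
    -pkeyopt rsa_padding_mode:oaep -pkeyopt rsa_oaep_md:sha256 -pkeyopt "rsa_mgf1_md:$mgf1" \
    -out "$out" 2>/dev/null
}

# Returns 0 only when the round trip recovers the original key byte for byte.
rehearse_export() {
  local work; work="$(mktemp -d)"
  setup_wrapped "$work"
  unwrap_exported_key "$work/wrap.key" "$(cat "$work/wrapped.b64")" "$work/exported.key"
  local ok=1
  [ "$(digest "$work/aes.key")" = "$(digest "$work/exported.key")" ] && ok=0
  rm -rf "$work"
  return "$ok"
}

# Returns 0 when unwrapping with the wrong MGF1 digest (SHA-1) is rejected, which is the
# expected behaviour: OAEP fails closed instead of yielding garbage key material.
mismatch_is_rejected() {
  local work; work="$(mktemp -d)"
  setup_wrapped "$work"
  local rejected=1
  if ! unwrap_exported_key "$work/wrap.key" "$(cat "$work/wrapped.b64")" "$work/bad.key" sha1; then
    rejected=0
  fi
  rm -rf "$work"
  return "$rejected"
}

if rehearse_export; then echo "round trip: key recovered"; else echo "round trip: FAILED"; fi
if mismatch_is_rejected; then echo "wrong MGF1 digest: rejected as expected"; else echo "wrong MGF1 digest: NOT rejected"; fi
```

Run it once on the machine that will hold the private wrapping key; if the round trip passes there, the only remaining variables in the real export are the OCID, the endpoint and the public key string you hand to `oci kms crypto key export`. The mismatch case is the reason the three `-pkeyopt` values in the export script are not optional: OAEP verifies its padding after unmasking, so a wrong hash or MGF1 digest produces a hard failure, never silently wrong key bytes.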

For a complete list of parameters and values for CLI commands, see the CLI Command Reference.