Applying RSA-OAEP with AES to Wrap Key Material
Apply RSA-OAEP with AES to wrap key material using the CLI interface.
Using the CLI
This section describes how to apply RSA-OAEP with AES to wrap the key material using the Command Line Interface (CLI).
Open a command prompt and run the following commands to wrap the RSA key material using RSA-OAEP with a temporary AES key. Replace example file names and values as appropriate.
- Generate a temporary AES key:
openssl rand -out <temporary_AES_key_path> 32
- Wrap the temporary AES key with the public wrapping key using RSA-OAEP with SHA-256:
openssl pkeyutl -encrypt -in <temporary_AES_key_path> -inkey <vault_public_wrapping_key_path> -pubin -out <wrapped_temporary_AES_key_file> -pkeyopt rsa_padding_mode:oaep -pkeyopt rsa_oaep_md:sha256
- Generate the hexadecimal form of the temporary AES key material:
temporary_AES_key_hexdump=$(hexdump -v -e '/1 "%02x"' < ${temporary_AES_key_path})
- If the RSA private key you want to import is in PEM format, convert it to DER:
${OpenSSL_path} pkcs8 -topk8 -nocrypt -inform PEM -outform DER -in <your_pem_RSA_private_key_path> -out <your_RSA_private_key_file>
- Wrap your RSA private key with the temporary AES key:
openssl enc -id-aes256-wrap-pad -iv A65959A6 -K ${temporary_AES_key_hexdump} -in <your_RSA_private_key_file> -out <wrapped_target_key_file>
- Create the wrapped key material by concatenating both wrapped keys:
cat <wrapped_temporary_AES_key_file> <wrapped_target_key_file> > <wrapped_key_material_file>
Apply base64 encoding on the wrapped key material and then import it to create a key or rotate an existing key to a new key version.
For a complete list of parameters and values for CLI commands, see the CLI Command Reference.