Applying RSA-OAEP with AES to Wrap Key Material

Apply RSA-OAEP with AES to wrap key material using the CLI interface.

Using the CLI

This section describes how to apply RSA-OAEP with AES to wrap key material using the Command Line Interface (CLI).

Open a command prompt and run the following commands to wrap the RSA key material using RSA-OAEP with a temporary AES key. Replace example file names and values as appropriate.

  1. Generate a temporary AES key:
    openssl rand -out <temporary_AES_key_path> 32
  2. Wrap the temporary AES key with the public wrapping key using RSA-OAEP with SHA-256:
    openssl pkeyutl -encrypt -in <temporary_AES_key_path> -inkey <vault_public_wrapping_key_path> -pubin -out <wrapped_temporary_AES_key_file> -pkeyopt rsa_padding_mode:oaep -pkeyopt rsa_oaep_md:sha256
  3. Generate hexadecimal of the temporary AES key material:
    temporary_AES_key_hexdump=$(hexdump -v -e '/1 "%02x"' < ${temporary_AES_key_path})
  4. If the RSA private key you want to import is in PEM format, convert it to DER:
    openssl pkcs8 -topk8 -nocrypt -inform PEM -outform DER -in <your_pem_RSA_private_key_path> -out <your_RSA_private_key_file>
  5. Wrap your RSA private key with the temporary AES key (the hex value from step 3 is passed as the -K argument):
    openssl enc -id-aes256-wrap-pad -iv A65959A6 -K $temporary_AES_key_hexdump -in <your_RSA_private_key_file> -out <wrapped_target_key_file>
  6. Create the wrapped key material by concatenating both wrapped keys:
    cat <wrapped_temporary_AES_key_file> <wrapped_target_key_file> > <wrapped_key_material_file>

Base64-encode the wrapped key material, then import it to create a key or to rotate an existing key to a new key version.

For a complete list of parameters and values for CLI commands, see the CLI Command Reference.