Applying RSA-OAEP to Wrap the Key Material

This section describes how to apply RSA-OAEP to wrap the key material by using the Console.

Using the CLI

Open a command prompt and run the following command to wrap the AES material with the public RSA wrapping key associated with the vault. Replace example file names and values as appropriate.

openssl pkeyutl -encrypt -in <key_material_to_import> -inkey <public_RSA_wrapping_key> -pubin -out <wrapped_key_material> -pkeyopt rsa_padding_mode:oaep -pkeyopt rsa_oaep_md:sha256

For example:


openssl pkeyutl -encrypt -in "aes_key.bin" -inkey "publickey.pem" -pubin -out "wrappedkey.bin" -pkeyopt rsa_padding_mode:oaep -pkeyopt rsa_oaep_md:sha256
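
The following is an added example, not part of the original documentation: a local round-trip check of the wrap command above, assuming you cannot unwrap with the vault's own key and therefore test against a throwaway 2048-bit RSA key pair generated on the spot. The function names and the test_priv.pem, test_pub.pem and unwrapped.bin file names are constructed for this check.

```shell
#!/bin/sh
# Added example: verify the OAEP/SHA-256 wrap options locally before importing.
# Uses a throwaway test key pair, never the vault's wrapping key.

# wrap <key_file> <public_key_pem> <out_file>: same options as the command above.
wrap() {
    openssl pkeyutl -encrypt -in "$1" -inkey "$2" -pubin -out "$3" \
        -pkeyopt rsa_padding_mode:oaep -pkeyopt rsa_oaep_md:sha256
}

# unwrap <wrapped_file> <private_key_pem> <out_file>: inverse, for local testing only.
unwrap() {
    openssl pkeyutl -decrypt -in "$1" -inkey "$2" -out "$3" \
        -pkeyopt rsa_padding_mode:oaep -pkeyopt rsa_oaep_md:sha256
}

# is_raw_aes_key <file>: succeed only if the file holds 16, 24 or 32 raw bytes,
# which catches key material saved as hex or base64 text by mistake.
is_raw_aes_key() {
    case "$(wc -c < "$1" | tr -d ' ')" in
        16|24|32) return 0 ;;
        *) return 1 ;;
    esac
}

# roundtrip_check <workdir>: generate test keys, wrap, unwrap, compare.
roundtrip_check() {
    d="$1"
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$d/test_priv.pem" 2>/dev/null || return 1
    openssl pkey -in "$d/test_priv.pem" -pubout -out "$d/test_pub.pem" || return 1
    openssl rand -out "$d/aes_key.bin" 32 || return 1   # constructed sample key
    is_raw_aes_key "$d/aes_key.bin" || return 1
    wrap "$d/aes_key.bin" "$d/test_pub.pem" "$d/wrappedkey.bin" || return 1
    # RSA output is as long as the modulus: 256 bytes for a 2048-bit key.
    [ "$(wc -c < "$d/wrappedkey.bin" | tr -d ' ')" -eq 256 ] || return 1
    unwrap "$d/wrappedkey.bin" "$d/test_priv.pem" "$d/unwrapped.bin" || return 1
    cmp -s "$d/aes_key.bin" "$d/unwrapped.bin"
}

workdir=$(mktemp -d) && roundtrip_check "$workdir" && echo "round trip OK"
rm -rf "$workdir"
```

Delete the throwaway private key and the unwrapped copy after the check; only the file wrapped with the vault's public key is meant to leave your machine.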

After you wrap the key, you can import the key material either by creating a new key or by rotating a key to a new key version.

For a complete list of parameters and values for CLI commands, see the CLI Command Reference.