Skip to content
/ pkcs11-key-wrap Public

πŸ” Wrap keys from HSM using CKM_RSA_AES_KEY_WRAP step by step

License

Apache-2.0 license
13 stars 2 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

smallstep/pkcs11-key-wrap

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

Β 

History

21 Commits
.gitignore
.gitignore
Β 
Β 
LICENSE
LICENSE
Β 
Β 
README.md
README.md
Β 
Β 
go.mod
go.mod
Β 
Β 
go.sum
go.sum
Β 
Β 
main.go
main.go
Β 
Β 

Repository files navigation

πŸ” pkcs11-key-wrap

Wrap keys from HSM using CKM_RSA_AES_KEY_WRAP step by step.

This tool can be used for example for exporting keys from Amazon's CloudHSM and importing it to Google's KMS or Microsoft Azure's Key Vault.

Install

go install github.com/smallstep/pkcs11-key-wrap

Usage

First we need to create an RSA public wrapping key, in our example this is going to be rsa.pub. Then we need to get the object id or the label of the key that we want to wrap, 1000 or my-key in the following example. Finally run the wrapping tool like:

pkcs11-key-wrap --pin xxxx --id 1000 --wrapping-key rsa.pub > wrapped.key
# OR
pkcs11-key-wrap --pin xxxx --label my-key --wrapping-key rsa.pub > wrapped.key

Without the --module flag will try to load the softhsm2 module, from /usr/lib/softhsm/libsofthsm2.so in a Linux environment and from /usr/local/lib/softhsm/libsofthsm2.so in macOS.

If Amazon CloudHSM is used the flag --cloudhsm is required because the standard CKM_AES_KEY_WRAP_PAD mechanism should be replaced by the custom CKM_CLOUDHSM_AES_KEY_WRAP_ZERO_PAD. The usage in this case will be like:

pkcs11-key-wrap --module /opt/cloudhsm/lib/libcloudhsm_pkcs11.so --cloudhsm \
    --pin user:password --id 1000 --wrapping-key rsa.pub > wrapped.key
# OR
pkcs11-key-wrap --module /opt/cloudhsm/lib/libcloudhsm_pkcs11.so --cloudhsm \
    --pin user:password --label my-key --wrapping-key rsa.pub > wrapped.key

CloudHSM troubleshooting

If you get an error running pkcs11-key-wrap on CloudHSM, the best way to know what is going is to look at their logs. To retrieve them just run:

/opt/cloudhsm/bin/pkcs11_info

That command with place a file named pkcs11-data.tar.gz on /tmp. To look at the actual logs run:

cd /tmp
tar xzvf pkcs11-data.tar.gz
less pkcs11-data/cloudhsm-pkcs11.log.*

A common error if you have just one CloudHSM is to get this error:

Key <handle#> does not meet the availability requirements - The key must be available on at least 2 HSMs before being used.

To remove that requirement we can run:

sudo /opt/cloudhsm/bin/configure-pkcs11 --disable-key-availability-check

But the keys might be re-created or imported, Amazon's key_mgmt_util might be useful for these situations as they can wrap a key using wrapKey or exportPrivateKey commands.

About

πŸ” Wrap keys from HSM using CKM_RSA_AES_KEY_WRAP step by step

Topics

wrap hsm pkcs11 cloudhsm

Resources

Readme

License

Apache-2.0 license
Activity
Custom properties

Stars

13 stars

Watchers

8 watching

Forks

2 forks
Report repository

Releases

1 tags

Packages

No packages published

Languages