https://github.com/smallstep/pkcs11-key-wrap
🔐 Wrap keys from HSM using CKM_RSA_AES_KEY_WRAP step by step
- Host: GitHub
- URL: https://github.com/smallstep/pkcs11-key-wrap
- Owner: smallstep
- License: apache-2.0
- Created: 2021-12-02T00:06:21.000Z (over 4 years ago)
- Default Branch: main
- Last Pushed: 2021-12-10T09:41:00.000Z (about 4 years ago)
- Last Synced: 2025-04-10T19:57:12.455Z (11 months ago)
- Topics: cloudhsm, hsm, pkcs11, wrap
- Language: Go
- Homepage:
- Size: 31.3 KB
- Stars: 13
- Watchers: 8
- Forks: 2
- Open Issues: 0
Metadata Files:
- Readme: README.md
- License: LICENSE
README
# 🔐 pkcs11-key-wrap
Wrap keys from HSM using CKM_RSA_AES_KEY_WRAP step by step.
This tool can be used, for example, to export keys from Amazon's CloudHSM and
import them into Google's KMS or Microsoft Azure's Key Vault.
## Install
go install github.com/smallstep/pkcs11-key-wrap
## Usage
First we need to create an RSA public wrapping key, which in our example is
`rsa.pub`. Then we need the object id or the label of the key that we want to
wrap, `1000` or `my-key` in the following example. Finally, run the wrapping
tool like this:
```sh
pkcs11-key-wrap --pin xxxx --id 1000 --wrapping-key rsa.pub > wrapped.key
# OR
pkcs11-key-wrap --pin xxxx --label my-key --wrapping-key rsa.pub > wrapped.key
```
Without the `--module` flag, the tool tries to load the softhsm2 module from
`/usr/lib/softhsm/libsofthsm2.so` on Linux and from
`/usr/local/lib/softhsm/libsofthsm2.so` on macOS.
If Amazon CloudHSM is used, the `--cloudhsm` flag is required because CloudHSM
replaces the standard `CKM_AES_KEY_WRAP_PAD` mechanism with its custom
`CKM_CLOUDHSM_AES_KEY_WRAP_ZERO_PAD`. The usage in this case looks like:
```sh
pkcs11-key-wrap --module /opt/cloudhsm/lib/libcloudhsm_pkcs11.so --cloudhsm \
--pin user:password --id 1000 --wrapping-key rsa.pub > wrapped.key
# OR
pkcs11-key-wrap --module /opt/cloudhsm/lib/libcloudhsm_pkcs11.so --cloudhsm \
--pin user:password --label my-key --wrapping-key rsa.pub > wrapped.key
```
## CloudHSM troubleshooting
If you get an error running pkcs11-key-wrap on CloudHSM, the best way to find
out what is going on is to look at its logs. To retrieve them, run:
```sh
/opt/cloudhsm/bin/pkcs11_info
```
That command will place a file named `pkcs11-data.tar.gz` in `/tmp`. To look at
the actual logs, run:
```sh
cd /tmp
tar xzvf pkcs11-data.tar.gz
less pkcs11-data/cloudhsm-pkcs11.log.*
```
If your cluster has just one CloudHSM, a common error is:
```
Key does not meet the availability requirements - The key must be available on at least 2 HSMs before being used.
```
To remove that requirement, run:
```sh
sudo /opt/cloudhsm/bin/configure-pkcs11 --disable-key-availability-check
```
The keys might then need to be re-created or imported. Amazon's `key_mgmt_util`
may also be useful in these situations, since it can wrap a key with its
`wrapKey` or `exportPrivateKey` commands.