Exporting a Key
A key is never exported in the clear: the platform wraps it before export, and you unwrap it after download. The wrapping uses AES-256: the target key is wrapped with a temporary AES-256 key, which in turn is wrapped with the RSA public key that you provide.
- Generate an RSA 2048 key using OpenSSL. For example:
$ openssl genrsa -out key.pem 2048
- Extract the public key from the private key that you created, and list the resulting files. For example:
$ openssl rsa -in key.pem -outform PEM -pubout -out public.pem
$ ls -lrt
-rw-r--r-- 1 user1 1049089 1732 Aug 6 15:16 key.pem
-rw-r--r-- 1 user1 1049089 460 Aug 6 15:18 public.pem
The public part of the key (public.pem) is uploaded to the vault and used to wrap the key; the private part (key.pem) stays with you and is used to unwrap it.
- Export the target AES-256 key from the Cryptographic Security Platform Vault for Cryptographic APIs webGUI by performing the following:
  - Log in to the Cryptographic Security Platform Vault for Cryptographic APIs webGUI.
  - From the Home tab, select Manage > Keys.
  - On the Manage Keys page, select the key that you want to export and select Actions > Export Key.
  - On the Export Key page, complete the following fields:
    - Version: Displays the version number of the key. Copy this value to the clipboard; it is the key GUID, which you need later for the Get Key Value API.
    - Public Key: Click Browse and import the public part (public.pem) of the RSA 2048 key that you created.
    - Hashing Algorithm: Select SHA256 or SHA1. Note your choice: it is the OAEP digest that you must pass to openssl (rsa_oaep_md) when you unwrap the temporary AES key.
  - Click Download Key.
    The downloaded key is Base64 encoded. You can keep it as is, or decode it and unwrap it with the private key (key.pem) as the following steps describe.
- Base64 decode the wrapped key and save the result to a file. For example:
$ openssl enc -base64 -d <<< H2frvNvTUP+VyynwRYqo8+YEPRAgdioSyWtzYtJlQ1AqvxWW2B5EjEiJ8HxczMkxGKJPVjMJzKhYFkWgRhgWVDUQSroDLV4PMZvcwRQ33/Z05brjJk/3I7n2aqPKlwPwAtVLy2phT8DVa4j1ozcmDI5aLKUncrdz/iY/tuaEaFMyTHrHuLoo2jAONmyy2wJpi4tGeNoa+v+tKIzcmV9a9oE76Y7g9WHy35YDwryP2jzaK6NdMlBiABqnrdGaa9O1mIt8HTZNMawHX9IXP7amAww0gGb4AGvOragllxUw42/Eo2E7Nfo0JKElo2xn6NuKZ2TZRoMolTQZrDkEOrmoX6rBZb3d3HyiHlHFDbU0JPIt/O+0EwS9tQJoBunv7gISLE1rrcLStrI= > decoded_wrapped_key
$ ls -lrt
-rw-r--r-- 1 user1 1049089 1732 Aug 6 15:16 key.pem
-rw-r--r-- 1 user1 1049089 460 Aug 6 15:18 public.pem
-rw-r--r-- 1 user1 1049089 296 Aug 6 16:01 decoded_wrapped_key
- Split the decoded key into its two parts: the first 256 bytes (the RSA 2048 output size) are the wrapped temporary AES key, and the remainder is the wrapped target key. For example:
$ dd if=decoded_wrapped_key of=wrapped_temp_aes_key bs=1 count=256
256+0 records in
256+0 records out
256 bytes copied, 0.0101148 s, 25.3 kB/s
$ dd if=decoded_wrapped_key of=wrapped_target_key bs=1 skip=256
40+0 records in
40+0 records out
40 bytes copied, 0.0025336 s, 15.8 kB/s
$ ls -lrt
-rw-r--r-- 1 user1 1049089 1732 Aug 6 15:16 key.pem
-rw-r--r-- 1 user1 1049089 460 Aug 6 15:18 public.pem
-rw-r--r-- 1 user1 1049089 296 Aug 6 16:01 decoded_wrapped_key
-rw-r--r-- 1 user1 1049089 256 Aug 6 16:04 wrapped_temp_aes_key
-rw-r--r-- 1 user1 1049089 40 Aug 6 16:04 wrapped_target_key
- Unwrap the temporary AES key with the RSA private key. The rsa_oaep_md value must match the Hashing Algorithm that you selected on the Export Key page (sha1 in this example; use sha256 if you selected SHA256). The unwrapped temporary key must be exactly 32 bytes. For example:
$ openssl pkeyutl \
-decrypt \
-inkey key.pem \
-in wrapped_temp_aes_key \
-out temp_aes_key \
-pkeyopt rsa_padding_mode:oaep \
-pkeyopt rsa_oaep_md:sha1
$ ls -lrt
-rw-r--r-- 1 user1 1049089 1732 Aug 6 15:16 key.pem
-rw-r--r-- 1 user1 1049089 460 Aug 6 15:18 public.pem
-rw-r--r-- 1 user1 1049089 296 Aug 6 16:01 decoded_wrapped_key
-rw-r--r-- 1 user1 1049089 256 Aug 6 16:04 wrapped_temp_aes_key
-rw-r--r-- 1 user1 1049089 40 Aug 6 16:04 wrapped_target_key
-rw-r--r-- 1 user1 1049089 32 Aug 6 16:06 temp_aes_key
- Unwrap the target key with the temporary AES key. This step uses AES key wrap with padding; the IV A65959A6 is the fixed alternative initial value defined for that mode, not a per-key value. The output is the unwrapped value of the target key. The example pipes it through openssl enc -base64, so for an AES key the result is the Base64 value that the Get Key Value API returns. For example:
$ openssl enc -d \
-id-aes256-wrap-pad \
-iv A65959A6 \
-K $( hexdump -v -e '/1 "%02x"' < temp_aes_key ) \
-in wrapped_target_key | openssl enc -base64
0vEmbWIQnMAjP3gVJ0C4amnl+TWHymmW5ezQu5MDI+o=
- Verify the output with the Get Key Value API; the returned value must match the Base64 string from the previous step. For example:
GET: <CSP-vault-IP>/token/1.0/key/<key-guid_of_target_key>/value/
Response:
{
  "result": "success",
  "value": "0vEmbWIQnMAjP3gVJ0C4amnl+TWHymmW5ezQu5MDI+o="
}