Wrapping a Key for Import

When you import a key into the Cryptographic Security Platform Vault for Cryptographic APIs, the target key must be wrapped with the RSA-AES scheme: the target key is first wrapped with a temporary AES key, the temporary AES key is wrapped with an RSA key, and the two wrapped blobs are concatenated and imported. You will need the following: 

  • Wrapping Key—the public part of an RSA-2048 key created in the Cryptographic Security Platform Vault for Cryptographic APIs. In the examples, this is called rsa_public.pem. The private part of this RSA-2048 key will be used to unwrap the key later.

  • Target Key—an AES-256 32 byte key that will be wrapped and imported. In the examples, this is called target_aes_key.

  • Temporary Key—an AES-256 32 byte key that will be wrapped by the wrapping key. In the examples, this is called temp_aes_key.

Procedure 

  1. Create an RSA-2048 key in the Cryptographic Security Platform Vault for Cryptographic APIs where you want to import the wrapped key. This will be the wrapping key. For more information, see Creating a Key.

  2. Select the key that you created, and click Download Public Key to download the public part of the RSA-2048 key. This should be named something similar to key.pem.

    We recommend that you rename it to rsa_public.pem to make it easy to find.

  3. Generate the target AES-256 32 byte key using OpenSSL. For example: 

    openssl rand -out target_aes_key 32

  4. Generate a temporary random AES-256 32 byte key using OpenSSL. For example: 

    openssl rand -out temp_aes_key 32

  5. List the files that you've created or downloaded. For example: 

    [root@machine-name-10-1-228-132 import_key_sample2]# ls -lrt
    total 12
    -rw-r--r--. 1 root root 451 Aug 5 11:15 rsa_public.pem
    -rw-r--r--. 1 root root 32 Aug 5 11:19 temp_aes_key
    -rw-r--r--. 1 root root 32 Aug 5 11:19 target_aes_key

  6. Wrap the temporary AES key with the wrapping public key using the CKM_RSA_PKCS_OAEP algorithm. For example: 

    openssl pkeyutl \
    -encrypt \
    -pubin \
    -inkey rsa_public.pem \
    -in temp_aes_key \
    -out wrapped_aes_key \
    -pkeyopt rsa_padding_mode:oaep \
    -pkeyopt rsa_oaep_md:sha1

  7. List the files again. For example: 

    [root@machine-name-10-1-228-132 import_key_sample2]# ls -lrt
    total 12
    -rw-r--r--. 1 root root 451 Aug 5 11:15 rsa_public.pem
    -rw-r--r--. 1 root root 32 Aug 5 11:19 temp_aes_key
    -rw-r--r--. 1 root root 32 Aug 5 11:19 target_aes_key
    -rw-r--r--. 1 root root 296 Aug 5 11:22 wrapped_aes_key

  8. Wrap the target key with the temporary AES key using the CKM_AES_KEY_WRAP_PAD algorithm, and append the result to the wrapped_aes_key file. For example: 

    openssl enc \
    -id-aes256-wrap-pad \
    -iv A65959A6 \
    -K $( hexdump -v -e '/1 "%02x"' < temp_aes_key ) \
    -in target_aes_key >> wrapped_aes_key

  9. List the files again. For example: 

    [root@machine-name-10-1-228-132 import_key_sample2]# ls -lrt
    total 16
    -rw-r--r--. 1 root root 451 Aug 5 11:15 rsa_public.pem
    -rw-r--r--. 1 root root 32 Aug 5 11:19 temp_aes_key
    -rw-r--r--. 1 root root 32 Aug 5 11:19 target_aes_key
    -rw-r--r--. 1 root root 296 Aug 5 11:22 wrapped_aes_key

  10. Base64 encode the wrapped AES key. For example: 

    [root@machine-name-10-1-228-132 import_key_sample2]# openssl enc -base64 -A -in wrapped_aes_key
    M65ZDVmHPMnT/bFE8idDaJnMeS+Pb/LB+vlJIsBCInnAI05UDtK0E7it6FoxAy0F
    dQsYmJYqJJuOVjkMGX/Uid8N6vDhpHaX2NAQcJsVZMas2sW03gUaeqXcrlOcDKzb
    CgAXbCovBMWEC46HZwqpiIZD8pqqRlxuMqb3m95/7TomPtZh7BYRbtWboJFtq1MA
    ljzjwLTvUdcDZuMf03wHZhPZEaxrZKS68By2KLcHGS/oFvgSvAFH54doBJBRS2jP
    tir5hxo/lma4BQuKwCebRyf9ugOKlGjEJt2DEmTAPAWZ257TxXCinY9ooLTouGY4
    cdqBHimmTDVjgyg28u76poyqMZkUq9ZywVUf8onvEsaNSBERva3DbuoKEZSdbt/1
    MHg/L1031Rg=

  11. Copy the base64 encoded key into a file.

    Important: You must remove any newline characters so that the key will be in a single line.

    This will be the key material used during the upload.