Export

Main menu option: Export

Exports keys and objects outside the HSM. To export an object, it must have the export attribute enabled. The output usually goes to a file and in some cases there is also the option of a screen dump.

Warning

Additional, specialized export methods are available in the HSM Operation menu under the EFT and SPB options. See the EFT and SPB topics for more information.

The following types of objects can be exported via the console interfaces:

  1. Symmetric keys

  2. Asymmetric keys

  3. Other objects

The indication (local) always refers to a file name on the user's workstation and the indication (hsm) refers to an object name on the HSM partition.

As long as the authenticated user has permission to read objects in other partition(s), the operation can be performed on an object in another partition by giving the partition name and the object name in the form:

partition/object

Danger

Plain text export methods should only be used in highly controlled environments protected by other security measures, as the key material will be completely exposed.

When operating in Restricted mode, the RSA KEK method is available for symmetric key export (3DES and AES) and the PKCS#8 method is available for asymmetric key export (RSA or ECC) with derivation of the AES 256 encryption key by a 16-character password.

Symmetric Keys

Symmetric keys can be exported using the following methods:

  1. Protected by a KEK (Key Encryption Key).

    If the KEK is an RSA key, the enveloping follows the PKCS#1 version 2.1 standard with the RSAES-OAEP encryption scheme: the exportable symmetric key is exported encrypted under the KEK public key. The recipient must hold the corresponding private key and open the digital envelope following the rules of that encryption scheme.

    Attention

    In KEK (Key Encryption Key) exports, the encryption key must not be weaker than the transported key.

  2. In clear text.

Asymmetric Keys

Asymmetric keys can be exported using the following methods:

  1. Protected by a KEK (Key Encryption Key).

    Attention

    In KEK (Key Encryption Key) exports, the encryption key must not be weaker than the transported key.

  2. PKCS#1; the RSA public and/or private key is exported in clear text with DER encoding. In the case of private key export, the output file format will be ASN.1 as defined in the PKCS#1 v1.5 standard in section 7.1. When exporting the public key, the output file will contain the representation in section 7.2.

    Private key:

    RSAPrivateKey ::= SEQUENCE {
        version         Version,
        modulus         INTEGER,  -- n
        publicExponent  INTEGER,  -- e
        privateExponent INTEGER,  -- d
        prime1          INTEGER,  -- p
        prime2          INTEGER,  -- q
        exponent1       INTEGER,  -- d mod (p-1)
        exponent2       INTEGER,  -- d mod (q-1)
        coefficient     INTEGER   -- (inverse of q) mod p
    }
    

    Public key:

    RSAPublicKey ::= SEQUENCE {
        modulus         INTEGER,  -- n
        publicExponent  INTEGER   -- e
    }
    
  3. PKCS#8; in this option the asymmetric private key (RSA or ECC/ECDSA) can be exported in plain text or protected by digital envelope. For details on the standards, see the RSA Labs Public-Key Cryptography Standards (PKCS) documents.

    In restricted operating mode, exportable asymmetric keys can only be exported via the PKCS#8 standard using a digital envelope, deriving an AES 256 key from a password of exactly 16 (sixteen) characters, and the derivation is done according to the PKCS#5 version 2.0 standard.

  4. PKCS#12; the certificate and the corresponding private key are exported together in a PKCS#12 transport bundle, in plain text or protected by encryption derived from a user-defined password. The files are usually created with a .pfx or .p12 extension.
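The Python script below is an added example, not code from the Dinamo console or its documentation: it encodes and parses the PKCS#1 RSAPrivateKey structure listed under item 2 using only the standard library, and runs the consistency checks a recipient should apply to an exported clear-text key file before trusting it. The nine-integer toy key used in the usage example is constructed and far below a real key size.

```python
# Added example (not from the Dinamo documentation): pure-stdlib encoder/parser for
# the PKCS#1 RSAPrivateKey SEQUENCE above, plus checks a recipient should run on it.
from math import gcd
FIELDS = ["version", "modulus", "publicExponent", "privateExponent",
          "prime1", "prime2", "exponent1", "exponent2", "coefficient"]

def der_len(n):
    """DER length octets: short form below 0x80, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def der_int(v):
    """DER INTEGER; the +8 keeps a leading 0x00 when the top bit is set."""
    body = v.to_bytes((v.bit_length() + 8) // 8, "big")
    return b"\x02" + der_len(len(body)) + body

def encode_rsa_private_key(fields):
    """fields: the nine integers in the order of the ASN.1 SEQUENCE (see FIELDS)."""
    body = b"".join(der_int(v) for v in fields)
    return b"\x30" + der_len(len(body)) + body

def _read_tlv(buf, pos, tag):
    """Return (content, next_pos) of the TLV at pos, requiring the given tag."""
    if buf[pos] != tag:
        raise ValueError("unexpected tag 0x%02x at offset %d" % (buf[pos], pos))
    length, pos = buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low bits give byte count
        nbytes = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + nbytes], "big"), pos + nbytes
    return buf[pos:pos + length], pos + length

def parse_rsa_private_key(der):
    """Decode a PKCS#1 RSAPrivateKey DER blob into a dict of its nine fields."""
    body, end = _read_tlv(der, 0, 0x30)
    if end != len(der):
        raise ValueError("trailing bytes after RSAPrivateKey")
    out, pos = {}, 0
    for name in FIELDS:
        raw, pos = _read_tlv(body, pos, 0x02)
        out[name] = int.from_bytes(raw, "big", signed=True)
    return out

def check_rsa_private_key(k):
    """True when the CRT fields agree with p, q, e, d; a corrupt file gives False."""
    p, q, n, e, d = k["prime1"], k["prime2"], k["modulus"], k["publicExponent"], k["privateExponent"]
    lam = (p - 1) * (q - 1) // gcd(p - 1, q - 1)   # Carmichael lambda(n) for two primes
    return (k["version"] == 0 and p * q == n and (e * d) % lam == 1
            and k["exponent1"] == d % (p - 1) and k["exponent2"] == d % (q - 1)
            and (k["coefficient"] * q) % p == 1)
```

With a constructed toy key `[0, 3233, 17, 413, 61, 53, 53, 49, 38]` (p=61, q=53, e=17), `check_rsa_private_key(parse_rsa_private_key(encode_rsa_private_key(toy)))` returns True, and flipping any CRT field makes it False.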

Certificates, Chains and Files

The Certificate / PKCS#7 / File option exports the following object types:

  1. Certificate: the object indicated must be an X.509 certificate;

  2. PKCS#7 standard certificate chains: the object indicated must be an X.509 certificate chain;

  3. File: objects that are opaque to the HSM, interpreted only as a sequence of bytes.

BYOK

Keys in the BYOK strategy can be exported to the following cloud providers: Azure and AWS.

  1. Azure

    Important

    • The Key Vault must be Premium tier
    • The KEK must be RSA 3072 bits or larger to meet the required security level
    • PKCS#8 format is required (not PKCS#1)
    • A generic encryption error occurs when the key size is insufficient
    • OAEP-SHA1 envelope of an ephemeral AES-256 key

      • Padding: MOD_CORE_KEK_WRAP_OBJ_OAEP_PAD
      • Object type: ALG_NULL_OBJECT
      • KEK: Azure public key (downloaded from the dashboard)
    • KWP envelope of the target key formatted in PKCS#8

      • Padding: UNUSED (KWP handles padding internally)
      • Object type: MOD_CORE_KEK_WRAP_OBJ_T_P8
      • KEK: AES-256 key
    • Import commands in Azure (using the az CLI):

      • RSA key:

        az keyvault key import --vault-name <nome-vault> --name <nome-chave> --byok-file <arquivo.byok> --ops sign
        

      • EC key:

        az keyvault key import --vault-name <nome-vault> --name <nome-chave> --byok-file <arquivo.byok> --ops sign --kty EC --curve P-256
        

      • AES key:

        az keyvault key import --hsm-name <nome-hsm> --name <nome-chave> --byok-file <arquivo.byok> --ops encrypt decrypt --kty oct
        

  2. AWS

    Important

    • Use only the first wrapping key generated
    • Multiple key size options available (2048, 3072, 4096)
    • Import tokens expire
    • Remove and recreate the Managed Key if subsequent imports fail
    • Prerequisites

      • Use the first public key file generated by AWS (subsequent generations can cause problems)
      • If the import fails, remove the Managed Key and create a new one
    • Supported Wrapping Algorithms:

      • PKCS#1 v1.5
      • OAEP SHA-1
      • OAEP SHA-256
    • Wrapping key specifications

      • RSA 2048
      • RSA 3072
      • RSA 4096
    • Use the AWS Management Console GUI to import the generated file.

Export options
Dinamo - Remote Management Console v. 4.7.12.3 2018 (c) Dinamo Networks

HSM 127.0.0.1 e - Engine 5.9.0.0 (DXP) - TCA0000000  - ID master

Keys/Objects - Export

 1 - Symmetric Keys
 2 - Asymmetric Keys
 3 - Certificate / PKCS#7 / File
 4 - BYOK

 0 - Main Menu

Option:

Export asymmetric keys in PKCS#8 standard

Exporting a private key in PKCS#8 format
Dinamo - Remote Management Console v. 4.7.12.3 2018 (c) Dinamo Networks

HSM 127.0.0.1 e - Engine 5.9.0.0 (DXP) - TCA0000000  - ID master

Keys/Objects - Export - Asymmetric Keys - PKCS#8

Asymmetric Key name (HSM) : myexpRSA
Password (16 characters or ENTER for clear text export): ****************
Confirm password: ****************
Output File (local): myexpRSA.pkcs8

File exported successfully.

Press ENTER key to continue...