Skip to content
Branch: master
Find file Copy path
Find file Copy path
Fetching contributors…
Cannot retrieve contributors at this time
189 lines (154 sloc) 9.44 KB


The genRSAKeyPair command in the key_mgmt_util tool generates an RSA asymmetric key pair. You specify the key type, modulus length, and a public exponent. The command generates a modulus of the specified length and creates the key pair. You can assign an ID, share the key with other HSM users, create nonextractable keys and keys that expire when the session ends. When the command succeeds, it returns a key handle that the HSM assigns to the key. You can use the key handle to identify the key to other commands.

Before you run any key_mgmt_util command, you must start key_mgmt_util and log in to the HSM as a crypto user (CU).

To find the attributes of a key that you have created, such as the type, length, label, and ID, use getAttribute. To find the keys for a particular user, use getKeyInfo. To find keys based on their attribute values, use findKey.


genRSAKeyPair -h

genRSAKeyPair -m <modulus length>
              -e <public exponent> 
              -l <label> 
              [-id <key ID>] 
              [-min_srv <minimum number of servers>] 
              [-m_value <0..8>]
              [-timeout <number of seconds> ]
              [-u <user-ids>] 


These examples show how to use genRSAKeyPair to create asymmetric key pairs in your HSMs.

Example : Create and Examine an RSA Key Pair
This command creates an RSA key pair with a 2048-bit modulus and an exponent of 65541. The output shows that the public key handle is 262159 and the private key handle is 262160.

Command: genRSAKeyPair -m 2048 -e 65541 -l rsa_test 

Cfm3GenerateKeyPair returned: 0x00 : HSM Return: SUCCESS
Cfm3GenerateKeyPair: public key handle: 262159 private key handle: 262160
Cluster Error Status
Node id 1 and err state 0x00000000 : HSM Return: SUCCESS
Node id 0 and err state 0x00000000 : HSM Return: SUCCESS

The next command uses getAttribute to get the attributes of the public key that we just created. It writes the output to the attr_262159 file. It is followed by a cat command that gets the content of the attribute file. For help interpreting the key attributes, see the Key Attribute Reference.
The resulting hexadecimal values confirm that it is a public key (OBJ_ATTR_CLASS 0x02) with a type of RSA (OBJ_ATTR_KEY_TYPE 0x00). You can use this public key to encrypt (OBJ_ATTR_ENCRYPT 0x01), but not to decrypt (OBJ_ATTR_DECRYPT 0x00) or wrap (OBJ_ATTR_WRAP 0x00). The results also include the key length (512, 0x200), the modulus, the modulus length (2048, 0x800), and the public exponent (65541, 0x10005).

Command:  getAttribute -o 262159 -a 512 -out attr_262159

got all attributes of size 731 attr cnt 20
Attributes dumped into attr_262159 file

 Cfm3GetAttribute returned: 0x00 : HSM Return: SUCCESS

$  cat attr_262159


Example : Generate a Shared RSA Key Pair
This command generates an RSA key pair and shares the private key with user 4, another CU on the HSM. The command uses the m_value parameter to require at least two approvals before the private key in the pair can be used in a cryptographic operation. When you use the m_value parameter, you must also use -u in the command and the m_value cannot exceed the total number of users (number of values in -u + owner).

 Command:  genRSAKeyPair -m 2048 -e 195193 -l rsa_mofn -id rsa_mv2 -u 4 -m_value 2

        Cfm3GenerateKeyPair returned: 0x00 : HSM Return: SUCCESS

        Cfm3GenerateKeyPair:    public key handle: 27    private key handle: 28

        Cluster Error Status
        Node id 0 and err state 0x00000000 : HSM Return: SUCCESS
        Node id 1 and err state 0x00000000 : HSM Return: SUCCESS


Displays help for the command.
Required: Yes

Specifies the length of the modulus in bits. The minimum value is 2048.
Required: Yes

Specifies the public exponent. The value must be an odd number greater than or equal to 65537.
Required: Yes

Specifies a user-defined label for the key pair. Type a string. The same label applies to both keys in the pair
You can use any phrase that helps you to identify the key. Because the label does not have to be unique, you can use it to group and categorize keys.
Required: Yes

Specifies a user-defined identifier for the key pair. Type a string that is unique in the cluster. The default is an empty string. The ID that you specify applies to both keys in the pair.
Default: No ID value.
Required: No

Specifies the minimum number of HSMs on which the key is synchronized before the value of the -timeout parameter expires. If the key is not synchronized to the specified number of servers in the time allotted, it is not created.
AWS CloudHSM automatically synchronizes every key to every HSM in the cluster. To speed up your process, set the value of min_srv to less than the number of HSMs in the cluster and set a low timeout value. Note, however, that some requests might not generate a key.
Default: 1
Required: No

Specifies the number of users who must approve any cryptographic operation that uses the private key in the pair. Type a value from 0 to 8.
This parameter establishes a quorum authentication requirement for the private key. The default value, 0, disables the quorum authentication feature for the key. When quorum authentication is enabled, the specified number of users must sign a token to approve cryptographic operations that use the private key, and operations that share or unshare the private key.
To find the m_value of a key, use getKeyInfo.
This parameter is valid only when the -u parameter in the command shares the key pair with enough users to satisfy the m_value requirement.
Default: 0
Required: No

Makes the private key nonextractable. The private key that is generated cannot be exported from the HSM. Public keys are always extractable.
Default: Both the public and private keys in the key pair are extractable.
Required: No

Creates a key that exists only in the current session. The key cannot be recovered after the session ends.
Use this parameter when you need a key only briefly, such as a wrapping key that encrypts, and then quickly decrypts, another key. Do not use a session key to encrypt data that you might need to decrypt after the session ends.
To change a session key to a persistent (token) key, use setAttribute.
Default: The key is persistent.
Required: No

Specifies how long (in seconds) the command waits for a key to be synchronized to the number of HSMs specified by the min_srv parameter.
This parameter is valid only when the min_srv parameter is also used in the command.
Default: No timeout. The command waits indefinitely and returns only when the key is synchronized to the minimum number of servers.
Required: No

Shares the private key in the pair with the specified users. This parameter gives other HSM crypto users (CUs) permission to use the private key in cryptographic operations. Public keys can be used by any user without sharing.
Type a comma-separated list of HSM user IDs, such as -u 5,6. Do not include the HSM user ID of the current user. To find HSM user IDs of CUs on the HSM, use listUsers. To share and unshare existing keys, use shareKey in the cloudhsm_mgmt_util.
Default: Only the current user can use the private key.
Required: No

Runs an integrity check that verifies that the firmware on which the cluster runs has not been tampered with.
Default: No attestation check.
Required: No

Related Topics

You can’t perform that action at this time.