Certified Security - Specialty

Sign Up Free or Log In to participate!

Key Wrapping Clarification

In the "CloudHSM – User Management & Generating & Exporting Keys" lecture you demonstrate exporting keys and explain that a wrapping key needs to be created and used in order to export private & symmetric keys. 

However you don’t explain what service the wrapping key actually performs during the export. There is another similar post on here where the student interpreted the wrapping keys are wrapping the actual exported file, which would make the key unusable without the wrapping key. 

The export private key documentation (https://docs.aws.amazon.com/cloudhsm/latest/userguide/key_mgmt_util-exportPrivateKey.html) states that

"During the export process, exportPrivateKey uses an AES key that you select (the wrapping key) to wrap (encrypt) the private key. This way, the private key file maintains integrity during transit. For more information, see wrapKey."

I think this means the wrapping keys is only used to wrap the keys while it is in transit from the HSM to the endpoint at which point it is decrypted and stored in plaintext. However, I’m still not certain even after reviewing this documentation and would recommend that you clarify the exact function a wrapping key performs during and export (and import?)

0 Answers

Sign In
Welcome Back!

Psst…this one if you’ve been moved to ACG!

Get Started
Who’s going to be learning?