Certified Security - Specialty

Sign Up Free or Log In to participate!

wrapping key?

In the previous lecture it said that the private key needed to be wrapped with a symmetric key before downloading.    Doesn’t that mean that you need to decrypt the private key with your wrapping key before you can use it at all?


Can we integrate HSM with applications or we can use them only as key generator?


Integrating with applications is the primary purpose of CloudHSM. Typically you would not export a private key or symmetric key from an HSM because they are designed to perform encryption/decryption operations while keeping the underlying key material secret.


I think Ryan has demonstrated key generation and export because it doesn’t need an application (which would make the demo more complicated).

2 Answers

Might going out on a limb but I believe the wrapper key is for encrypting your keys for storage and replicating them across the cluster in this case. It is also probably used to store the key information in the HSM database while maintaining no knowledge of the key material. This was my guess with the CMK wrapper. It prevents Amazon from knowing the exact details of your private key so they can’t use it. So if your key gets compromised during HSM cluster replication via MITM attack, it should still be without having the wrapper key. Plus using a symmetric cipher is faster to decrypt for retrieval.

You are right, you have to decrypt the key before you use it. It is done with this command from the lab:

exportPrivateKey -k  -out myprivatekey -w 

The "myprivatekey" is decrypted and ready to use.

Application integration with HSM is a great way for PKI security and SSL offloading:


Removes the security risk of have multiple copies of a SSL private key on multiple devices. One of my dreams usage if I owned a HSM 🙂

Hey ObiJan,

I was confused by this too! This section of the documentation seems to explain it:

The exSymKey command writes a plaintext (unencrypted) copy of the secret key to a file. The export process requires a wrapping key, but the key in the file is not a wrapped key. To export a wrapped (encrypted) copy of a key, use the wrapKey command.


I can’t find documentation online for the exportPrivateKey command but I assume it follows a similar process.


Matthew Mellor

" The export process requires a wrapping key, but the key in the file is not a wrapped key." I don’t understand this.

Sign In
Welcome Back!

Psst…this one if you’ve been moved to ACG!

Get Started
Who’s going to be learning?