🔐 Wrap keys from HSM using CKM_RSA_AES_KEY_WRAP step by step

🔐 pkcs11-key-wrap

This tool can be used, for example, to export keys from Amazon CloudHSM and import them into Google Cloud KMS or Microsoft Azure Key Vault, both of which accept keys wrapped with CKM_RSA_AES_KEY_WRAP in their key-import (BYOK) flows.

Install

go install github.com/smallstep/pkcs11-key-wrap

Usage

First we need an RSA public wrapping key, rsa.pub in our example. When the goal is a key import, this is the public half of the import key issued by the destination KMS; its private half never leaves that service. Then we need the object ID (CKA_ID) or the label (CKA_LABEL) of the key that we want to wrap, 1000 or my-key in the following example. The key must have been created as extractable (CKA_EXTRACTABLE), otherwise C_WrapKey refuses to wrap it. Finally, run the wrapping tool like:

pkcs11-key-wrap --pin xxxx --id 1000 --wrapping-key rsa.pub > wrapped.key
# OR
pkcs11-key-wrap --pin xxxx --label my-key --wrapping-key rsa.pub > wrapped.key

Without the --module flag, the tool tries to load the SoftHSM2 module: /usr/lib/softhsm/libsofthsm2.so on Linux and /usr/local/lib/softhsm/libsofthsm2.so on macOS.

If Amazon CloudHSM is used, the --cloudhsm flag is required, because the standard CKM_AES_KEY_WRAP_PAD mechanism used for the inner AES wrap has to be replaced with CloudHSM's vendor-specific CKM_CLOUDHSM_AES_KEY_WRAP_ZERO_PAD. The usage in this case looks like:

pkcs11-key-wrap --module /opt/cloudhsm/lib/libcloudhsm_pkcs11.so --cloudhsm \
    --pin user:password --id 1000 --wrapping-key rsa.pub > wrapped.key
# OR
pkcs11-key-wrap --module /opt/cloudhsm/lib/libcloudhsm_pkcs11.so --cloudhsm \
    --pin user:password --label my-key --wrapping-key rsa.pub > wrapped.key

CloudHSM troubleshooting

If you get an error running pkcs11-key-wrap on CloudHSM, the best way to find out what is going on is to look at the client library's logs. To retrieve them, run:

/opt/cloudhsm/bin/pkcs11_info

That command places a file named pkcs11-data.tar.gz in /tmp. To look at the actual logs, run:

cd /tmp
tar xzvf pkcs11-data.tar.gz
less pkcs11-data/cloudhsm-pkcs11.log.*

If your cluster has just one HSM, a common error is:

Key <handle#> does not meet the availability requirements - The key must be available on at least 2 HSMs before being used.

That check exists to make sure a key is replicated before it is used, so it should only be disabled on a single-HSM development cluster. To remove the requirement, run:

sudo /opt/cloudhsm/bin/configure-pkcs11 --disable-key-availability-check

Even so, the keys might have to be re-created or imported. Amazon's key_mgmt_util can also be useful in these situations, since it can wrap a key with its wrapKey or exportPrivateKey commands.

Owner
Smallstep
End-to-end encryption for distributed applications and the people who manage them.