hsm-clone-kwk
This command clones a key wrapping key between HSM-equipped appliances.
Availability
Requires the HSM.
Syntax
hsm-clone-kwk [input file] [output file]
Parameters
input file - Indicates the name of the local file to use as input to the cloning action. During the first part of this four-part task, do not specify this parameter. During the other parts of this task, this parameter is required.
output file - Indicates the name of the local file that the cloning action creates. During the last part of this four-part task, do not specify this parameter. During the other parts of this task, this parameter is required.
Guidelines
- The appliance is equipped with an internal HSM.
- The appliance is operating in Crypto Officer (CO) mode.
Use the hsm-clone-kwk command if two HSM-equipped systems have the same key-sharing domain and both systems are at the same FIPS security level. This command copies the key-wrapping key from the source HSM system to the destination HSM system. You must run this command four times, alternating between the two systems:
1. On the source HSM system, create an output file (for example, temporary:///source-one) that contains the key material. After you validate that the command created the file, copy it to the destination HSM system.
2. On the destination HSM system, create an output file (for example, temporary:///destination-two) that uses the copied file (for example, temporary:///source-one) as the input file. After you validate that the command created the file, copy it to the source HSM system.
3. On the source HSM system, create an output file (for example, temporary:///source-three) that uses the copied file (for example, temporary:///destination-two) as the input file. After you validate that the command created the file, copy it to the destination HSM system.
4. On the destination HSM system, use the copied file (for example, temporary:///source-three) as the input file.
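The four invocations written out in order, as an added example that is not part of the original page. It uses the page's example file names and assumes that input and output are keywords followed by the file name, as the bracketed pairs on the Syntax line suggest; copying each file to the other appliance is done out of band, by whatever file transfer method you use between the two systems.

```console
# Step 1: on the SOURCE HSM system (no input file yet)
hsm-clone-kwk output temporary:///source-one
# verify that temporary:///source-one exists, then copy it to the destination system

# Step 2: on the DESTINATION HSM system
hsm-clone-kwk input temporary:///source-one output temporary:///destination-two
# verify that temporary:///destination-two exists, then copy it to the source system

# Step 3: on the SOURCE HSM system (same boot session as Step 1)
hsm-clone-kwk input temporary:///destination-two output temporary:///source-three
# verify that temporary:///source-three exists, then copy it to the destination system

# Step 4: on the DESTINATION HSM system (same boot session as Step 2; no output file)
hsm-clone-kwk input temporary:///source-three
```

Check that each expected output file was actually created before copying it on; a missing file means the step did not complete and the sequence should not continue. Because each appliance must stay up between its two invocations, do not reboot either system anywhere in this sequence.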
The key cloning operation succeeds only if an appliance is not restarted between its two hsm-clone-kwk invocations. For example, restarting the source appliance after Step 1 causes Step 3 to fail.
After all four steps complete, the source and destination HSM systems have the same key-wrapping key. After you clone the key-wrapping key on each HSM domain member, the domain members can share keys in the following way:
- Creating an export crypto object
- Transferring the export crypto object to a target system in the HSM domain
- Importing the export crypto object on the target system
See the HSM documentation for information about the key cloning task from the web management interface.